index.php changed on its own

You site has been infected with malware. It will take some effort to clean it up, but it can be done. Basic steps are available via searching, and are out of scope for here, but to get started:

  1. Update WP core to latest, even if it already is.
  2. Update all themes and plugins. Remove plugins you don’t need.
  3. Look at all files on your site with your hosting place’s File Manager. Look for files with ‘funny’ code like your example. Delete them. Look at all PHP files, and ICO files (which are supposed to be graphical, but may contain ‘funny’ code).
  4. Remove all files that look suspicious.
  5. Reinstall WP core files again.
  6. Look inside your wp-config.php file for funny code. Keep a local copy of that.
  7. Change the password on your hosting plan.
  8. Change the password on your WP database. You’ll have to make that change in your wp-config.php file.
  9. Look at your users for any admin-level user that shouldn’t be there.
  10. Create a new admin-level user. Don’t name it ‘admin’. Use a strong password.
  11. Log in with that new admin-level user you created. Make sure you can. If you can, then delete the original admin-level user.
  12. Repeat step 5 (reinstall WP core files again)
  13. Update everything again.
  14. Make sure your hosting is using PHP version 8.x.
  15. Repeat steps 3 and 4 again.
  16. Repeat steps 12, 13,15,16 until you don’t find bad stuff
  17. Keep an eye on your system. Repeat steps 16 as needed.

Good luck.