Good afternoon. Here are instructions that you can do in your case.
If a website is not working as it should be, it may a consequence of the activity of malicious scripts.
To solve the problem with malicious inserts and scripts, follow the instructions (from simple to more complex):
Check out the website online https://sitecheck.sucuri.net/.
This test can indicate a problem.
If the web site you recently installed additional software (plugins / themes), make sure that the source of this software is reliable.
Make sure that all plugins and themes that are currently being used on the site are not at risk and do not contain critical vulnerabilities.
Make a list of all your plugins.
Go to Google search -> Tools -> search for the last 3 months.
The search string "IMAPLOGIN critical vulnerability". This search will help you determine whether there was recently a critical vulnerability that could lead to hacking of the websites of your CMS.
Log in to the database or phpmyadmin in the control panel. Check the number of users, especially administrator rights. If there's a suspicious user, remove them.
Delete all the files from the root directory and database of website. Restore the website from backup.
Change the password to the hosting panel, control panel of the website, the database (you'll need to reconfigure the database connection in the code of the site).
Install a security plugin for your CMS. For wordpress sites, install iThemes Security.
Propargite access logs of the site to POST requests.
Contact your hosting company and ask for assistance in removing viruses and fixing vulnerabilities. This will most likely be a paid service.
Check the website for viruses and clean it.
Use the utility ai-bolit from revisium.
Download ai-bolit and run the test. Example:
php /root/aibolit/ai-bolit.php \
Malicious scripts can also be outside of the root directory of the website, so check the catalog to a higher level is a good practice. Change the key path: --path=/var/www/putlet/ You can access the report through the link: your_site.ru/vir.html
Review the report and clean the site from malicious insertions.
Clean the database from malicious insertions.
Manually check your website for malware and vulnerabilities.
After cleaning the site from viruses, antishell configure script.
Antishell checks the website for changes in the code and sends an email report if any changes were made. Using Antiblock, you can identify the time of injection and which scripts have been hacked. Having a specific breaking time, you can analyze access logs to find the IP address of the villain and his requests to the web site.
Make a backup copy of the site, cleared of inserts.
Unzip the archive into the root of the site to obtain the following structure: /your_site/antishell/antishell.php
Configure antishell.php (setup intuitive).
Configure the cron scheduler to run the script every 5 minutes:
Once the file(s) to the website will be changed and cron will run a check antishell, you should receive a letter.