Malware

How to find a virus that redirects to other sites with 1C Bitrix?

About a year ago, we encountered a problem - customers of an online store accessing from mobile devices and specifically from a mobile network (not WiFi), instead of our pages, got to the site on various advertising sites, including even 18+ content. You understand that customers are dissatisfied, reputation is deteriorating, search engines are downgrading in search results, imposing temporary blocks, and also marking us as a site that threatens the user's security - "The site may threaten the user's security, or violations of the rules of the search engine have been found on it. The presence of this problem is negative affects the position of the site in the search results.

We were able to find only "tails" that redirect to various sites, but the root of the problem, which generates such files, was not found.
The site works on CMS 1C-Bitrix, all security recommendations have been observed, user rights are delineated as it should, in general, everything that is recommended in such situations has been done.

How to detect this root, maybe you can trace the access to the PHP file from the logs, or something like that. In general, tell me how to deal with this. Or maybe someone can help personally.