Information Security

The problem with the security of the site on Bitrix, what is the source of external authorization saleanonymous?

Hello! Help the newbie, and don't swear too much if the questions seem naive....
In the Bitrix admin panel, the "small business" editors, in the Event log section, found that they periodically try to delete all clients registered on the site. Some of the clients have been deleted, some of the clients cannot be deleted due to Bitrix restrictions (you cannot delete a user with a current order).
Then I began to study the error logs on the hosting, and saw access errors with the tag "attack-injection" tags.
Since I did not perform mass procedures for deleting clients, I suspect that a certain script is running on the site that is trying to delete all users of the site.
Moreover, the deletion of users occurs every time from different ip, in several cases I noticed the coincidence of ip with the ip of the registered user, a couple of times the deletion occurred from my ip. I also noticed that a new user is constantly registering with mail like anonymous_****@example.com (**** - an arbitrary set of characters) and in his column "source of external authorization" in the list of clients there is an inscription - saleanonymous. I delete it, it reappears, and the notification of the registration of a new user with such suspicious registrations does not come to me.
Help fix the problem and answer the following questions:
1. What is the source of external user authorization on Bitrix and how to disable it?
2. how to stop deleting clients?
3. How to prohibit registration of new clients by mask, for example, with mail like *anonymous* or an external source of authorization?
4. And what is going on in general? Website broken?
PS: I wrote to the hoster - he says that he did not find anything suspicious. Bitrix support is silent.