Server Somehow Got Hacked

When I'm open any website it's working file and looking all ok. but if I change the user agent to google bot then it shows a spam betting app page.
i deleted all the files from the public_html directory but still it display the same page when I set the useragent as google bot.. but if open normally it shows forbidden as it should be..

Any idea where could the the issue is? I'm facing this issue after I did setup the new server on 6th sep. I installed nothing extra on the server from third party website except csf firewall from the github repo.

If you want to PM me the connection details, I could take a look on your behalf.

I'm trying to track these PHP Injection attacks.

Please advise the following:

What distro are you running CWP on?
What PHP version?

If you don't want it public, you can PM me also.

Thanks

I'm trying to track these PHP Injection attacks.

Please advise the following:

What distro are you running CWP on?
What PHP version?

If you don't want it public, you can PM me also.

Thanks

Almalinux 8
PHP Version: Default PHP version: 5.6.37 (Forced PHP-FPM: 8.3)

If you want to PM me the connection details, I could take a look on your behalf.

please do not mind.. it's hard to share these details. hope you understood..

Thank you

Are you talking about the server itself or just a account?
if is just a account, probably is related with THAT account or website in it.

Do you want to PM the domain name in question so we can see the page, look at the code -- or have you already done that?

all of the website in the server is same.. it's not for perticuler domain.. even If I delete all the files from a purticuler domain.. still showing spam page
example

for example.com I deleted all the files inside public_html/* complete blank public_html directory.. but if I view the website as google bot it'll show me the spam page.. but if I open it normally it's show forbidden as it should be..

Do you want to PM the domain name in question so we can see the page, look at the code -- or have you already done that?

my question is how could even a blank directory can show a web page when I change the user agent to googlebot (via browser developer tool)

BTW it has been fixed now by the CWP support team.. still I would like to know how it happen...

CWP Support found malware in the Apache server due to an old version.

Starburst has a guide for updating to Apache 2.4.65 on AlmaLinux 8/9:
https://starburst.help/control-web-panel-cwp/control-web-panel-cwp-admin-tutorials/update-apache-to-2-4-65-in-cwp-on-almalinux-8-9/