My website is behaving strangely, how do I find out if it has been hacked?



The first thing to do is to look over your files using FTP, or the File Manager in the control panel, and look for a file which is causing the strange behaviour. Most often that will be the index page or the .htaccess file. If you notice anything in those files which shouldn't be there, such as a redirect or link to a domain name you don't recognise, or obfuscated code, then that indicates the website has been compromised. If you do find something like that, note the date and time the file was last modified, which is shown in the File Manager and most FTP clients.

Then you can take a look through your website's access logs to see exactly what requests were made to your website at the time the file was modified. Website access logs can be downloaded from the Log File Download page in the control panel. Older log files are compressed with GZIP, so they can be extracted with a program such as 7-Zip. The log files are Apache combined access logs, so you can find out what each part of an entry means in the documentation here.

Out of the two HTTP methods that a website can be accessed with, POST requests are much more likely to be used to modify your files than GET requests, so the main thing to look for is log file entries that contain POST. A GET request will only interact with your website as requested in the URL, so it would only be relevant if the URL looks suspicious, for example if it contains an embedded URL or the name of a file you don't recognise. Additionally, the HTTP response code will be 200 for a successful request, so requests with other response codes can often be ignored, though it is still possible that a file could have been modified before a response code was given.

If you find an access that relates to the file being modified, then you need to look at the file that request was made to. You can then look at the last-modified time on that file, look for an access in the logs that relates to that, and repeat the process as necessary. It may take a few steps to get to the original access, and that will point to the file in your website that the attacker was able to exploit. When you restore a clean backup of the website, you can make sure to update or remove that part of the site.
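
The log search described above, as an added example that is not part of the original article: it parses Apache combined log entries and lists POST requests, plus GET requests whose URL embeds another URL, made within a few minutes of a file's last-modified time. The sample log lines, the five-minute window and all function names are assumptions made for this illustration, and the modification time must be supplied with its timezone.

```python
import gzip
import re
from datetime import datetime, timedelta, timezone

# Combined log format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+)[^"]*" (?P<status>\d{3}) ')
EMBEDDED_URL = re.compile(r'https?(://|%3A%2F%2F)', re.IGNORECASE)

def read_log(path):
    """Return the lines of a plain or GZIP-compressed access log."""
    opener = gzip.open if path.endswith(".gz") else open
    with opener(path, "rt", errors="replace") as fh:
        return fh.read().splitlines()

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None  # not a combined-format entry
    e = m.groupdict()
    e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e

def requests_near(lines, modified_at, minutes=5):
    """POSTs, and GETs with an embedded URL, within +/- minutes of modified_at."""
    window = timedelta(minutes=minutes)
    hits = []
    for e in filter(None, map(parse_line, lines)):
        if abs(e["time"] - modified_at) > window:
            continue
        if e["method"] == "POST" or EMBEDDED_URL.search(e["url"]):
            hits.append(e)
    # Successful (200) requests first; other codes are kept but listed last.
    return sorted(hits, key=lambda e: (e["status"] != 200, e["time"]))

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2024:03:14:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [12/Mar/2024:03:15:40 +0000] "POST /uploads/form.php HTTP/1.1" 200 312 "-" "curl/8.0"',
    '198.51.100.23 - - [12/Mar/2024:03:16:05 +0000] "GET /index.php?page=http://example.org/a.txt HTTP/1.1" 404 199 "-" "curl/8.0"',
    '192.0.2.44 - - [12/Mar/2024:09:30:11 +0000] "POST /contact.php HTTP/1.1" 200 841 "-" "Mozilla/5.0"',
]
MODIFIED_AT = datetime(2024, 3, 12, 3, 15, 41, tzinfo=timezone.utc)  # constructed

if __name__ == "__main__":
    for e in requests_near(SAMPLE_LOG, MODIFIED_AT):
        print(e["time"], e["host"], e["method"], e["url"], e["status"])
```

To follow the chain back, take the file named in each reported URL, read its last-modified time, and run the search again with that time.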
