Domain and sub-domain issues/MySQL injection?

I have a client site I built and have maintained for years. The client asked me recently to make some changes. It was running Concrete 8.5.2 and PHP 5.6. So I decided to upgrade to 8.5.7 and PHP 7.13. I tested on my local copy using MAMP Pro and it seems to be working fine. My client is running their site on a Virtual Server running Apache. So I proceeded to upgrade the live site as well. After the upgrade, it seems, because I didn’t really go through the site before I updated it, seeing as though my local upgrade was fine, it started exhibiting very odd behavior. After a click or two on the main navigation, I started to see a random sub-domain appear in the URL of every link. So instead of domain.com/pagename I was seeing random-word.domain.com/pagename or random-word.domain2.com/pagename where domain2 was a domain the client actually owned but did not use. Once the sub domain appeared, it appeared in most links with the same word. I downloaded a copy of the SQL file, and the links were changed in the database! I took the copy and expunged all references to the sub-domain and the domain2 and reuploaded it to the server. It worked fine for a bit and then the bad URLs started appearing again. I tried this a couple of times with the same result. I scanned the site, I searched through the site manually, no indication of malware or errant code. Client deleted references to the second domain in the CPanel, I changed the passwords to both the CPanel and the MySQL user attached to the account and tried it again with the same result. Has anyone come across this and a solution? Barring wiping the virtual server and starting over or moving to another CMS I can’t think of anything else. Client likes Concrete (as do I), so we would prefer to keep it. Thanks.

Have you check all the Redirect code? Look in the config folders (\application\config\generated_overrides) site.php etc check nothing is in there.

If you give me Cpanel access I can take a look PM me!!