All these tools can help you track spam and infected scripts, but experienced admin assistance is always needed.
Check this for tracking setup by using headers
Using maldet (Malware scanner)
Update Maldet
maldet -u
Scan public_html folder of infected user account
maldet -a /home/USERNAME/public_html
Using ClamAV (Clam Antivirus)
clamscan -r /home/USERNAME/public_html | grep FOUND
If you have noticed that spamming started today, you can search for files changed in, e.g., the last two days
find /home/USERNAME/public_html -ctime -2 -name "*.php"
Injected encoded upload code
Hackers mostly inject an encoded piece of PHP code into your website files so that they can keep sending spam from your account/server.
Check for an encoded piece of code, mostly added as the first line of each file
grep -nr strtoupper /home/USERNAME/public_html |grep eval
or
find /home/USERNAME/public_html/ -name "*.php" -exec sh -c 'head -n 1 "$1" | grep "eval" && echo "$1"' sh {} \;
Get only filenames
grep -nr strtoupper /home/USERNAME/public_html | grep eval | awk -F: '{print $1}'
Don't forget that you can also check the Apache logs in the folder
/usr/local/apache/logs/
How to remove hackers' symlink files
find /home/USERNAME/public_html -name "*.php" -type l -exec unlink {} \;
Find all files modified between 2015-12-19 and 2015-12-20
find . -name "*.php" -newermt 2015-12-19 ! -newermt 2015-12-20 -type f
Other useful scripts for spam tracking
find . -type f -name '*.php' -print0 | xargs -0 grep -i x29
find . -type f -name '*.php' -print0 | xargs -0 grep -i x29 | awk -F: '{print $1}'
find . -type f -name '*.php' -print0 | xargs -0 grep -E '[0-9a-zA-Z/]{80}'
find . -type f -name '*.php' -print0 | xargs -0 grep -E '[0-9a-zA-Z/]{80}' | awk -F: '{print $1}'
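The checks above combined into one triage pass that prints each suspicious file once with every indicator it hit. This is an added example, not part of the original page; the function names, indicator labels and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page): combine the page's indicators
# into one report line per suspicious *.php file.

check_file() {
    f=$1; hits=""
    # Report symlinked .php files without reading through the link.
    if [ -L "$f" ]; then printf '%s\tsymlink\n' "$f"; return 0; fi
    head -n 1 "$f" | grep -q 'eval' && hits="$hits,first_line_eval"
    grep 'strtoupper' "$f" | grep -q 'eval' && hits="$hits,strtoupper_eval"
    grep -qi 'x29' "$f" && hits="$hits,hex_x29"
    grep -qE '[0-9a-zA-Z/]{80}' "$f" && hits="$hits,long_encoded_run"
    [ -n "$hits" ] && printf '%s\t%s\n' "$f" "${hits#,}"
    return 0
}

scan_tree() {
    # read -r keeps filenames containing spaces intact.
    find "$1" -name '*.php' \( -type f -o -type l \) | sort |
        while IFS= read -r f; do check_file "$f"; done
}

make_sample() {
    # Constructed, inert sample tree used only to exercise scan_tree.
    d=$1; mkdir -p "$d/wp content"
    run=$(printf '%090d' 0 | tr 0 A)   # 90-character filler, not a payload
    printf '<?php\necho "hello";\n' > "$d/index.php"
    printf '<?php eval(strtoupper("%s")); ?>\n<?php echo 1;\n' "$run" \
        > "$d/wp content/cache.php"
    printf '<?php\n$s = "\\x28\\x29";\n' > "$d/hex.php"
    ln -s "$d/index.php" "$d/link.php"
}

# Demo run on the constructed tree.
demo=$(mktemp -d) && make_sample "$demo" && scan_tree "$demo"
rm -rf "$demo"
```

On a real account, run scan_tree /home/USERNAME/public_html and review the files with the most indicators first; a hit is a reason to inspect the file, not proof of infection.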
PHP Mail Log (sent from php scripts)
/usr/local/apache/logs/phpmail.log