All this tools can help you to track spam and infected scripts but experienced admin assistance is always needed.


Check this for tracking setup by using headers

Using maldet (Malware scanner)

Update Maldet

maldet -u 

Scan public_html folder of infected user account

maldet -a /home/USERNAME/public_html

Using ClamAV (Clam Antivirus)

clamscan -r /home/USERNAME/public_html | grep FOUND

If you have noticed that spamming started today then you can search files modified in eg. last two days

find /home/USERNAME/public_html -ctime -2 -name "*.php"

Injected encoded upload code
Mostly hackers inject encoded part of php code in your website files so that they could always spam from your account/server.
Check for encoded part of code mostly added as a first line in each file

grep -nr strtoupper /home/USERNAME/public_html |grep eval

or

for i in `find /home/USERNAME/public_html/ -name "*.php"`;do head -n 1 $i|grep "eval" && echo $i;done

Get only filenames

grep -nr strtoupper /home/USERNAME/public_html|grep eval|awk -F: {'print $1'}

Don’t forget that you can also check apache logs in folder
/usr/local/apache/logs/

How to remove hackers symlink files

find /home/USERNAME/public_html -name "*.php" -type l -exec unlink {} \;

Find all files modified between 2015-12-19 – 2015-12-20

find . -name "*.php" -newermt 2015-12-19 ! -newermt 2015-12-20 -type f
Don’t forget to install mod security with automatic update of rules within you CWP to prevent any further hacking of your sites.