Check this for tracking setup by using headers

Using maldet (Malware scanner)

Update Maldet

maldet -u 

Scan public_html folder of infected user account

maldet -a /home/USERNAME/public_html

Using ClamAV (Clam Antivirus)

clamscan -r /home/USERNAME/public_html | grep FOUND

If you have noticed that spamming started today then you can search files modified in eg. last two days

find /home/USERNAME/public_html -ctime -2 -name "*.php"

Injected encoded upload code
Mostly hackers inject encoded part of php code in your website files so that they could always spam from your account/server.
Check for encoded part of code mostly added as a first line in each file

grep -nr strtoupper /home/USERNAME/public_html |grep eval

or

for i in `find /home/USERNAME/public_html/ -name "*.php"`;do head -n 1 $i|grep "eval" && echo $i;done

Get only filenames

grep -nr strtoupper /home/USERNAME/public_html|grep eval|awk -F: {'print $1'}

Don't forget that you can also check apache logs in folder
/usr/local/apache/logs/

How to remove hackers symlink files

find /home/USERNAME/public_html -name "*.php" -type l -exec unlink {} \;

Find all files modified between 2015-12-19 - 2015-12-20

find . -name "*.php" -newermt 2015-12-19 ! -newermt 2015-12-20 -type f

Other useful scripts for spam tracking

find . -type f -name '*.php' -print | xargs grep -i x29
find . -type f -name '*.php' -print | xargs grep -i x29|awk -F: {'print $1'}
find . -type f -name '*.php' -print | xargs grep -E '[0-9a-zA-Z/]{80}'
find . -type f -name '*.php' -print | xargs grep -E '[0-9a-zA-Z/]{80}'|awk -F: {'print $1'}

PHP Mail Log (sent from php scripts)

/usr/local/apache/logs/phpmail.log