Locate spam scripts in Exim WHM

From time to time you might find that some scripts have been compromised for a particular user's website (Wordpress, Joomla, etc). To identify the directory from where these scripts are spammming you can run the following command in the terminal:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

You will receive a print out of which user directories are sending mails and the number of mails sent for each directory. For each directory you can run the following command to determine what scripts are contained therein:

ls -lahtr /someuser/public_html/data

Once you have identified the sneaky script you can run the following command to find the IP address which is calling this script and the number of times which each IP has accessed this script:

grep "sneakyscript.php" /home/someuser/access-logs/userdomain.com | awk '{print $1}' | sort -n | uniq -c | sort -n

Once you have identified the violating IP, you are able to block them in the firewall with the following command:

apf -d 56.34.87.128 "Spam script in /home/someuser/public_html/data"

Many thanks to Jacob Nicholson for the reference