cPanel/WHM server sending spam mail

We had a case where one of our customers complained of being blacklisted because his WHM server was sending spam. We had to act fast to stop it. We did the following.

We logged in to the cPanel server as root via SSH and ran the following command to see who (that is, which working directory) sends the most mail:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Once we see which directory the script is located in, we can simply remove it. In our case the file was named LLFF.php. Once it was removed, we ran the command below (with username and domain.net replaced by the account and domain in question)
to see which IP addresses were using the malicious file.

grep "LLFF.php" /usr/local/apache/domlogs/username/domain.net | awk '{print $1}' | sort -n | uniq -c | sort -n
      3 41.105.69.56

Once you have found the IP or IPs, you can block them in your cPanel or perimeter firewall.
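The two triage steps above, wrapped in shell functions that run against constructed log excerpts so the pipelines can be checked offline; this is an added example, not part of the original post, and every path, account name and IP address in it is made up.

```shell
#!/bin/sh
# Added example: reproduce the exim_mainlog and domlog triage steps on
# constructed data. Paths, usernames and IPs below are invented.

# Constructed exim_mainlog excerpt. The "cwd=" field is what Exim logs
# when it records the working directory of a local sender (e.g. a PHP script
# calling sendmail). The /var/spool line is the MTA itself and is excluded.
mk_exim_log() {
  cat > "$1" <<'EOF'
2023-01-01 10:00:01 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:02 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:03 cwd=/home/user2/public_html 3 args: /usr/sbin/sendmail -t -i
2023-01-01 10:00:04 cwd=/var/spool/exim 3 args: /usr/sbin/exim -bd
2023-01-01 10:00:05 cwd=/home/user1/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Step 1: count sending directories (same pipeline as the post) and print
# only the busiest one, which is where to look for the spam script.
top_sending_dir() {
  grep cwd "$1" | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
    | sort | uniq -c | sort -n | tail -n 1 | awk '{print $2}'
}

# Constructed Apache domlog excerpt in combined log format; the first field
# is the client IP. Only the requests for the malicious script matter.
mk_domlog() {
  cat > "$1" <<'EOF'
203.0.113.10 - - [01/Jan/2023:10:00:01 +0000] "POST /wp-content/uploads/LLFF.php HTTP/1.1" 200 512 "-" "curl/7.0"
203.0.113.10 - - [01/Jan/2023:10:00:02 +0000] "POST /wp-content/uploads/LLFF.php HTTP/1.1" 200 512 "-" "curl/7.0"
198.51.100.7 - - [01/Jan/2023:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla"
203.0.113.10 - - [01/Jan/2023:10:00:05 +0000] "POST /wp-content/uploads/LLFF.php HTTP/1.1" 200 512 "-" "curl/7.0"
EOF
}

# Step 2: which client IPs requested the script ($2), as "count ip" lines,
# busiest last. These are the addresses to block at the firewall.
script_callers() {
  grep "$2" "$1" | awk '{print $1}' | sort -n | uniq -c | sort -n
}
```

Run the functions against a real /var/log/exim_mainlog and /usr/local/apache/domlogs file by passing those paths instead of the constructed ones.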