Hi,
On a cPanel server, a PHP script that has been attacked can be used to generate a large volume of spam mail, which abuses the customer's VPS. To stop this, find out which script is vulnerable and is being abused by the attacker.
To locate the spamming script, run this command in a terminal:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
It returns results such as the directory locations the mail was sent from, each with a count.
Now list each of the directories reported:
ls -lahtr <directory path>
Find the <php file> belonging to the username that is sending the mail.
Check which IP is using that .php mailer:
grep <mailerfile> <directory path> | awk '{print $1}' | sort -n | uniq -c | sort -n
If you find that an IP is malicious, it can be blocked with the following command:
# apf -d <ip>
That's it.
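
The two log pipelines above, run end to end over sample logs so the expected output is visible. This is an added example, not part of the original post. The log lines, user names, the file name mailer.php and the IPs are constructed, and the second input is assumed to be a web access log whose first field is the client IP.

```shell
#!/bin/sh
# Added example: the post's two pipelines wrapped as functions, run on constructed logs.

# Rank the working directories that handed mail to Exim (first command in the post).
rank_cwd() {    # $1 = Exim main log
    grep cwd "$1" | grep -v /var/spool \
        | awk -F"cwd=" '{print $2}' | awk '{print $1}' \
        | sort | uniq -c | sort -n
}

# Rank the client IPs that requested a script (second command in the post).
# Assumption: $2 is a web access log whose first field is the client IP.
rank_ips() {    # $1 = script name, $2 = access log
    grep -F -- "$1" "$2" | awk '{print $1}' | sort -n | uniq -c | sort -n
}

# The lists are sorted ascending, so the busiest entry is the last line.
busiest() { tail -n 1 | awk '{print $2}'; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
EXIM_LOG="$WORK/exim_mainlog"
ACCESS_LOG="$WORK/access_log"

# Constructed sample data: users, paths, mailer.php and IPs are made up.
cat > "$EXIM_LOG" <<'EOF'
2024-05-01 10:00:01 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1s1AbC-0001xy-2Z
2024-05-01 10:00:03 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:05 cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:07 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF

cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [01/May/2024:10:00:01 +0000] "POST /wp-content/uploads/mailer.php HTTP/1.1" 200 12
203.0.113.7 - - [01/May/2024:10:00:03 +0000] "POST /wp-content/uploads/mailer.php HTTP/1.1" 200 12
198.51.100.4 - - [01/May/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5120
192.0.2.10 - - [01/May/2024:10:00:06 +0000] "GET /wp-content/uploads/mailer.php HTTP/1.1" 200 12
203.0.113.7 - - [01/May/2024:10:00:07 +0000] "POST /wp-content/uploads/mailer.php HTTP/1.1" 200 12
EOF

echo "Directories handing mail to Exim:"
rank_cwd "$EXIM_LOG"
echo "Clients requesting mailer.php:"
rank_ips mailer.php "$ACCESS_LOG"
echo "Candidate to review before any apf -d: $(rank_ips mailer.php "$ACCESS_LOG" | busiest)"
```

The /var/spool line is filtered out because it is Exim's own queue runner, not a script handing mail to it.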