Hello,After I sent this I found this post:
http://blog.rimuhosting.com/2012/09/20/finding-spam-sending-scripts-on-your-server/
Which says:With these in place your emails will have the following headers
X-PHP-Originating-Script: 33:ok.php
The 33 is the UID, the ok.php was the script sending me the spam.
So I didmailq#then to display one of the emails:
postcat -vq A2729AE31F
....#I found the X-PHP-Originating-Script:X-PHP-Originating-Script: 33:
checkoutDj4.php#thenupdatedblocate checkoutDj4.phpand here it is:
/usr/share/wordpress/wp-content/themes/itheme/checkoutDj4.phpI deleted this file and others who were created there on Dec 5th. Now how were they able to save a file in there?