This is shot in the dark but I have a customer who keeps getting random files dropped into his domain. The hacker must have a backdoor somewhere or in several places to be able to add the file even after it's removed and in different places.

I just can't find it anywhere.

I was thinking I could do a file content search if there was a common denominator with all or most back door scripts. Like an upload snippet or something.

Thanks,
Charles

Sorry.

distribution - Centos
version - 6.5
hardware details - Intel server mobo, raid 10, 96 gigs of ddr ram, enterprise hard drives
application version - Apache 2.2 with CPanel
exact error messages where applicable. - In the web public space of the domain, /home/username/public_html/ there is a file that allows a hacker access to add more files which are being used to send mass email. Our system blocks the email from being sent but it still is an issue that the hacker can add files into the public domain.

The files that are added are using phpmailer to send the mail.

The file used to allow the hacker access we cannot find.

Wordpress or anything like that?

Yeah it has WHMCS a hosting manager script.

That is the only php files that are on the site. So it has to be in there somewhere and all the drop files are in the scripts folder as well which is kind of a clue.