In your SSH session, as root, run:
Code:
lsof -i -n | grep php
Based on this output, you can track down the infected website:
Here we see that PHP run by the user "redcella" is making outgoing HTTP/HTTPS connections to the outside.
Now open Apache status, to find what site is under that account:
Click on "WEB"
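An added example (not part of the original post): a shell function that condenses the lsof output from the first step into one line per account, counting only PHP sockets whose remote end is a web port. The sample input is constructed; the PIDs, addresses and the account "otheruser" are made up, and the function name is hypothetical.

```shell
#!/bin/sh
# Added example: list the accounts whose PHP processes hold outbound
# web connections, from `lsof -i -n` output read on stdin.

# Constructed sample in lsof's default column layout (not real output).
# Addresses are documentation ranges; "otheruser" is a made-up account.
sample_lsof() {
cat <<'EOF'
COMMAND   PID      USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
php     21501  redcella    4u  IPv4 884211      0t0  TCP 192.0.2.10:51544->203.0.113.7:http (ESTABLISHED)
php     21501  redcella    5u  IPv4 884212      0t0  TCP 192.0.2.10:51546->203.0.113.7:https (ESTABLISHED)
php     21777  redcella    4u  IPv4 884519      0t0  TCP 192.0.2.10:51602->198.51.100.23:443 (SYN_SENT)
php-fpm  1180      root    7u  IPv4  20114      0t0  TCP 127.0.0.1:9000 (LISTEN)
php-fpm 22040 otheruser    9u  IPv4 885002      0t0  TCP 127.0.0.1:9000->127.0.0.1:40112 (ESTABLISHED)
httpd    1302    apache    4u  IPv6  20977      0t0  TCP *:http (LISTEN)
EOF
}

# Prints: USER  CONNECTIONS  DISTINCT_REMOTE_ENDPOINTS, busiest account first.
php_outbound_by_user() {
    awk '
        $1 ~ /^php/ {
            # NAME column is "local->remote"; listeners have no "->".
            if (split($9, ends, "->") != 2) next
            port = ends[2]
            sub(/.*:/, "", port)   # text after the last colon, so [v6]:port works
            # Without -P lsof prints service names, so accept both forms.
            if (port !~ /^(80|443|http|https)$/) next
            conns[$3]++
            key = $3 SUBSEP ends[2]
            if (!(key in seen)) { seen[key] = 1; remotes[$3]++ }
        }
        END { for (u in conns) printf "%s %d %d\n", u, conns[u], remotes[u] }
    ' | sort -k2,2nr
}

# On a live server, as root: lsof -i -n | php_outbound_by_user
sample_lsof | php_outbound_by_user
```

The php-fpm line for "otheruser" is dropped because its remote port is not a web port, which keeps local FastCGI traffic out of the result.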