Hi Ifx,
Sadly, you really don’t have many options, other than to recover the site from a good backup, and then fully lock it down against future hackers.
The damage has already been done, so there is nothing an outside person can do for you, without login access and a few hours of time to fix.
I recommend you first start by asking your host how far back their backups for your site go. Then backup to the oldest one you are comfortable in doing. That may just get you back up and running nicely again.
Then likewise, work to change all of your passwords, hosting company pass, FTP, email accounts and WordPress admin passwords.
Of course, make sure to update everything immediately following the recovery process.
If you’re able to take a look at a spam e-mail with full headers you can often track down the script/file responsible for it.
PHP has an option to add a custom X-HEADER to the email header part.
It’ll show which script has been responsible for sending the message.
This can be done by adding the following to php.ini:
mail.add_x_header = On
After adding this option you’ll have to wait until a new spam sample is captured and read the message headers looking for something like:
X-PHP-Originating-Script: 33:spammer.php
That will be the culprit. There is likely more than one of those files, so once you track down the one file take a look at the code and see if there are any distinguishing bits that can be used to track down the others.
You can search within the contents of a file by using the ‘grep’ command if you are using an SSH connection. If you have a recent copy of your site locally (or can download your site via FTP) you can just use a regular desktop search in that folder to see if you can find any other scripts/files that look similar.
But restoring from backup is much easier 🙂
