JohnRex, 2015-09-29 08:18:22
linux

How to find out which PHP script created a file?

Ubuntu Server 14.04 system, Apache2, PHP and more. A virus has got into the system: one of the scripts periodically creates new scripts that send spam from the server. Is it possible to trace which script creates these files?


3 answer(s)
Nurlan, 2015-09-29
@daager

You can try this:
Search for files containing the string "mail(",
or install maldet or clamav,
or search for PHP files changed in the last day:
find /var/www -type f -name '*.php' -mtime -1

justin69, 2015-09-29
@justin69

Have you looked at the logs of the mail server itself? They are under /var/log/, and from there it depends on how your server is installed.

younghacker, 2015-10-15
@younghacker

I don't know the default options.
To quickly shut the problem down, set the immutable attribute with chattr on all files and directories that should not change. This removes the ability to create or modify a file on disk until privileges are elevated to root. In the directories where temporary files are written, add an .htaccess that prevents any files from being interpreted as executable:

php_flag engine 0
AddType "text/html" .php .cgi .pl .fcgi .fpl .phtml .shtml .php2 .php3 .php4 .php5 .asp .jsp
and forbid changing the file itself using immutable:
You can have a bash/python/php script run by cron that walks the specified directory and its subdirectories, compares the list of files against a reference one and, on finding "alien" files or directories, moves them to a special quarantine directory inaccessible from outside and immediately takes a dump of the system logs since its last run. This gives you the log fragments immediately preceding the changes on disk.
Run the script every minute, but track the files from the list by these criteria: name, size, times, attributes. Do not look inside the files, so as not to load the server. If you find an alien file, move it to quarantine. Send yourself a notification at the end of the hour. After that you will have material for analyzing the problem area.
Scripts that send spam are caught in another way. To do this, add rules to iptables that block SMTP traffic and write a log. For example:
-A OUTPUT -o br0 -p tcp -m state --state ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o br0 -m state --state NEW -p tcp -m tcp --dport 25 -d 127.0.0.1 -j ACCEPT
-A OUTPUT -o br0 -m state --state NEW -p tcp -m tcp --dport 25 -m owner --gid-owner mail -j ACCEPT
-A OUTPUT -o br0 -m state --state NEW -p tcp -m tcp --dport 25 -m owner --uid-owner root -j ACCEPT
-A OUTPUT -o br0 -m state --state NEW -p tcp -m tcp --dport 25 -m owner --uid-owner smfs -j ACCEPT
-A OUTPUT -o br0 -m state --state NEW -p tcp -m tcp --dport 25 -j LOG --log-uid --log-prefix "Reject outgoing SMTP "
-A OUTPUT -o br0 -m state --state NEW -p tcp -m tcp --dport 25 -j REJECT --reject-with icmp-admin-prohibited

After that, set up your rsyslog (or whatever you have; zabbix also works) so that it sends a notification when "Reject outgoing SMTP" entries appear in the log. In these rules you can see that the mailer is still allowed, so a spammer script will be able to send spam through the standard mailer. Give it a time window: your task is to catch the spammer script and analyze the logs, especially the HTTP logs, what was called there and with what parameters. If you can do better, then prohibit outgoing traffic on all ports except the allowed 22, 80 and 443 (only very carefully: do not lock yourself out of remote server management).
You can also install a utility that monitors changes in a directory and its subdirectories, for example incron (Inotify cron system). It watches the specified directories and, as soon as the events you selected occur, runs a script; in that script you analyze whether this is the problem or a legitimate operation.
As a more ambitious option, patch PHP so that during disk operations (creating and modifying files) it writes to a special journal. This is quite feasible, but the PHP developers do not consider it important or necessary. Although I admit I may be poorly informed and they are already working on, or have already made, this feature.
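The cron-driven baseline sweep described in the answer above, written out as an added example (this is not code from the thread or from any of its authors). It records a manifest of name, size, times and attributes for every entry under a web root without reading file contents, and on later runs moves entries that are absent from the manifest into a quarantine directory and reports the time window since the previous run so the matching log lines can be pulled. The directory layout, the manifest file name and the sample files in demo() are constructed assumptions.

```python
"""Cron-driven baseline sweep of a web root (added example, not code from the thread).

First run: record a manifest of every entry under ROOT (name, size, times,
mode, owner), as the answer suggests, without reading any file contents.
Later runs: compare the tree against the manifest, move entries that are not
in it to a quarantine directory outside the web root, and report the time
window since the last run so the matching system-log lines can be extracted.
"""
import json
import os
import shutil
import tempfile
import time
from pathlib import Path


def stat_record(path):
    """Metadata used for comparison; file contents are deliberately never read."""
    st = path.lstat()
    return {"size": st.st_size, "mtime_ns": st.st_mtime_ns, "ctime_ns": st.st_ctime_ns,
            "mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}


def build_manifest(root):
    """Map of relative path -> stat_record for every file and directory under root."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            manifest[p.relative_to(root).as_posix()] = stat_record(p)
    return manifest


def save_manifest(manifest, path):
    Path(path).write_text(json.dumps({"generated": time.time(), "entries": manifest}, sort_keys=True))


def load_manifest(path):
    return json.loads(Path(path).read_text())


def compare(baseline, current):
    """Return (alien, changed, missing) lists of relative paths."""
    alien = sorted(k for k in current if k not in baseline)
    changed = sorted(k for k in current if k in baseline and current[k] != baseline[k])
    missing = sorted(k for k in baseline if k not in current)
    return alien, changed, missing


def quarantine(root, qdir, rel_paths):
    """Move unknown entries into qdir/<timestamp>/, keeping their relative layout."""
    root, dest_root = Path(root), Path(qdir) / time.strftime("%Y%m%d-%H%M%S")
    moved = []
    for rel in sorted(rel_paths, key=lambda r: r.count("/")):  # parents before children
        src = root / rel
        if not (src.is_symlink() or src.exists()):
            continue  # already moved together with its parent directory
        dest = dest_root / rel
        dest.parent.mkdir(parents=True, exist_ok=True)
        shutil.move(str(src), str(dest))
        moved.append(rel)
    return moved


def sweep(root, manifest_path, qdir):
    """One cron run: diff against the manifest, quarantine alien entries, report."""
    baseline = load_manifest(manifest_path)
    now = time.time()
    alien, changed, missing = compare(baseline["entries"], build_manifest(root))
    moved = quarantine(root, qdir, alien) if alien else []
    # 'changed' normally includes the directory an alien file appeared in (its
    # mtime moves); it is reported, not quarantined, so the site keeps working.
    return {"alien": alien, "changed": changed, "missing": missing, "moved": moved,
            "log_window": (baseline["generated"], now)}


def demo():
    """Run the whole flow on a constructed tree inside a temporary directory."""
    tmp = Path(tempfile.mkdtemp())
    web, qdir, manifest = tmp / "www", tmp / "quarantine", tmp / "manifest.json"
    (web / "inc").mkdir(parents=True)
    (web / "index.php").write_text("<?php echo 'ok';\n")       # constructed legitimate file
    (web / "inc" / "config.php").write_text("<?php\n")          # constructed legitimate file
    save_manifest(build_manifest(web), manifest)
    # Later: two constructed unknown entries appear, a file and a whole directory.
    (web / "inc" / "x7.php").write_text("<?php /* constructed alien file */\n")
    (web / "cache").mkdir()
    (web / "cache" / "s.php").write_text("<?php\n")
    report = sweep(web, manifest, qdir)
    report["alien_gone"] = not (web / "inc" / "x7.php").exists() and not (web / "cache").exists()
    report["in_quarantine"] = sorted(p.relative_to(qdir).as_posix().split("/", 1)[1]
                                     for p in qdir.rglob("*") if p.is_file())
    shutil.rmtree(tmp)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real host, run sweep() from cron every minute against the saved manifest, regenerate the manifest only after a deliberate deployment, and keep the quarantine directory outside any path Apache serves.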
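The notification step the answer above describes for the "Reject outgoing SMTP" LOG rule, as an added example rather than code from the thread: it parses the kernel netfilter log lines, reads the UID and GID that --log-uid appends, and reports which local user keeps trying to open port 25 and to where. The syslog excerpt is constructed (RFC 5737 documentation addresses, hostname "web"), and the uid-to-name mapping passed in at the bottom is an assumption; on a real host you would take it from pwd.getpwuid().

```python
"""Alerting on the LOG rule's kernel messages (added example, not from the thread).

Parses netfilter log lines carrying the prefix "Reject outgoing SMTP", picks out
the UID/GID appended by --log-uid, and summarises attempts per user. Sample log
lines are constructed; the addresses are RFC 5737 documentation ranges.
"""
import re
from collections import Counter, defaultdict

LOG_PREFIX = "Reject outgoing SMTP"
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed syslog excerpt: three attempts from the web server's user
# (uid 33 is www-data on Ubuntu), one from an admin account, one unrelated line.
SAMPLE_LOG = """\
Sep 29 08:18:22 web kernel: [ 1201.111] Reject outgoing SMTP IN= OUT=br0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 DF PROTO=TCP SPT=40001 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
Sep 29 08:18:23 web kernel: [ 1202.222] Reject outgoing SMTP IN= OUT=br0 SRC=192.0.2.10 DST=203.0.113.7 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=2 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
Sep 29 08:18:24 web sshd[812]: Accepted publickey for admin from 192.0.2.50 port 51234 ssh2
Sep 29 08:18:25 web kernel: [ 1204.333] Reject outgoing SMTP IN= OUT=br0 SRC=192.0.2.10 DST=198.51.100.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=3 DF PROTO=TCP SPT=40003 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=33 GID=33
Sep 29 08:18:26 web kernel: [ 1205.444] Reject outgoing SMTP IN= OUT=br0 SRC=192.0.2.10 DST=203.0.113.9 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4 DF PROTO=TCP SPT=40004 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0 UID=1000 GID=1000
"""


def parse_reject(line):
    """Return the fields of one LOG-rule line, or None for unrelated lines."""
    if LOG_PREFIX not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(LOG_PREFIX, 1)[1]))
    return {
        "time": line[:15],
        "uid": int(fields["UID"]) if fields.get("UID") else None,  # None if --log-uid is off
        "gid": int(fields["GID"]) if fields.get("GID") else None,
        "dst": fields.get("DST"),
        "dport": int(fields["DPT"]) if fields.get("DPT") else None,
    }


def summarize(log_text):
    """Count rejected SMTP attempts per UID and collect the destinations each one tried."""
    per_uid, dests = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_reject(line)
        if rec is None:
            continue
        per_uid[rec["uid"]] += 1
        dests[rec["uid"]].add(rec["dst"])
    return per_uid, dests


def alerts(log_text, threshold=2, names=None):
    """UIDs at or above the threshold, with a user name if a mapping is supplied."""
    names = names or {}
    per_uid, dests = summarize(log_text)
    return [{"uid": uid, "user": names.get(uid, "?"), "attempts": n, "dsts": sorted(dests[uid])}
            for uid, n in per_uid.most_common() if n >= threshold]


if __name__ == "__main__":
    # Constructed uid -> name mapping; on a real host use pwd.getpwuid(uid).pw_name.
    for a in alerts(SAMPLE_LOG, names={33: "www-data", 1000: "admin"}):
        print(a)
```

A hit on the web server's own UID is the signal the answer is after: it means a script run by Apache opened the SMTP connection itself, so the Apache access log for the same seconds shows which request triggered it.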
