I consider myself a beginner at managing servers. I have some Linux knowledge, I understand some of the necessary command-line commands, and I know how to Google for a command to help me manage my server. I'm a total newbie in server management.
My usual combo for setting up a site is Laravel Forge + a Linode VPS, making use of the auto-deployment and the GUI; there isn't much of an issue maintaining the hosting.
One of my biggest fears came true before I went on a short trip last month. I got an email from Linode because one of my VPSes had been compromised and was sending out spam. Since every site on that VPS uses Git version control, I found out pretty fast that one of the sites had been injected with some additional PHP scripts. I think the hacker uploaded these scripts through an outdated theme that I no longer use. I backed up the hacked site, planning to check it in the future, removed the theme and restored the site to the previous version.
I thought I had solved it, but I was wrong. The spam was still being generated, and all I could do was disable the Sendmail service to avoid sending out any spam. After coming back from the trip I kept thinking about how to solve this issue. Without much server knowledge, I didn't know how to find out what was causing it.
I decided to migrate to a new server after hearing the same recommendation from Linode support as well. After relocating to the new server, it still kept generating and sending out spam; I disabled the Sendmail service on the new server again.
One of my server friends told me to check the server processes and monitor the ports, but I think the issue is not on the server itself. Most likely there is still some script somewhere that generates the spam.
I cleared all the spam and started monitoring the mail queue; once the spam appeared, I noted down the time and tried to search for relevant logs. Finally, I found through the server logs that there were some external calls to a PHP script within my upload folders. That's the reason my server kept generating spam. I didn't commit the upload folder to my git repo, which is why I didn't discover these scripts.
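The procedure described above (note the time a spam message appears in the mail queue, then look in the web server logs for requests that hit a PHP file under an upload folder shortly before it) can be scripted. The following is an added example, not code from the original post: it parses Apache/nginx "combined" format access-log lines, picks out requests to PHP files under upload directories, and matches them against a list of mail-queue timestamps. The log lines, the spam timestamps, and the `UPLOAD_DIRS` paths are constructed for illustration and are assumptions, not the author's real data.

```python
"""Correlate mail-queue timestamps with access-log hits on PHP files in upload dirs.

Added example for this post, not the author's code.  Log lines, spam times and
upload paths below are constructed for illustration.
"""
import re
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format:
# ip - - [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Directories that should only ever hold uploaded data, never executable code
# (assumed layout; adjust to the site being investigated).
UPLOAD_DIRS = ("/uploads/", "/wp-content/uploads/", "/storage/")
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")

# Constructed sample access log: two POSTs to a PHP file under /uploads/,
# one normal image fetch, one normal index hit, and one upper-case .PHP hit.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2019:14:02:11 +0000] "POST /uploads/2018/05/cache.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:14:02:15 +0000] "GET /index.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2019:14:03:40 +0000] "POST /uploads/2018/05/cache.php?x=1 HTTP/1.1" 200 514 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2019:14:10:02 +0000] "GET /uploads/2018/05/photo.jpg HTTP/1.1" 200 88213 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Mar/2019:14:31:09 +0000] "POST /wp-content/uploads/img.PHP HTTP/1.1" 200 310 "-" "curl/7.58"
"""

# Constructed timestamps at which spam showed up in the mail queue (e.g. from mailq).
SPAM_TIMES = [
    datetime(2019, 3, 10, 14, 5, 0, tzinfo=timezone.utc),
    datetime(2019, 3, 10, 14, 32, 0, tzinfo=timezone.utc),
]


def parse_line(line):
    """Parse one combined-format line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def is_php_in_uploads(path):
    """True if the request path is a PHP-like file under an upload directory."""
    lower = path.lower()
    return lower.endswith(PHP_EXTENSIONS) and any(d in lower for d in UPLOAD_DIRS)


def suspicious_hits(lines):
    """Return parsed records for every request that executes PHP from an upload dir."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_php_in_uploads(rec["path"]):
            hits.append(rec)
    return hits


def summarize(hits):
    """Count hits per (path, method), most frequent first."""
    counts = {}
    for h in hits:
        key = (h["path"], h["method"])
        counts[key] = counts.get(key, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def correlate(spam_times, hits, window_minutes=5):
    """For each spam timestamp, list the suspicious requests in the preceding window.

    Keys are ISO-8601 strings of the spam times; values are lists of request paths.
    """
    window = timedelta(minutes=window_minutes)
    result = {}
    for t in spam_times:
        result[t.isoformat()] = [
            h["path"] for h in hits if t - window <= h["time"] <= t
        ]
    return result


if __name__ == "__main__":
    found = suspicious_hits(SAMPLE_LOG.splitlines())
    for (path, method), n in summarize(found):
        print(f"{n:4d}  {method} {path}")
    for when, paths in correlate(SPAM_TIMES, found).items():
        print(f"spam at {when}: {paths}")
```

Run it against a real log with `suspicious_hits(open("/var/log/nginx/access.log"))`; the summary tells you which file to look at and the correlation tells you whether its hits line up with the spam bursts. The path check is case-insensitive because a web server configured to execute `.php` will often execute `.PHP` too.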
After removing these scripts, my server has been spam-free for the past 24 hours.