Forum Moderators: phranque
First the introduction:
I have a main account on a server using cPanel and some websites under this account. Two months ago I found two folders with random names like "Zxjj" and "nmid", for example. I analyzed the PHP files inside. The files were doing some cloaking, showing a lot of "recipes" info and promoting subjects about Iran but showing something different to search engines. The directories were deleted.
Yesterday two new folders appeared again. I have a copy of them and analyzed them; this time I have no clue what they do. [If someone is interested in seeing the code, PM me.] These files have lines making reference to the htaccess... ouch.
I checked my htaccess and it is fine. I already deleted everything.
Some details:
I use two CMSs I created myself. Secure, yes, verified. I also have a WordPress blog hosted on the server and nothing was modified there, just the main folder of my main account on cPanel where I have installed openads.
The two folders appearing yesterday also have random names.
I already changed my cPanel/FTP password to something safer.
I know I have to analyze log files, but I can't find any.
Any advice on how to begin checking for the open door will be appreciated. Nothing has been deleted and the site is up, but I know the dangers, like using my sites to do bad things, modifying content or AdSense pub IDs or whatever, even injecting files that will serve the hackers in the future. I know.
Any advice welcome.
Thanks in advance.