Finally we have tracked down how my server was being hacked into. The attacker was able to upload a file called zq.php to "/var/www/html/roundcubemail-0.1.1/logs/zq.php", and it was executed at http://seekqa.co.nz/roundcube/logs/zq.php. I have disabled that file. This is a bad one.
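
A check a defender could run after a finding like this one, as an added example that is not part of the original post: it walks a web root and lists script files sitting under directories that should hold only logs or temporary data. The extension list, the directory names `logs` and `temp`, and the sample tree are assumptions constructed for illustration.

```python
import os
import tempfile

# Assumption: suffixes a typical Apache/PHP setup may hand to the interpreter.
SCRIPT_EXTS = {".php", ".phtml", ".php3", ".php4", ".php5", ".phar"}
# Assumption: directory names that should contain only data the app writes.
DATA_DIRS = {"logs", "temp"}


def find_scripts_in_data_dirs(webroot):
    """Return sorted paths (relative to webroot) of script files found
    anywhere below a directory whose name is in DATA_DIRS."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        rel_dir = os.path.relpath(dirpath, webroot)
        parts = {p.lower() for p in rel_dir.split(os.sep)}
        if not parts & DATA_DIRS:
            continue
        for name in filenames:
            # Look at every dot-separated suffix, case-insensitively, because
            # some handler configurations also run names like "x.php.txt".
            suffixes = {"." + s.lower() for s in name.split(".")[1:]}
            if suffixes & SCRIPT_EXTS:
                hits.append(os.path.join(rel_dir, name))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample layout, modelled on the path named in the post."""
    files = [
        "roundcubemail-0.1.1/index.php",           # application code, expected
        "roundcubemail-0.1.1/logs/errors",         # ordinary log file
        "roundcubemail-0.1.1/logs/zq.php",         # script where only logs belong
        "roundcubemail-0.1.1/temp/cache/a.PHP.txt",  # double suffix, flagged too
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        for hit in find_scripts_in_data_dirs(root):
            print("script file in data directory:", hit)
```

Any hit is a file to inspect, and a reason to confirm that the web server does not serve or execute content from those directories.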