Prevent PHP Scripts from being executed

Everyday I get this type of alerts from my CSF/LFD.

Code:

-------------------------------------------------------------------
Time:         Wed Mar 20 09:08:27 2019 -0400
Account:      mvandammeadmin
Resource:    Virtual Memory Size
Exceeded:     480 > 400 (MB)
Executable:  /opt/cpanel/ea-php56/root/usr/bin/php-cgi
Command Line: /opt/cpanel/ea-php56/root/usr/bin/php-cgi
PID:          17598 (Parent PID:4946)
Killed:       No
-------------------------------------------------------------------

It executes some PHP scripts even though some of these users don't even have a website so no PHP enabled.
I suspect they use it to send spam from my server.
I've been making some scans with maldet, and it always finds some threats like below.
I've deleted the quarantine as well, but they always come back.
How can I
1. Get rid of them
2. Prevent these users to execute PHP scripts

Code:

-------------------------------------------------------------------
PATH:       
TOTAL FILES:  624239
TOTAL HITS:    13
TOTAL CLEANED: 0
FILE HIT LIST:
{HEX}php.malware.magento.594 : /home/labellev/logs/example.net-Mar-2019.gz => /usr/local/maldetect/quarantine/example.net-Mar-2019.gz.1351819726
{HEX}php.malware.magento.594 : /home/gruadmin/logs/gruman.be-Mar-2019.gz => /usr/local/maldetect/quarantine/examplen.be-Mar-2019.gz.253081703
HEX}php.malware.magento.594 : /home/pitadmin/logs/example.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.2465528531
{CAV}Win.Malware.Tspy-6881358-0 : /home/noureddine/mail/new/1510582942.M291710P29496.host.example.com,S=723485,W=732951 => /usr/local/maldetect/quarantine/1510582942.M291710P29496.host.example.com,S=723485,W=732951.901425328
{HEX}php.malware.magento.594 : /home/bswiadmin/logs/bswi.org-Mar-2019.gz => /usr/local/maldetect/quarantine/example.org-Mar-2019.gz.614021638
{HEX}php.malware.magento.594 : /home/belilanadmin/logs/example.com-Mar-2019.gz => /usr/local/maldetect/quarantine/example.com-Mar-2019.gz.1486125888
{HEX}php.malware.magento.594 : /home/cofigestionadmin/logs/example.x-Mar-2019.gz => /usr/local/maldetect/quarantine/example.x-Mar-2019.gz.1505625503
{CAV}Win.Dropper.Noon-6859637-0 : /home/abscompadmin/mail/example.tld/bens7361/new/1550059523.M898897P13920.host.example.com,S=356673,W=362542 => /usr/local/maldetect/quarantine/1550059523.M898897P13920.host.example.com,S=356673,W=362542.124011249
{CAV}Doc.Dropper.Agent-6894268-0 : /home/tactical5/mail/new/1536953117.M439893P10375.host.example.com,S=54107,W=54843 => /usr/local/maldetect/quarantine/1536953117.M439893P10375.host.example.com,S=54107,W=54843.2397617671
{CAV}Rtf.Exploit.CVE_2018_0802-6825822-0 : /home/tactical5/mail/new/1526991608.M30806P16669.host.example.com,S=40566,W=41146 => /usr/local/maldetect/quarantine/1526991608.M30806P16669.host.example.com,S=40566,W=41146.25329486
{CAV}Rtf.Dropper.Agent-6857133-0 : /home/tactical5/mail/example.0/simon/new/1544467112.M472641P9416.host.example.com,S=69343,W=70316 => /usr/local/maldetect/quarantine/1544467112.M472641P9416.host.example.com,S=69343,W=70316.2357125895

{HEX}php.malware.magento.594 : /home/eukoshermen/logs/example.eu-Mar-2019.gz => /usr/local/maldetect/quarantine/example.eu-Mar-2019.gz.571425162

{HEX}php.malware.magento.594 : /home/kriwinadmin/logs/example.be-Mar-2019.gz => /usr/local/maldetect/quarantine/example.be-Mar-2019.gz.56134332