I apologize if this is already asked a million times.
One of the accounts on my server got hacked. An email spam-sending script was injected and is sending a ton of emails to random addresses.
I have cPanel/WHM on my server: WHM 11.38.0 (build 5). It is also CentOS 5.9 x86_64.
I usually don't use cPanel or WHM. I have had it on this server from the start and later I was too busy to set up a non-WHM-based server.
What I did up until now:
- I blocked the problematic account from sending emails at all from WHM
- I executed this command
exim -bp | grep \< | awk '{print $3}' | xargs exim -Mrm
since I had 70k emails in the mail queue. I restarted the server.
Currently I can't easily change the password for that email account.
Is there a way to see what process exactly, or much better what script, is sending those mails and where it is located?
Thank you in advance and if you need some additional info to help me just ask.
EDIT
I have looked in the crontab for that user and there was nothing suspicious in it.
EDIT 2
Here is a screenshot of the top command output, and I have pointed to my suspect:
Aside from the process I pointed to, there are a lot of "mailnull" processes. What can I do about them?
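One defender-side way to answer "which script is sending this" on an exim host is to rank the working directories recorded in the mail log. This is an added example, not part of the original post or of cPanel's tooling; it assumes that message-arrival lines in exim_mainlog carry a cwd= field (true on cPanel's default exim configuration; on other installs it depends on log_selector), and it runs here over constructed sample log lines rather than a real log.

```shell
#!/bin/sh
# Added example: rank the local directories (cwd=) that submitted the most
# messages, from exim_mainlog-style lines. Assumes "<=" (message arrival)
# lines include a cwd= field, as cPanel's exim config does.

# Constructed sample log lines (not real data); the message ids, addresses
# and paths are made up for illustration.
SAMPLE_LOG='2013-06-01 10:00:01 1UiAbC-0001Xy-Ab <= user@example.com U=user P=local S=1234 T="Hello" cwd=/home/user/public_html/wp-content/uploads
2013-06-01 10:00:02 1UiAbC-0001Xz-Cd <= user@example.com U=user P=local S=1234 T="Hello" cwd=/home/user/public_html/wp-content/uploads
2013-06-01 10:00:03 1UiAbC-0001Ya-Ef <= user@example.com U=user P=local S=1234 T="Hello" cwd=/home/user/public_html/wp-content/uploads
2013-06-01 10:00:04 1UiAbC-0001Yb-Gh <= other@example.com U=other P=local S=800 T="Invoice" cwd=/home/other/public_html
2013-06-01 10:00:05 1UiAbC-0001Yc-Ij => remote@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2013-06-01 10:00:06 1UiAbC-0001Yd-Kl <= user@example.com U=user P=local S=1234 T="Hello" cwd=/home/user/public_html/wp-content/uploads'

# Count message arrivals ("<=") per cwd, most frequent first.
# On a real cPanel box: top_sending_dirs < /var/log/exim_mainlog
top_sending_dirs() {
    grep ' <= ' | sed -n 's/.* cwd=\([^ ]*\).*/\1/p' | sort | uniq -c | sort -rn
}

# The single directory with the most submissions (second field of the top line).
busiest_dir() {
    top_sending_dirs | head -n 1 | awk '{print $2}'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | top_sending_dirs
```

The directory at the top of the list is where to look for the injected script; the queue itself can confirm it, since `exim -Mvh <message-id>` prints the headers of a queued message and mail submitted through PHP on cPanel typically carries an X-PHP-Script header naming the script. The "mailnull" processes in top are exim's own queue-runner and delivery workers (mailnull is the user exim runs as on cPanel), so they are the symptom of the full queue rather than the injected script itself.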