Web Hosting Talk

Spam ?


Tamranda_Ankit
12-14-2004, 08:32 AM
Hello,

Take a look at this :
Pid Owner Priority Cpu % Mem % Command
19473 root 0 1.9 0.7 /usr/sbin/exim -1CeBi3-00054F-6g
19406 root 0 1.7 0.7 /usr/sbin/exim - mvCeBi0-00053J-I1
19431 root 0 1.7 0.7 /usr/sbin/exim
19443 root 0 1.7 0.7 /usr/sbin/exim
19484 root 0 1.7 0.7 /usr/sbin/exim
19490 root 0 1.7 0.7 /usr/sbin/exim
19404 root 0 1.5 0.7 /usr/sbin/exim
19476 root 0 1.5 0.7 /usr/sbin/exim
19480 root 0 1.3 0.7 /usr/sbin/exim
19495 root 0 1.3 0.6 /usr/sbin/exim
19487 mailnull 0 1.1 0.6 /usr/sbin/exim

Seems a lot of processes have been started on the Server by exim.
Also the Server load is high.

When I take a look at CPU/Memory/MySQL Usage, I find this :
User Domain %CPU %MEM Mysql Processes
root 12.10 9.52 2.0
Top Process %CPU 60.3 /usr/bin/perl -w /usr/sbin/eximstats
Top Process %CPU 11.0 /usr/sbin/exim -Mc 1Ce9wO-0002WN-Nv
Top Process %CPU 10.0 /usr/sbin/exim -Mc 1CeAil-0005W3-LF
mailnull 6.78 6.47 0.0
Top Process %CPU 12.0 /usr/sbin/exim -Mc 1CeBGd-0007VF-Ar
Top Process %CPU 11.0 /usr/sbin/exim -Mc 1CeBjf-0005Zs-LF
Top Process %CPU 5.0 /usr/sbin/sendmail -t -i

Could this be a spammer trying to send bulk mails from the box?

Wehodef
12-14-2004, 09:43 AM
Did you have a look at your mail queue?
As I see the stats, I could say something wrong is going on. As exim is included, there's a big chance that it's a spam issue.

Any more details ?

Hope this helps.
Rom.

Tamranda_Ankit
12-14-2004, 10:23 AM
Well, I did some searching & checked the mail headers.

I found out that 'nobody' is sending out the emails ...

For the time being I have disabled nobody from sending email.

Is there a way to find out which user is associated with these mails? Or can I find the location of the script sending out the mails?

nybble
12-14-2004, 10:27 AM
If you are not getting any reports it may just be a spam problem.
In most cases, if there is spam coming off your box you hardly need to look - someone WILL let you know if you let it go long enough.

Not saying this is a good way to do it, just saying that if nobody has reported it chances are it may not be spam.

If you run cpanel, in WHM you will see a link called 'manage mail queue' which will show you messages in the queue & the option to view them.

If you do in fact see there are a stack of messages there you may want to enable phpsuexec & suexec then wait for reports to come in. Doing this will send mail from the username@your.host.name and will make it easier for you to track.

There are other ways around it, of course; you could edit exim to log message scripts and so on, but for the most part, if they use a php script, turning on phpsuexec and then doing a simple ps aux will give you an idea of what may be going on.

You may also want to cd /var/log; tail -f exim_mainlog and see what you can see in there.
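The log check suggested in this post, and the question above about which user is behind the queued mail, as an added example that is not code from the thread or from cPanel/Exim: a small POSIX sh script that summarizes exim_mainlog arrival lines. In Exim's main log a "<=" line records a message arriving, and for local submissions (P=local, which is what a PHP mail() or sendmail -t -i call produces) the U= field is the Unix user that invoked exim. Without phpsuexec that user is "nobody" for every web script, which is exactly why the thread can't tell accounts apart; with phpsuexec it becomes the account name. The log lines, hostnames, users and message ids below are constructed samples, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): summarize exim_mainlog arrival lines by the
# local submitting user (U=) and by envelope sender. Sample log is constructed.

make_sample_log() {
    # $1 = path to write. "<=" = message arrived; "=>" = delivery attempt.
    # Under a non-suexec Apache every PHP mail() call shows up as U=nobody,
    # regardless of which account owns the script (all values constructed).
    cat > "$1" <<'EOF'
2004-12-14 08:30:01 1CeXa1-000AA1-Aa <= bulk@example.invalid U=nobody P=local S=2048 T="cheap stuff"
2004-12-14 08:30:02 1CeXa2-000AA2-Bb <= bulk@example.invalid U=nobody P=local S=2051 T="cheap stuff"
2004-12-14 08:30:02 1CeXa2-000AA2-Bb => victim@example.invalid R=lookuphost T=remote_smtp H=mx.example.invalid [192.0.2.10]
2004-12-14 08:30:03 1CeXa3-000AA3-Cc <= bulk@example.invalid U=nobody P=local S=2049 T="cheap stuff"
2004-12-14 08:31:10 1CeXb1-000AB1-Dd <= alice@site.invalid U=alice P=local S=900 T="invoice"
2004-12-14 08:32:44 1CeXc1-000AC1-Ee <= bob@site.invalid H=mail.site.invalid [192.0.2.20] P=esmtp S=1200 T="hi"
EOF
}

# Arrivals per local submitting user. Output lines: "<count> <user>", highest first.
# SMTP arrivals carry no U= field, so they are not counted here.
top_local_users() {
    awk '$4 == "<=" {
            for (i = 5; i <= NF; i++)
                if ($i ~ /^U=/) { u = substr($i, 3); count[u]++ }
         }
         END { for (u in count) print count[u], u }' "$1" | sort -rn
}

# Arrivals per envelope sender ($5 on a "<=" line). Output: "<count> <sender>".
top_senders() {
    awk '$4 == "<=" { count[$5]++ }
         END { for (s in count) print count[s], s }' "$1" | sort -rn
}

# Message ids submitted by one local user, for follow-up on the real box with
# "exim -Mvh <id>" (headers) or "exim -Mvb <id>" (body) to find the script.
ids_for_user() {
    awk -v want="U=$2" '$4 == "<=" {
            for (i = 5; i <= NF; i++) if ($i == want) print $3
         }' "$1"
}

# Stand-alone demo (assumes a writable /tmp): sh script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    make_sample_log /tmp/exim_mainlog.sample
    echo "Messages per local user:";  top_local_users /tmp/exim_mainlog.sample
    echo "Messages per sender:";      top_senders /tmp/exim_mainlog.sample
    echo "Ids submitted by nobody:";  ids_for_user /tmp/exim_mainlog.sample nobody
fi
```

On a live box you would point the functions at /var/log/exim_mainlog instead of the sample. A large count against a single U= user that does not match any envelope sender is the signature the thread is looking at; once phpsuexec is on, the same report names the account, and the ids feed straight into exim -Mvh to read the headers of a queued message.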

Tamranda_Ankit
12-14-2004, 10:41 AM
I already checked the mail queue ...
There are currently 25563 messages in the mail queue. :O

Also, I do have suexec enabled but WHM still says nobody is running it.

One more thing ... WHM says this: suexec allows cgi scripts to run with the user's id. It will also make it easier to track which user has sent out an email. If suexec is not enabled, all cgi scripts will run as nobody.

I have enabled suexec from WHM ... does that mean only cgi scripts will run with the username, & if so, how can we also force php scripts to run with the username?

nybble
12-14-2004, 10:46 AM
You need phpsuexec to make php run as a user.

You will find this option in easyapache, in WHM (or by hand...).

In the case of WHM you will see it under Software -> Update Apache

Make sure you have PHP suEXEC Support & suEXEC Module.