First of all I would like to apologise if the solution is on this board somewhere, i did search for 15 mins but I couldnt locate it, if you can point me to the thread then I would appreciate it.
On to the problem, running a top comes up with something like this:
PID USER PRI NI SIZE RSS SHARE STAT %CPU %MEM TIME CPU COMMAND
2851 nobody 25 0 3128 3128 1520 R 38.8 0.1 15:32 1 perl
9093 nobody 19 0 38648 37M 6808 R 5.4 1.8 0:00 0 httpd
8322 root 39 19 14444 14M 1740 D N 3.3 0.7 36:31 1 cpanellogd
6567 nobody 16 0 41860 40M 11712 R 1.1 2.0 0:03 0 httpd
3709 gwbaker 15 0 25292 24M 2164 D 0.4 1.2 0:24 0 spamd
8190 nobody 15 0 38752 37M 8452 R 0.1 1.8 0:00 1 httpd
The first perl process is the concern here. If i run top -ci it shows the perl process as "sendmail: accepting connections"
now i have tried kill -9 2815 which kills the process, but only for it to start up again instantly. This process is using a lot of cpu and I must admit I am quite inexperienced but since its using sendmail i am assuming it is something to do with a user spamming. because however it shows the user as nobody I cannot suspend their account and its causing a high load on our server. I would appreciate if anyone could help me as to tracking down what user it is, either by checking mail logs somewhere(?) or by finding out which user is running this perl script.
You should take a closer look and find out what exactly is that process as it might not be what you are thinking, your box might be compromised, i'm saying it just because it is showing as perl, as it might be some perl script being run as user nobody, after hacking apache/php