I had this CPanel problem today, actually it’s been for quite some time but I didn’t get around to checking it until lately.
My CPanel server was in a compromised state, there was an old Sugar CRM installed on a virtual host that was quite old. That page got hacked and subsequently that virtual domain got hacked.
Long story short is it took me about 2 hours (it feels like) to tack things down, delete / move those compromised pages and kill the process sending out spam.
In the end run this commands:
ps -C exim -fH eww
Now, if you see “mailnull” running, KILL IT!
kill pid <– here
This is my output for the ps command:
UID PID PPID C STIME TTY STAT TIME CMD
mailnull 32274 1 0 12:15 ? Ss 0:00 /usr/sbin/exim -bd -q60m
I’d also recommend just checking your crontabs in any compromised account to make sure something won’t come back on you!
Supportexpertz posts here had a great script to iterate through all the users and show their crontabs and how to implement / run it! Thanks!