I had this cPanel problem today; actually, it has been there for quite some time, but I didn’t get around to checking it until lately.

My cPanel server was in a compromised state; there was an old Sugar CRM installed on a virtual host that was quite old. That page got hacked, and subsequently that virtual domain got hacked.

Long story short, it took me about 2 hours (it feels like) to track things down, delete / move those compromised pages and kill the process sending out spam.

In the end, run this command:

ps -C exim -fH eww

Now, if you see “mailnull” running, KILL IT!

kill <pid>    <– the number from the PID column of the ps output

This is my output for the ps command:

UID        PID  PPID  C STIME TTY      STAT   TIME CMD
mailnull 32274     1  0 12:15 ?        Ss     0:00 /usr/sbin/exim -bd -q60m

I’d also recommend checking the crontabs in any compromised account, to make sure nothing comes back on you!

Supportexpertz’s post here has a great script to iterate through all the users and show their crontabs, along with how to implement and run it! Thanks!

http://www.webhostingtalk.com/showthread.php?t=885195
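As an added example (not code from the original post, and not the webhostingtalk script it links to), the shell functions below do the two checks described above: pick the exim processes out of ps output, and enumerate every per-user crontab in the cron spool, flagging entries that commonly appear after a web application compromise (download piped into an interpreter, commands living in /tmp or /dev/shm, inline base64 decoding). One thing to keep in mind when reading the ps output: on cPanel, mailnull is the account Exim's own daemon runs under, so a mailnull process running /usr/sbin/exim -bd -q60m is the mail server itself rather than evidence of compromise on its own; in the author's case the spam came from a hacked web application, and the crontab check covers the other usual persistence spot. The functions assume only POSIX sh, awk and grep; the spool directory (assumed to be /var/spool/cron on a CentOS-based cPanel host) and the ps text are parameters, so they can be tried against constructed data before being run as root on a live box.

```shell
#!/bin/sh
# Added example; not code from the original post or from the linked
# webhostingtalk script. Assumes only POSIX sh, awk and grep. The cron spool
# directory and the ps output are parameters, so the functions can be run
# against constructed data as well as on a live host (as root).

# Read ps -f style output on stdin and print "user pid command" for every
# exim process, optionally restricted to one user ($1). The header line and
# any other line whose second field is not a PID are skipped.
exim_processes() {
    awk -v want="${1:-}" '
        $2 !~ /^[0-9]+$/ { next }
        $9 ~ /exim/ && (want == "" || $1 == want) {
            cmd = $9
            for (i = 10; i <= NF; i++) cmd = cmd " " $i
            print $1, $2, cmd
        }'
}

# Print "user: entry" for every active (non-comment, non-blank) line of each
# per-user crontab in the spool directory $1. On a CentOS-based cPanel host
# that directory is assumed to be /var/spool/cron.
list_crontabs() {
    spool="$1"
    for f in "$spool"/*; do
        [ -f "$f" ] || continue
        user=$(basename "$f")
        awk -v u="$user" '
            !/^[ \t]*#/ && !/^[ \t]*$/ { print u ": " $0 }' "$f"
    done
}

# Patterns worth a second look in a crontab on a shared host: a download
# piped straight into an interpreter, commands living in world-writable
# directories, and inline base64 decoding.
SUSPICIOUS_CRON_RE='(wget|curl)[^|]*[|][ \t]*(sh|bash|perl|python)|/tmp/|/dev/shm/|base64[ \t]+(-d|--decode)'

# Print only the crontab entries that match the patterns above.
suspicious_crontab_entries() {
    list_crontabs "$1" | grep -E "$SUSPICIOUS_CRON_RE" || true
}

# Number of matching entries, printed on stdout (0 when the spool is clean).
suspicious_count() {
    list_crontabs "$1" | grep -E -c "$SUSPICIOUS_CRON_RE" || true
}

# On a live host, as root, the same checks become:
#   ps -C exim -fH eww | exim_processes
#   ps -C exim -fH eww | exim_processes mailnull
#   list_crontabs /var/spool/cron
#   suspicious_crontab_entries /var/spool/cron
```

The crontab functions read the spool files directly rather than calling crontab -l -u for each user, so they work on a copy of the spool taken from a box you have already taken offline. The pattern list is deliberately short; anything it flags still needs a human to look at it, and an entry it does not flag is not thereby clean.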