/usr/local/apache/bin/httpd -t

It could be a php exploit. You really need to identify the PID of one of those processes, then run:

lsof | grep PID

It will likely spew out a load of normal apache files, but if it's an exploit, one of them won't be right. Likely, it will have a file open in /tmp or /var/tmp of /dev/shm

 

Oh, I see, you're looking at the stats within cPanel. I guess that could be innocent. You really need to monitor the server from shell using top

You can usually tell if you've got problem services by running the following and seeing if any unexpected ports are open:

netstat -lpn

 

Did u ever run a httpd -t for syntax check?

Anup

 

Try ps -u nobody

and ps -axfu

And post your results. That could be apache, as Cpanel's process list is slow, and a joke really, or it could be a hanging around process running from a spawned apache process.

 

I do something like this every time I get on one of my servers (there always seem to be some rogue nobody processes with psybnc's running in them)

Code:

ps auxw | grep nobody

I find the pid of the most-suspicious looking httpd process (sometimes they even have extra characters or arguments padded at the end of them), and do this:

Code:

ls -la /proc/pid

So, if the process id was something like 1533, then I would type

Code:

ls -la /proc/1533

You should be able to tell just by looking at that whether it's legitimate. You might also be able to get further information from

Code:

cat /proc/pid/environ

Good luck!