It is an unfortunate fact of life that web servers get hacked, through many different vectors including outdated scripts, compromised CMS platforms, weak passwords and many, many others. In such situation, you may receive an abuse notification via email requesting that action be taken to stop outbound abusive behaviour from being carried out on your server.
First, let's grab a list of all processes running on the server, along with all of their gory details:
/bin/ps axfwwwe -eo ppid,pid,uid,cmd --sort=ppid
Usually this gives enough clues to find out the cheeky culprit, allowing you to begin killing processes (kill -9 XXX, etc) and deleting or moving the hacked files. If you're struggling and know that there is abusive behaviour occurring at this very moment, grabbing a list of all open files will give some extra insight:
/usr/sbin/lsof -Pwn
And finally, for that extra confirmation, we can use netstat to verify all currently active network connections which will give you the concrete evidence to find which processes are behaving badly:
/bin/netstat -anpe
Hopefully this helps you on your sysadmin cleanup journey!
