I got a page last night about the load on one of my customer's servers being pretty high. I jumped on to find some random processes that were running as the apache user. Finding these processes isn't too difficult as long as you know what user apache typically runs as and where to find the PID of the real parent apache process. Here's an example:
$ ps -aef | grep '[a]pache' | grep -vw "$(cat /var/run/httpd.pid)"
Any running process whose line in the listing doesn't also contain the PID of the parent will be displayed. You can then find more details about the process, such as where the executable really lives and its command environment, in the PID's directory on the /proc filesystem.
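The same check done on the PID and PPID columns instead of a text match, followed by the /proc lookup, as an added example that is not part of the original post. It assumes the web server user is named apache and that legitimate workers are direct children of the PID in httpd.pid; the function names and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post); names and sample data are constructed.

# find_strays USER PARENT_PID
# Reads "pid ppid user args..." lines on stdin (the output format of
# `ps -eo pid=,ppid=,user=,args=`) and prints processes owned by USER that
# are neither the parent httpd nor one of its direct children.
find_strays() {
    awk -v user="$1" -v parent="$2" '
        $3 == user && $1 != parent && $2 != parent { print }
    '
}

# proc_details PID
# Shows where the binary really lives and how it was started, from /proc/PID.
proc_details() {
    pid=$1
    [ -d "/proc/$pid" ] || return 1
    echo "  exe:     $(readlink "/proc/$pid/exe" 2>/dev/null)"
    echo "  cwd:     $(readlink "/proc/$pid/cwd" 2>/dev/null)"
    echo "  cmdline: $(tr '\0' ' ' 2>/dev/null < "/proc/$pid/cmdline")"
    echo "  environ: $(tr '\0' ' ' 2>/dev/null < "/proc/$pid/environ")"
}

# Constructed sample listing: 2101 is the parent httpd, 2150/2151 are workers,
# 9912 was reparented to init and 9920 was spawned by a worker.
sample_ps() {
cat <<'EOF'
 2101     1 root     /usr/sbin/httpd
 2150  2101 apache   /usr/sbin/httpd
 2151  2101 apache   /usr/sbin/httpd
 9912     1 apache   ./eggdrop bot.conf
 9920  2150 apache   sh -c /tmp/.x/run
 3001     1 mysql    /usr/libexec/mysqld
EOF
}

# On a live host, run as root so exe and environ are readable:
#   ps -eo pid=,ppid=,user=,args= | find_strays apache "$(cat /var/run/httpd.pid)"
sample_ps | find_strays apache 2101 | while read -r pid rest; do
    echo "stray: $pid $rest"
    proc_details "$pid" || echo "  (pid $pid is not present on this host)"
done
```

A readlink result on exe that ends in "(deleted)" means the binary was removed from disk after it was started.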
This particular customer had a few eggdrops running on his machine that can suck up valuable CPU cycles doing (usually) malicious things to other people's boxes around the net. Getting rid of them will not only stabilize this host, but others out there. The next big task is to find out how the applications got installed to begin with. Time to start digging through PHP code that allows file uploads and doesn't restrict file extensions.
