Top and ps just simply shows httpd, it doesn't show the page being accessed. If I access the /server-status page for the server, it simply shows ubbthreads.php.
I understand that old 6.5.x versions had an exploit available. I don't believe I am affected by this. I can't find any cause for it. No extraneous user accounts, all ports can be accounted for via netstat, no hidden files or processes that I can find.
Here's my current load without shoutbox:
22:57:55 up 110 days, 7:54, 3 users, load average: 1.40, 1.72, 1.85
I just turned on the shoutbox and here's the load:
23:04:42 up 110 days, 8:01, 3 users, load average: 3.02, 2.41, 2.08
23:08:23 up 110 days, 8:05, 3 users, load average: 3.15, 2.68, 2.25
What I also don't get is that CPU, memory, and IO usage seem low enough that the load reporting shouldn't be this high. It's not touching swap.
88 processes: 87 sleeping, 1 running, 0 zombie, 0 stopped
CPU states: cpu user nice system irq softirq iowait idle
total 45.8% 0.0% 4.1% 0.3% 0.4% 0.0% 49.1%
cpu00 44.7% 0.0% 3.1% 0.0% 0.1% 0.0% 51.8%
cpu01 46.9% 0.0% 5.1% 0.7% 0.7% 0.0% 46.3%
Mem: 1538872k av, 1380464k used, 158408k free, 0k shrd, 121344k buff
771500k actv, 166136k in_d, 24252k in_c
Swap: 1156660k av, 0k used, 1156660k free 812496k cached
I have 230 people online viewing the forums right now. Pretty normal traffic with about a high of 300-325 maybe during the day.
I think there's too much of a coincidence.