Hmm. Might be a process masking the command line. Not sure if there’s a way to do this through htop, top, ps, etc. but you can get the PID (number usually shown in the first column in htop) then do ls -l /proc/1234/exe (where 1234 is the PID) and you’ll be able to see the path of the executable.
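The /proc lookup from the reply above, written out as a small defender-side audit script (an added example, not code from anyone in this thread). It assumes a Linux /proc and a process owner name such as the cPanel account; besides the exe path it flags two common signs of a disguised process, a binary deleted after launch and an argv[0] that does not match the real executable.

```shell
#!/bin/sh
# Added example: inspect a PID via /proc and report exe, cwd and argv[0].
# Flags (hints for a human, not a verdict):
#   DELETED_BINARY  - /proc/PID/exe ends in " (deleted)": binary removed after start
#   ARGV0_MISMATCH  - argv[0] in cmdline does not match the real exe name
# Assumes Linux /proc; prints "no-proc" where /proc/PID is absent.

inspect_pid() {
    pid="$1"
    if [ ! -d "/proc/$pid" ]; then
        echo "pid=$pid no-proc"
        return 0
    fi
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null || echo "unreadable")
    cwd=$(readlink "/proc/$pid/cwd" 2>/dev/null || echo "unreadable")
    # cmdline is NUL-separated; the first field is argv[0]
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n 1)
    flags=""
    case "$exe" in
        *" (deleted)") flags="$flags DELETED_BINARY" ;;
    esac
    exe_clean=${exe%" (deleted)"}
    exe_base=$(basename "$exe_clean")
    a0=$(basename "${argv0:-?}")
    a0=${a0#-}                      # login shells report "-bash"
    # interpreters often resolve to e.g. php8.1 while argv[0] is "php",
    # so only flag when the exe name does not even start with argv[0]
    if [ -n "$argv0" ] && [ "$exe" != "unreadable" ]; then
        case "$exe_base" in
            "$a0"*) ;;
            *) flags="$flags ARGV0_MISMATCH" ;;
        esac
    fi
    echo "pid=$pid exe=$exe cwd=$cwd argv0=${argv0:-?}${flags:+ flags:$flags}"
}

# Walk every process owned by one account (hypothetical account name as argument).
inspect_user() {
    for pid in $(ps -u "$1" -o pid= 2>/dev/null); do
        inspect_pid "$pid"
    done
}

# Usage: inspect_user someaccount
```

Run it against the account that is pegging the CPU and compare the exe and cwd columns with what the site is expected to run; anything living under /tmp, /dev/shm or a dot-directory deserves a look.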
Go to the cPanel account and then go to CPU and Concurrent Connection Usage - it’ll show you snapshots of processes that are being run when the account is maxing out on CPU. This will be more accurate than what is shown on top and go down to a specific PHP file (if it’s PHP).
From there you can delete whatever it is and then go into WHM and kill the processes on the account, or have the host do it for you.
If it’s a simple html+php website, backup the website, check all files and clean what needs to be cleaned, delete cPanel account, create a new one and upload the clean backup.
In case of WordPress, download the list of plugin/theme names, screenshot all the settings, backup the post and postmeta database tables.
Again, new cPanel account, install a fresh WP installation and recreate the website.
Also make sure to find how in the hell the website was hacked to begin with…
Maybe change to a webhosting that offers Imunify360 like MightWeb, and put the website behind CloudFlare. It’s still hackable but it would throw away any newbies and most likely automated tools too.
Manually deleting files can be hard because malware authors are getting good at hiding things. You’ll want to manually inspect pretty much every file and folder (including hidden files) on the cPanel account. Clamav rarely detects things for me, maybe try CXS scanning the single user. I think you can get a trial if you just want to screen this one account.
Check for any crons
You can use “Process Manager” in WHM to automatically kill all of that user’s processes without needing to hunt down each individual one
If it’s a WordPress site, use Wordfence to find out of place files.
If it’s a WordPress site, re-extract a clean WordPress zip to overwrite all core files and restore their integrity (or any other CMS)
Like Max said, if you have Cloudlinux and are using snapshots you can sometimes find malware running through the cpu tab in cPanel: https://i.imgur.com/4PH3QdT.png
PHP doesn’t spin up one process per request though - that’s prohibitively expensive if you receive a large number of concurrent requests. Most people use PHP-FPM now, which uses a pool of workers to handle requests. Not sure if cPanel uses PHP-FPM, or if it’s still using the PHP Apache module.
I wonder if it’s scraping info about which scripts are being executed by the PHP workers, and correlating the PIDs.