Then go to what should be running, both 'ps' and 'ss' will give you plenty of information. Check /etc/passwd for accounts that shouldn't have shell access. Check /var/log/auth.log for what accounts ...