You can configure WHM to kill any of the following processes and send you an email when it finds one of them. Malicious users may run an IRC bouncer on their shell accounts even though this may be against your policy. WHM detects these processes correctly even if the bouncer is renamed (e.g. to something that appears non-malicious like “pine”, to give the impression that the user is just reading email).
Please check the names of any programs you do not want running on your server; we recommend that you check them all since letting users run IRC bots and servers usually leads to denial-of-service attacks.
Login to your WHM as root & access option System Health » Background Process Killer.
List users that you want the process killer to ignore, one per line, in the textbox. Note that root, mysql, named, cpanel, and users with UIDs below 99 are already considered trusted and do not need to be added to this list.
Our Linux Shared Hosting servers already have these processes disabled for maximum security.