How does a locked user keep running?

2

I have a compromised server, probably a crypto miner or something like that; htop reports this:

30393 geauxsmar  20   0  5328  3984  2540 R 100.  0.1 21h26:45 [sync_supers]

I locked it with:

sudo usermod --expiredate 1 geauxsmar
sudo passwd -l geauxsmar

I killed the process yesterday; I come back the next day and it is running at 100% CPU usage while the user is locked?

The server runs Apache with dozens of outdated Drupal sites (since Drupalgeddon I assume that is how the hackers got into the server, but there is no chance of tracing which site or which file; even after fixing it, they have probably already left backdoors and custom files and injected the databases).

Update:

root@www1 / # ls -al /proc/30393/
total 0
dr-xr-xr-x   9 geauxsmart geauxsmart 0 Apr 29 16:09 .
dr-xr-xr-x 156 root       root       0 Apr 26 11:39 ..
dr-xr-xr-x   2 geauxsmart geauxsmart 0 May  2 08:15 attr
-r--------   1 geauxsmart geauxsmart 0 May  2 08:15 auxv
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 cgroup
--w-------   1 geauxsmart geauxsmart 0 May  2 08:15 clear_refs
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 cmdline
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 comm
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 coredump_filter
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 cpuset
lrwxrwxrwx   1 geauxsmart geauxsmart 0 May  2 08:15 cwd -> /run/shm/.FILE (deleted)
-r--------   1 geauxsmart geauxsmart 0 May  2 08:15 environ
lrwxrwxrwx   1 geauxsmart geauxsmart 0 May  2 08:15 exe -> /usr/bin/perl
dr-x------   2 geauxsmart geauxsmart 0 May  2 08:15 fd
dr-x------   2 geauxsmart geauxsmart 0 May  2 08:15 fdinfo
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 gid_map
-r--------   1 geauxsmart geauxsmart 0 May  1 07:55 io
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 limits
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 loginuid
dr-x------   2 geauxsmart geauxsmart 0 May  2 08:15 map_files
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:09 maps
-rw-------   1 geauxsmart geauxsmart 0 May  2 08:15 mem
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 mountinfo
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 mounts
-r--------   1 geauxsmart geauxsmart 0 May  2 08:15 mountstats
dr-xr-xr-x  13 geauxsmart geauxsmart 0 May  2 08:15 net
dr-x--x--x   2 geauxsmart geauxsmart 0 May  2 08:15 ns
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 numa_maps
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 oom_adj
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 oom_score
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 oom_score_adj
-r--------   1 geauxsmart geauxsmart 0 May  2 08:15 pagemap
-r--------   1 geauxsmart geauxsmart 0 May  2 08:15 personality
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 projid_map
lrwxrwxrwx   1 geauxsmart geauxsmart 0 May  2 08:15 root -> /
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 schedstat
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 sessionid
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 setgroups
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 smaps
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 smaps_rollup
-r--------   1 geauxsmart geauxsmart 0 May  2 08:15 stack
-r--r--r--   1 geauxsmart geauxsmart 0 Apr 29 16:18 stat
-r--r--r--   1 geauxsmart geauxsmart 0 May  1 07:55 statm
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 status
-r--------   1 geauxsmart geauxsmart 0 May  2 08:15 syscall
dr-xr-xr-x   3 geauxsmart geauxsmart 0 May  2 08:05 task
-rw-rw-rw-   1 geauxsmart geauxsmart 0 May  2 08:15 timerslack_ns
-rw-r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 uid_map
-r--r--r--   1 geauxsmart geauxsmart 0 May  2 08:15 wchan

and

root@www1 / # cat /proc/30393/cmdline
[sync_supers]root@www1 / #
by user3108268 02.05.2018 / 14:44

0 answers
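Added example, not part of the question or of any answer on this page: a POSIX sh triage script for the situation described above. The function names (classify_proc, proc_red_flags, preserve_proc, persistence_sweep) and the red-flag heuristics are this example's own choices. It reads /proc/<pid> the same way the question did: a real kernel thread has no executable image, so readlink on its exe entry fails and its cmdline is empty, whereas a process whose cmdline reads [sync_supers] but whose exe resolves to /usr/bin/perl is a user-space process that only renamed itself. Locking the password blocks authentication only; it does not end processes already running as that user, and whether the account expiry also stops cron jobs depends on cron checking the account through PAM, so the sweep at the end lists the places such a job is usually restarted from. The fake /proc directories are constructed for testing only; on the server the functions are pointed at /proc/<pid>.

```shell
#!/bin/sh
# Added triage helpers, not from the original post. Function names and the
# red-flag heuristics are this example's own choices.
#
# A genuine kernel thread has no executable image: readlink on
# /proc/<pid>/exe fails and /proc/<pid>/cmdline is empty. A user-space
# process that merely renamed itself "[sync_supers]" still has a
# resolvable exe link and a non-empty cmdline, which is what the listing
# in the question shows (exe -> /usr/bin/perl, cwd -> a deleted file
# under /run/shm).
#
# Every /proc reader takes the process directory as an argument, so it can
# be pointed at /proc/<pid> or at a constructed fake directory for testing.

# argv[0] from cmdline (NUL-separated). Empty for real kernel threads.
proc_argv0() {
    tr '\0' '\n' 2>/dev/null < "$1/cmdline" | head -n 1 || true
}

# Usage: classify_proc /proc/<pid>
# Prints one of: kernel-thread | masquerading | user-process
classify_proc() {
    dir=$1
    exe=$(readlink "$dir/exe" 2>/dev/null || true)
    argv0=$(proc_argv0 "$dir")
    if [ -z "$exe" ] && [ -z "$argv0" ]; then
        echo kernel-thread
        return 0
    fi
    case "$argv0" in
        \[*\]) echo masquerading ;;  # has an image but wears a kernel-style name
        *)     echo user-process ;;
    esac
}

# Usage: proc_red_flags /proc/<pid>
# One indicator per line; no output means nothing was flagged.
proc_red_flags() {
    dir=$1
    exe=$(readlink "$dir/exe" 2>/dev/null || true)
    cwd=$(readlink "$dir/cwd" 2>/dev/null || true)
    case "$exe" in *' (deleted)') echo exe-deleted ;; esac
    case "$cwd" in *' (deleted)') echo cwd-deleted ;; esac
    case "$cwd" in /run/shm*|/dev/shm*|/tmp*|/var/tmp*) echo cwd-in-tmp ;; esac
    # An interpreter as exe means the payload is a script passed on the
    # (here overwritten) command line, or one already unlinked from disk.
    case "$exe" in */perl*|*/python*|*/sh|*/bash) echo exe-is-interpreter ;; esac
}

# Usage: preserve_proc /proc/<pid> <outdir>
# Capture what is recoverable before killing: the running image (readable
# through exe even when the file on disk was deleted), environment, maps
# and the open file descriptors.
preserve_proc() {
    dir=$1; out=$2
    mkdir -p "$out"
    cp "$dir/exe" "$out/exe" 2>/dev/null || true
    for f in cmdline environ maps status; do
        if [ -r "$dir/$f" ]; then cat "$dir/$f" > "$out/$f"; fi
    done
    ls -l "$dir/fd" > "$out/fd.txt" 2>/dev/null || true
}

# Usage: persistence_sweep <user>
# Where a process for <user> is usually restarted from. passwd -l only
# blocks authentication; it does not stop processes already running as the
# user, and cron/at jobs owned by the user are unaffected by the lock itself.
persistence_sweep() {
    u=$1
    home=$(getent passwd "$u" | cut -d: -f6)
    echo "== processes still running as $u =="
    ps -u "$u" -o pid,lstart,args 2>/dev/null || echo "(none)"
    echo "== crontab for $u =="
    crontab -u "$u" -l 2>/dev/null || echo "(none)"
    echo "== /etc/crontab and /etc/cron.d entries naming $u =="
    grep -rs "$u" /etc/crontab /etc/cron.d || echo "(none)"
    echo "== at jobs =="
    ls -l /var/spool/cron/atjobs /var/spool/at 2>/dev/null || echo "(none)"
    echo "== systemd user units for $u =="
    ls -l "$home/.config/systemd/user" 2>/dev/null || echo "(none)"
    echo "== shell start-up files for $u =="
    ls -la "$home/.bashrc" "$home/.profile" "$home/.bash_profile" 2>/dev/null || echo "(none)"
}

# Stand-alone use: sh triage.sh <pid> [<user>]
if [ "$#" -ge 1 ]; then
    echo "class: $(classify_proc "/proc/$1")"
    proc_red_flags "/proc/$1"
    if [ "$#" -ge 2 ]; then persistence_sweep "$2"; fi
fi
```

Run it as root with the PID from htop and the owning user, e.g. `sh triage.sh 30393 geauxsmart`; run `preserve_proc /proc/30393 /root/evidence` before killing, since the deleted file under /run/shm cannot be read from the filesystem once the process is gone.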