To check the recent mail logs, use:
tail -f /var/log/exim_mainlog
To check whether anybody is spamming by sending mail from a PHP script under home:
tail -f /var/log/exim_mainlog | grep home
To check whether anyone is spamming from /tmp:
tail -f /var/log/exim_mainlog | grep /tmp
If MySQL is causing load, you can check it using the following commands.
root@serverxx [~]# mysqladmin -u root processlist
+----------+--------------+-----------+--------------+---------+------+----------------+------------------------------------------------------------------------------------------------------+
| Id       | User         | Host      | db           | Command | Time | State          | Info                                                                                                 |
+----------+--------------+-----------+--------------+---------+------+----------------+------------------------------------------------------------------------------------------------------+
| 12821547 | leechprotect | localhost | leechprotect | Sleep   |  616 |                |                                                                                                      |
| 12826137 | atmbizha_wp  | localhost | atmbizha_wp  | Sleep   |   29 |                |                                                                                                      |
| 12826322 | graamam_mal  | localhost | graamam_mal  | Sleep   |    1 |                |                                                                                                      |
| 12826362 | graamam_mal  | localhost | graamam_mal  | Query   |    6 | Sending data   | SELECT * FROM jos_phocaguestbook_items WHERE catid = 11 AND published = 1 ORDER BY ordering DESC     |
| 12826369 | graamam_mal  | localhost | graamam_mal  | Query   |    5 | Sorting result | SELECT * FROM jos_phocaguestbook_items WHERE catid = 7 AND published = 1 ORDER BY ordering DESC      |
| 12826371 | graamam_mal  | localhost | graamam_mal  | Query   |    5 | Sorting result | SELECT * FROM jos_phocaguestbook_items WHERE catid = 11 AND published = 1 ORDER BY ordering DESC     |
| 12826438 | graamam_mal  | localhost | graamam_mal  | Query   |    3 | Sorting result | SELECT * FROM jos_phocaguestbook_items WHERE catid = 16 AND published = 1 ORDER BY ordering DESC LIM |
| 12826461 | graamam_mal  | localhost | graamam_mal  | Query   |    1 | Sorting result | SELECT * FROM jos_phocaguestbook_items WHERE catid = 15 AND published = 1 ORDER BY ordering DESC LIM |
| 12826471 | root         | localhost |              | Query   |    0 |                | show processlist                                                                                     |
+----------+--------------+-----------+--------------+---------+------+----------------+------------------------------------------------------------------------------------------------------+
mysqladmin version
root@serverxx [~]# mysqladmin version
mysqladmin Ver 8.42 Distrib 5.5.37, for Linux on x86_64
Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners.
Server version          5.5.37-cll
Protocol version        10
Connection              Localhost via UNIX socket
UNIX socket             /var/lib/mysql/mysql.sock
Uptime:                 21 days 3 hours 58 min 9 sec
Threads: 11  Questions: 319764693  Slow queries: 20120  Opens: 7106938  Flush tables: 1  Open tables: 400  Queries per second avg: 174.860
root@serverxx [~]#
To check whether any backup is running, run the following commands:
ps aux | grep pkg
ps aux | grep gzip
ps aux | grep backup
We can trace the user responsible for high web server resource usage with the following commands:
cat /etc/httpd/logs/access_log | grep mp3
cat /etc/httpd/logs/access_log | grep rar
cat /etc/httpd/logs/access_log | grep wav
etc.
The following command can be used to check for DDoS attacks on the server.
cat /etc/httpd/logs/access_log | grep 408
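The grep above matches "408" anywhere in a line, including byte counts and URLs, not only the HTTP 408 (Request Timeout) status. The following is an added example, not part of the original page: a shell function that counts only responses whose status is 408, grouped by client address. It assumes Apache's combined log format; the function names and the sample log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes Apache combined log format.

# count_408 [LOGFILE]: print "<count> <client>" for responses with status 408,
# busiest client first. Reads stdin when no file is given.
count_408() {
    # Split each line on double quotes:
    #   $1 = client, identity, user and timestamp; $2 = request line;
    #   $3 = status and byte count.
    # A connection that times out before sending a request is logged with the
    # request line "-", so counting whitespace fields ($9) misses those lines.
    # Limitation: a request line containing an escaped quote shifts the fields.
    awk -F'"' '
    {
        split($1, pre, " ")     # pre[1] = client address
        split($3, post, " ")    # post[1] = status code
        if (post[1] == "408") hits[pre[1]]++
    }
    END { for (ip in hits) print hits[ip], ip }
    ' "${1:--}" | sort -k1,1nr -k2,2
}

# Constructed sample lines (documentation address ranges), not real traffic.
# The last two lines contain "408" but were answered with status 200.
sample_log() {
    cat <<'EOF'
198.51.100.7 - - [12/May/2014:10:15:01 +0000] "-" 408 - "-" "-"
198.51.100.7 - - [12/May/2014:10:15:02 +0000] "-" 408 - "-" "-"
198.51.100.7 - - [12/May/2014:10:15:03 +0000] "-" 408 - "-" "-"
203.0.113.9 - - [12/May/2014:10:15:04 +0000] "GET /slow.php HTTP/1.1" 408 - "-" "Mozilla/5.0"
192.0.2.44 - - [12/May/2014:10:15:05 +0000] "GET /page?id=408 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.45 - - [12/May/2014:10:15:06 +0000] "GET /a.mp3 HTTP/1.1" 200 408 "-" "Mozilla/5.0"
EOF
}

# Demo on the sample; on a server: count_408 /etc/httpd/logs/access_log
sample_log | count_408
```

A single address holding many timed-out connections stands out at the top of the output, while a plain grep for 408 would also have counted the two ordinary 200 responses.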