Dear sir,
As a pentester and security researcher, I think this is a hack.
We can cleary see PHP is started without safe_mode with enables dangerous functions such as shell_exec.
The only reason behind encoding with base64 and eval the function is to obfuscate what's running.
Can you paste the full base64 string so I reverse it and see what code is beinng eval'ed ?
As this is showing in htop, it seem to be a really low skilled hacker as someone skilled would have hidden this from the process list. But maybe he's working on making it stealth right now so you should really not wait and speed up before something bad happens.
It might be a cryptoPHP infection.
Please paste me the base64 string this is the most important and it's missing from your description, but this is is clearly a hack.
You should kill this process and make a crontab if it runs automatically again.
Please PM, I would really like to find out what it is and identify what strain of malware lies behind this base64 string. You might be part of a DDOS or spam botnet. I hope for you it's not some kind of crypotPHP infection.
Make sure you have backups of all your files and DONT delete them, it surely started to infect other scripts and a backdoor might have already been put on your server in case you find out this (which you did).
You must find out what was done ASAP.
Regards,