When you say VPS, do you mean a virtual server, running in a virtualisation solution, like KVM?
300% CPU simply means its running on 3 cores at any one time. If its a virtual server, and been allocated 3 cores - if its doing something, all allocated CPUs should be busy, to find out what its doing, youll need to connect to the server, and run top, or ps there.
You can find out what the process is running by listing the exe link in the process directory: if the PID you see in top is 666, then execute
ls -l /proc/666/exe.
That will (or at least should) show a
-> arrow towards a file that you can analyze.
However, the name of the file is random, and that indicates with some confidence that your server has been compromised, and that you need to take immediate corrective actions which are out of the scope of this short answer. The best is to make sure that everything is backed up, and replace the VPS with an up-to-date OS. You want to determine how the intruder got in and make sure the new server does not have the same problem (change password, make sure any services offered to the Internet are secure, etc.)
I would issue
ps -ef and grep for the process. The columns in the
ps output are
UID, PID, PPID, C, STIME, TTY, TIME and
CMD. look at the
PPID column to determine which parent process launched
cER6XH. Re-issue the
ps command and grep for the parent process PID. Eventually, you should find out which binaries are involved and possibly track down which application should be investigated further.
An easier method (depending on how busy your system is) may be the
pstree command, but pipe the output to
less so you can view the pages of info in a sane way.
edit: reading the comment from @Law29: although the process name is a non-standard *nix utility and does look fishy, it's possible that another process you are running created a temporary shell script and forked something. The process name alone isn't a tell-tale sign of a compromise.