Do you allow shell access to others? Remote connections through PHP/Perl? If not, then try to find which process it's coming from, and run some rootkit detection programs. I'd recommend running them anyway.
OK, your box has definitely been compromised. Please do a
ps auxww|grep kjournal
If the owner of this process is root (one kjournald will be, and it will look like [kjournald]), you have no hope and the system will have to be rebuilt. You will need some experience in security to find out what happened. If the owner is not root there is some hope, but you have to do the following:
- Find out how it got there. If the process is owned by the apache user, most likely it was some kind of cross-site scripting attack. Make sure you find out which site is vulnerable and update it. It won't help if you rebuild the system before fixing this site, because there are automated attacks, so your system will be compromised again. lsof is sometimes useful for this kind of problem.
- If the system was not compromised as root, there is no need to rebuild it, but you still have to clean up the mess. See what kind of files the bad process has opened and how it affects your system. For compromises there is no specific cleanup you have to do, since the cleanup is specific to the attack.
- Although this is really bad, you can see it as a good thing, since you will learn a lot from the process if it's your first. Good luck.
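The triage sequence in the answer above (grep the process list, decide by owner, then look at what the process has open with lsof), written out as a small POSIX sh script. This is an added example, not code from any poster in the thread; the ps output embedded in it is constructed so the parsing can be exercised offline, and the function names (suspicious_procs, verdict, triage_pid) are made up for the example. Note that the real kjournald kernel thread appears in brackets, so a non-bracketed "kjournal" binary is what you are hunting for.

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# Triage a suspiciously named process: list candidates from ps, decide by owner,
# then (on a live host) look at what the pid has open. The ps lines below are
# constructed so the parsing can be exercised offline.

SAMPLE_PS='USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 247 0.0 0.0 0 0 ? S Jan01 0:05 [kjournald]
apache 4812 0.0 0.1 2548 1100 ? S 10:22 0:00 ./kjournal
www-data 1201 0.0 0.5 20000 8000 ? S 10:00 0:01 /usr/sbin/httpd'

# Read "ps auxww" output on stdin and print "user pid command" for every process
# whose command matches $1 but is not a real kernel thread (those show as [name]).
suspicious_procs() {
  awk -v pat="$1" 'NR > 1 && $11 ~ pat && $11 !~ /^\[/ { print $1, $2, $11 }'
}

# Map the owner of the bad process to the verdict given in the thread.
verdict() {
  case "$1" in
    root) echo "root-owned: assume full compromise, rebuild the host" ;;
    *)    echo "owned by $1: clean up, then find and fix the entry point before going live" ;;
  esac
}

# Live host only: where the pid runs from and what it holds open. Uses /proc and
# lsof, so it does nothing useful with the constructed sample above.
triage_pid() {
  pid="$1"
  [ -d "/proc/$pid" ] || { echo "pid $pid is not running here"; return 1; }
  ls -l "/proc/$pid/exe" "/proc/$pid/cwd"   # binary path (possibly deleted) and working dir
  lsof -p "$pid"                            # open files, sockets, logs it writes
}

# Demo against the constructed sample; on a real box run instead:
#   ps auxww | suspicious_procs kjournal
printf '%s\n' "$SAMPLE_PS" | suspicious_procs kjournal | while read -r user pid cmd; do
  echo "$cmd (pid $pid) -> $(verdict "$user")"
done
```

On a real box, feed `ps auxww` into suspicious_procs and pass each pid it reports to triage_pid; the /proc/PID/exe link is worth checking first, because a deleted or oddly located binary tells you where the attacker staged files before lsof shows you what it is talking to.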
As an important side note, simply deleting folders/files won't make your problems go away. If they got there to begin with, you need to keep tracing the problem back to its source, not just clean up its work.
You did notice the directory where the files were, right?
Considering nothing will create this directory by itself, it was created during the compromise. So, somehow, someone was able to create a directory inside /usr/lib.
So even if the process is not running as root, it is a sure bet that at some point the compromise involved privileged (root) access.
Do you know how many servers I have seen that have had poor permissions, or permissions changed on a directory in an attempt to "fix" a problem? Without more information we cannot give a definite answer as to whether it was root-compromised or not.
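A quick way to settle the disagreement in the last few posts (new directory under /usr/lib implies root, versus a sloppy chmod that let a non-root user create it) is to check the permissions on the parent directories. The script below is an added example, not code from anyone in the thread; weak_dirs and parent_is_weak are names made up here, and it assumes a find that accepts -maxdepth (GNU or BSD).

```shell
#!/bin/sh
# Added example for this thread, not code from any of the posters.
# If the parent of the rogue directory is writable by group or others, a non-root
# process could have created it and the directory alone proves nothing about a
# root compromise. If every parent is root-owned and 755, the other posters'
# point stands and you should assume privileged access was involved.

# Print every directory under $1 that is group- or world-writable.
weak_dirs() {
  find "$1" -type d \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null
}

# True (exit 0) if the parent directory of $1 is writable by group or others,
# i.e. an unprivileged user could have created $1 there.
parent_is_weak() {
  parent=$(dirname "$1")
  [ -n "$(find "$parent" -maxdepth 0 -type d \( -perm -g+w -o -perm -o+w \) -print 2>/dev/null)" ]
}

# Usage on the compromised host, where ROGUE is the directory you found:
#   ls -ld /usr/lib ROGUE            # owner and mode of the parent and the directory
#   weak_dirs /usr/lib               # any writable directories in the tree at all?
#   parent_is_weak ROGUE && echo "non-root creation possible" || echo "parent is tight: assume root"
```

Pair the result with `ls -ld` on the rogue directory itself: a directory owned by apache under a 755 root-owned /usr/lib is the contradiction that tells you the web server did not create it by normal means.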