Originally Posted by Calibur747
WHM shows one at the following:
PID 412 (kjournald)
PID 1441 (kjournald)
PID 1491 ([kjournald]) /usr/lib/sshdlib/[kjournald /usr/lib/sshdlib
First, stop using WHM for this kind of thing. It is almost useless.
And yes, your host is compromised.. 412 is the real kjournald process.
You will also notice (if you use "ps auxww") that the real kjournald not only had a low pid, but it also has 0 RSS and VSZ.
/usr/lib/sshdlib/ ? Good bet you have some trace of the backdoor there, but not 100% sure. It can be anywhere.
So, in a nutshell, you are still compromised. And if the process has access to /usr/lib,
then you better rebuild your box from scratch, cause ... well, it is not your box anything. It is the hacker's.