A successful CSF login will have a subject something along the lines of this:
lfd on <hostname>: SSH login alert for user <user> from <ip>
However, if the login fails a number of times, the subject would be this:
lfd on <hostname>: blocked <ip>
Therefore from the OP's post, it sounds like it was the former here.
If I were you, the first thing I would do is run chkrootkit or similar to try and determine if the server has been compromised or not.
I would also recommend checking your /etc/passwd file to make sure that there are no users with shell access there that should not have it.
It may also be worthwhile checking what happens when /usr/local/cpanel/bin/noshell is executed, because there is always the possibility that it may have somehow been replaced with a working one.
Hope this helps.
madaboutlinux has posted some very useful suggestions above too, definitely check them out.
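
The /etc/passwd check suggested in the post above can be scripted; this is an added example, not part of the original post. The list of non-login shells other than /usr/local/cpanel/bin/noshell is an assumption about common defaults, and the sample passwd data is constructed.

```shell
#!/bin/sh
# Audit passwd-format data (read from stdin) for accounts that can get a shell.

# Shells that do not give an interactive login. The noshell path is the one
# named in the post; the rest are common defaults (assumption, adjust to taste).
NOLOGIN_SHELLS="/usr/local/cpanel/bin/noshell /sbin/nologin /usr/sbin/nologin /bin/false /bin/sync /sbin/shutdown /sbin/halt"

# Prints "user uid shell" for every account whose shell is not in
# NOLOGIN_SHELLS. An empty shell field is treated as /bin/sh, which is
# how login handles it.
list_shell_users() {
    awk -F: -v deny="$NOLOGIN_SHELLS" '
        BEGIN { n = split(deny, d, " "); for (i = 1; i <= n; i++) no[d[i]] = 1 }
        /^#/ || NF < 7 { next }
        {
            sh = ($7 == "" ? "/bin/sh" : $7)
            if (!(sh in no)) print $1, $3, sh
        }
    '
}

# Prints the names of UID 0 accounts other than root: a second superuser
# entry deserves an explanation.
list_extra_root() {
    awk -F: '!/^#/ && NF >= 7 && $3 == 0 && $1 != "root" { print $1 }'
}

# Constructed sample data, not taken from any real server.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mailuser:x:1001:1001::/home/mailuser:/usr/local/cpanel/bin/noshell
siteadmin:x:1002:1002::/home/siteadmin:/bin/bash
toor:x:0:0::/root:/bin/sh
ftponly:x:1003:1003::/home/ftponly:/bin/false
EOF
}

# Demonstration on the sample; on a server use: list_shell_users < /etc/passwd
echo "Accounts with a login shell:"
sample_passwd | list_shell_users
echo "UID 0 accounts other than root:"
sample_passwd | list_extra_root
```

This only reports the shell each account is configured with; it does not tell you whether the noshell binary itself has been replaced, so that still needs checking separately (for example against a known-good copy).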