Bruteforce from localhost?

[zEitEr]

Good day!

I've got a message from Directadmin on my FreeBSD box:

A new message or response with subject:

*** 127.0.0.1 has been added to the ip_blacklist file ***

But, i'm sure to have 127.0.0.1 in the /usr/local/directadmin/data/admin/ip.list

Is that a bug or someone's joke?
I've opened /var/log/directadmin/security.log.
Will you believe me, if i say, that there was 16010 lines of:

2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33286 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33287 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33288 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33289 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33290 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33291 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33292 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33293 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33294 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33295 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33296 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33297 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33298 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33299 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33300 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33301 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33302 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33303 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33304 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33305 times, unsuccessfully, this time into admin's account ***
2008:04:11-12:18:01: 127.0.0.1 has tried to log in 33306 times, unsuccessfully, this time into admin's account ***

21 tries per one second! That's the first time, i've ever seen such a thing.
That's not a script running with apache, i've tried to halt apache - that did not help.

netstat -a | grep LISTEN does not show any suspicious daemons.
rkhunter does not find anything unusual.

I've changed port 2222 to another, and removed Alias configure from httpd.conf.

What can it be? Rootkit? Or just a bug?
Will you help me to solve the problem?

 

[zEitEr]

Found.
It was a script running with cron.