I suspect one of my users has some exploited software on their site. My system is being rooted.

I have a startup script for root that emails me when root logs in. It is being triggered.

I do not have the expertise to find and remove this. Is there anyone on these boards who I can hire to help me out?

Please send a PM or reply to this if you can, .. or if you recommend anyone for this type of service.

I think that the general consensus amongst administrators is that once a system has been rooted/exploited/compromised the way you can be 100% sure of the system being clean is to backup your data and start afresh. However, in the mean time i suggest that you reset the root pw and check who has access to root aka who is in the 'wheel' group (check /etc/group).

I am a security analyst and can help you find the exact vulnerability, tell you who used it and how to fix it, and finally teach you at least how to upgrade you system periodically in order to avoid being vulnerable to well known exploits.

After that, I strongly suggest a fresh install of the entire system.

You may contact me temporarily on tillo.mirtillo@gmail.com, my personal email address is migrating and I may not receive the message.

I know that in this forum there are others consultants who may be happy to help you, probably floyd or smtalk.