LinuxQuestions.org

-   -   Hackers (https://www.linuxquestions.org/questions/linux-security-4/hackers-220270/)

Capt_Caveman 08-25-2004 06:48 PM

You can do a search of the file system for files owned by those users with:
find / -user <username>

Running the rpm verification command should let you know which packages (including init) have been modified.

However, it's pretty safe to say that the system has been compromised and will need to be completely reformatted and re-installed from trusted media (not from a backup).
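An added example, not part of the original posts: a small triage filter for the package verification output mentioned above. It assumes the verification command is `rpm -Va`, which the post does not spell out, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: triage the output of `rpm -Va` (verify all installed packages).
# Each output line is: <flags> [c|d|g|l|r] <path>, or "missing [type] <path>".
# Flag letters: S size, M mode, 5 digest, U owner, G group, T mtime.

# Constructed sample input, not taken from any real system.
sample_rpm_va() {
cat <<'EOF'
S.5....T c /etc/sysconfig/iptables
S.5....T   /sbin/init
.M......   /bin/ps
missing    /usr/bin/lsattr
.......T d /usr/share/doc/foo-1.0/README
EOF
}

# Reads `rpm -Va` output on stdin and prints "<LABEL> <path>" for findings
# that need a look. Config/doc/ghost files are skipped because they
# legitimately change after install.
triage_rpm_verify() {
    awk '
    {
        flags = $1
        type = (NF >= 3 && $2 ~ /^[cdglr]$/) ? $2 : ""
        path = $0
        sub(/^[^ ]+ +([cdglr] +)?/, "", path)   # keep paths with spaces intact

        if (flags == "missing")        print "MISSING " path
        else if (type != "")           next
        else if (index(flags, "5"))    print "CONTENT " path   # digest differs
        else if (flags ~ /[MUG]/)      print "PERMS " path     # mode/owner/group
    }'
}

sample_rpm_va | triage_rpm_verify
```

On a real system, pipe the saved verification output into `triage_rpm_verify` instead of the sample.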

masand 08-26-2004 01:00 AM

Hi,

Come on, get working with Tripwire fast.
This will help with your problems, or you need to keep looking out for these users logged in more often from the command you used:
who -u with both utmp and wtmp. utmp will tell you about current users, wtmp contains the log.

Regards

chrism01 08-26-2004 06:52 AM

Capt_Caveman is correct. You need to do a full install from scratch, then add in Tripwire (which is on the RH9 CD 3), set up your firewall (iptables) carefully.
Then test against it using nmap (also on RH9 CD 2). Then download www.chkrootkit.org and set it to run via cron. Tripwire should have installed in cron automatically.
Check which services are running via menu: System Settings | Server Settings | Services and turn off all the ones you don't need. Do this immediately after the install.
Check if anything is needed running under xinetd.
Always use ssh/scp/sftp, never telnet, ftp, r* cmds.
HTH


All times are GMT -5.