it's a MySQL database.
He was provided with root access to set everything up. Since then, I've deleted openfire, created a fresh install, and changed all root/db/cpanel passwords.
Is there something he could have installed while he had root access that would constantly attack any openfire installation?