Hi There, We have a number of servers running 8.2. One of them was recently hacked. We noticed that an IFRAME-tag was added to a few index.html files. This IFRAME-tag sends a URL to the client and forces the client to download malware from another server. It seems they tried to exploit a IE vulnerability this way. Further, the global PHP.INI was edited. The option 'auto-append' was set to '/etc/.app'. This file (.app) contains the same URL as the IFRAME-tag. This results in a behaviour that clients are getting awful pop-ups every time they request a php page. The file dates and times of the changed files were all lying in a small time frame of about 10 minutes. We didn't find anything unusual in the system logs etc. The only remarkable finding is that /USR/SBIN/CRON has been changed. It is 28024 bytes and its date and time is March 7, 00:55 hrs. (On our other servers (same OS version) this file is 23928 bytes and dated March 14, 2003.) Of course I googled but didn't find very much. This URL describes a 6KB worm on BSD-systems: http://craiu.pcnet.ro/papers/papers/exsee.html, but i doubt whether this is the cause in my case. At the time of the hack we were using: Apache 1.3.28 and 1.3.29 PHP 4.3.2 Cvsd 0.9.20 Openssl 0.9.6i Suse auto_update Webmin 1.131 - Is there anyone who knows more about this? - How can I see which code (worm) is added to the file CRON? - Does CVSD has any specific weaknesses which can be related to this? Thanks in advance for you help, Jeroen