I have two rather new RH7.3 servers, which I installed without any patches (dumb -- had never installed patches before). A couple of weeks ago both got infected with [different] strains of the Cinik (mod_ssl) worm. On machine "A" I shut down Apache for about a week, and left "B" running.

On 10/5/02 I downloaded and installed RH patches for apache, bind, glibc, openssh, openssl, php and mod_ssl on both machines. I deleted the cinik stuff from /tmp. Machine "B" has been worm-free since. Cinik reappeared on machine "A" overnight last night -- process running and the usual suspect files back in /tmp.

I happened to look in /var/log/cron (on the subject of cron I am rather clueless) and saw the following suspicious entries in the time frame when I believe the worm reappeared:

Oct 13 05:20:00 archive3 CROND[25572]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:20:00 archive3 CROND[25573]: (root) CMD (/usr/lib/sa/sa1 1 1)
Oct 13 05:25:00 archive3 CROND[25577]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:26:34 archive3 crontab[25622]: (apache) REPLACE (apache)
Oct 13 05:27:00 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:27:29 archive3 crontab[25630]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25635]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25640]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25645]: (apache) REPLACE (apache)
Oct 13 05:28:01 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:30:00 archive3 CROND[25666]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:30:00 archive3 CROND[25667]: (root) CMD (/usr/lib/sa/sa1 1 1)
Oct 13 05:35:00 archive3 CROND[25670]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)

Any suggestions as to what the log entries mean (i.e. who did what to Apache?), and why cinik has reappeared? Also, can someone point me towards a resource about cron so that I may become less clueless?

Thanks,
Dick
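
An added example, not part of the original post: a short Python filter that pulls crontab modification events out of a log like the one quoted above, so that edits made by a daemon account stand out from routine job runs. The account list and the names SERVICE_ACCOUNTS, CHANGE_ACTIONS, crontab_changes and summarize are assumptions for illustration; the sample lines are copied from the post.

```python
import re
from collections import Counter

# Vixie-cron log line: "Oct 13 05:26:34 host prog[pid]: (user) ACTION (detail)"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+(?P<host>\S+)\s+"
    r"(?P<prog>[\w.-]+)\[(?P<pid>\d+)\]:\s+\((?P<user>[^)]+)\)\s+"
    r"(?P<action>[A-Z ]+?)\s+\((?P<detail>.*)\)\s*$"
)

# Assumption: daemon accounts that are not expected to run crontab(1).
SERVICE_ACCOUNTS = {"apache", "nobody", "httpd", "www-data"}
# Logged by crontab(1) when a table is edited; CMD is only a job running.
CHANGE_ACTIONS = {"REPLACE", "BEGIN EDIT", "END EDIT", "DELETE"}

# Subset of the log lines quoted in the post above.
SAMPLE = """\
Oct 13 05:25:00 archive3 CROND[25577]: (root) CMD (/usr/bin/mrtg /etc/mrtg/mrtg.cfg)
Oct 13 05:26:34 archive3 crontab[25622]: (apache) REPLACE (apache)
Oct 13 05:27:00 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:27:29 archive3 crontab[25630]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25635]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25640]: (apache) REPLACE (apache)
Oct 13 05:27:29 archive3 crontab[25645]: (apache) REPLACE (apache)
Oct 13 05:28:01 archive3 crond[858]: (apache) RELOAD (cron/apache)
Oct 13 05:30:00 archive3 CROND[25667]: (root) CMD (/usr/lib/sa/sa1 1 1)
""".splitlines()

def parse(line):
    """Split one cron log line into named fields, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def crontab_changes(lines, accounts=SERVICE_ACCOUNTS):
    """Return events where a listed account ran crontab(1) to change a table."""
    hits = []
    for ev in filter(None, map(parse, lines)):
        if (ev["prog"] == "crontab" and ev["action"] in CHANGE_ACTIONS
                and ev["user"] in accounts):
            hits.append(ev)
    return hits

def summarize(hits):
    """Count changes per (user, timestamp) so same-second bursts stand out."""
    return Counter((h["user"], h["ts"]) for h in hits)

if __name__ == "__main__":
    for (user, ts), n in sorted(summarize(crontab_changes(SAMPLE)).items()):
        print(f"{ts}  {user}: {n} crontab change(s)")
```

On a live host, pass the lines of /var/log/cron in place of SAMPLE.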