After several years with no problems, my server was apparently recently hacked.
The server has several FrontPage web sites, and each of those sites had the
following code inserted into the home page ...
<iframe width="0" height="0" src="http://www.mysurfhits.com"></iframe>
<iframe width="0" height="0" src="http://www.upperhits.com/index.php?id=onlyu"></iframe>
<iframe width="0" height="0" src="http://www.itsptp.com/promote.php?uid=4027"></iframe>
<iframe width="0" height="0" src="http://www.pay-ads.com/ads.php?usr=onlyu"></iframe>
<iframe width="0" height="0" src="http://neoffic.com/t/?id=onlyu"></iframe>
<iframe width="0" height="0" src="http://dxptp.com/ptp.php?usr=onlyu"></iframe>
This looks like it is intended to benefit "onlyu", who is probably an affiliate of four
of the listed sites.
I removed the code and changed the password to the server. But a few days later this
code reappeared ...
<iframe height="0" width="0" src="http://www.upperhits.com/index.php?id=onlyu" name="I1"></iframe>
<iframe height="0" width="0" src="http://www.pay-ads.com/ads.php?usr=onlyu" name="I2"></iframe>
I changed the password again and removed several users from the list of users
on the computer. But a few days later this code appeared ...
<iframe width="0" height="0" src="http://www.upperhits.com/index.php?id=kingbox88"></iframe>
<iframe width="0" height="0" src="http://www.pay-ads.com/ads.php?usr=kingbox88"></iframe>
Comparing the three groups of code, I'd say it was done by a human and
not some sort of Trojan bot.
Does anyone have experience with this particular problem, or general
advice about how to deal with it?
Thomas T
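
A defensive check for the situation described above, as an added example that is not part of the original post: a Python scan of a web root for zero-size iframes that load from another host, so a reinsertion is noticed soon after it happens. The function names, the file extensions and the sample page are assumptions; the two hidden iframe tags in the sample are copied from the post.

```python
import os
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qsl

def _is_zero(value):
    """True for a zero dimension such as '0', '0px' or '0%'."""
    return (value or "").strip().lower() in {"0", "0px", "0%"}

class HiddenIframeFinder(HTMLParser):
    """Collects (line, host, query params) for zero-size off-site iframes."""
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        if not (_is_zero(a.get("width")) or _is_zero(a.get("height"))):
            return
        url = urlsplit(a.get("src") or "")
        if url.netloc:  # frame content comes from another host
            params = dict(parse_qsl(url.query))
            self.hits.append((self.getpos()[0], url.netloc.lower(), params))

def scan_html(text):
    finder = HiddenIframeFinder()
    finder.feed(text)
    finder.close()
    return finder.hits

def scan_tree(root, exts=(".htm", ".html", ".asp")):
    """Return {path: hits} for every page under root that has a hit."""
    report = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(exts):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    hits = scan_html(fh.read())
                if hits:
                    report[path] = hits
    return report

# Constructed sample page; the two hidden iframe tags are copied from the post.
SAMPLE = """<html><body>
<h1>Home</h1>
<iframe width="600" height="400" src="/local/map.htm"></iframe>
<iframe width="0" height="0" src="http://www.upperhits.com/index.php?id=kingbox88"></iframe>
<iframe height="0" width="0" src="http://www.pay-ads.com/ads.php?usr=onlyu" name="I2"></iframe>
</body></html>"""
```

Run on a schedule against the web root, the time of the first new hit narrows the window of server and FrontPage logs worth reviewing for the change.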
