jdMorgan - 8:04 pm on Apr 25, 2011 (gmt 0)

"(Several) hours later" sounds like a hack. Contact your host, and look for unknown scripts buried in both "unknown-to-you" and familiar directories. Compare filesizes and creation dates of all of your scripts to the original backups that you've kept separately. If the filesizes and dates don't match, that script may have been modified.

The first step is to stop the intrusions -- close the hole that allowed malicious users to get in to your server. Change all "webmaster and admin access" passwords, update all commercial scripts to the latest patch level. The second step is to replace the hacked code. Doing this in reverse order is not useful.

Jim