Aw, screw it. I had this happen about six weeks ago; something got into my site and inserted a forwarding code onto multiple pages.
Now I’ve gotta go back through and fix each page. On the plus side, it looks like it hasn’t been this way for long; the WebFTP says everything was changed “Apr 25 03:06,” so it’s only been a day.
What’s aggravating is that I changed passwords last time, and it’s only hitting main directory pages for one URL, so I don’t know how the code is getting in. I remember reading that a lot of sites using WordPress software suffered the same attack, so I’ll search that out again after I clean up the pages.
Yep, looks like I’m not alone.
http://blog.sucuri.net/2011/04/mass-infections-globalpoweringgathering-com.html
“We first detected malware from globalpoweringgathering.com almost a month ago, and posted on our blog about it. But just on the last few days, we started to see a big increase in the number of sites infected with it.”