One time the hosting provider got compromised, FTP server exploit IIRC, they ran a recursive search and replace from root directory of the server.