Hi @fsf,
In addition to the excellent advice above (thanks all!) – in my experience, the likeliest cause for this is a malicious modification to your server side PHP code. Have a look e.g. at this thread.
The most common way for hackers to do things like this is to leverage an improperly configured files_dir (see config.inc.php). If your files_dir points to something inside the web root, that’s probably what was used to modify your PHP code.
Regards,
Alec Smecher
Public Knowledge Project Team