.
Hmmmm. . . there is a hack going around which has not yet been fully explained.
At first it was thought to be only WordPress sites, then added Joomla sites, and now it appears it is not related to the specific application but the hosting service.
They gain access to the website and add some code to every file, and then delete their tracks.
Have you found any odd files or modified files?
The files have base64 encoded code so a search for "base64_decode" finds the code.
Some users have downloaded all their website files and run a search locally within those files.
Since it is actually a server hack, your example URL would seem to fit.
Appears they are actually trying to get access to the server.
This is being discussed in the Joomla security forum, and on the WordPress website, and on some security websites (
blog.sucuri.net/
).
It may be related to a hosting configuration.
GoDaddy and a couple others have been particularly hard hit.
But this still does not explain the one row deleted from the database.
.