Logins are flaky too, particularly at the root page. I suggest that you check all of the index.php and other php scripts within the folders on the server. It's likely to have been a JavaScript code injection that's edited some of the php files to include the redirect.
Script kiddies, eh?