I traced some suspicious requests in my server logs to a malicious php file in my coppermine folder.
Long story short; when I recently had to sanitize my site after a hack, I apparently missed some infected files because while making a local backup of all the files on my webspace, my virus protection was quietly quarantining several files containing viruses. So, these malicious files didn't show up in diff viewer, and I didn't notice and remove them on my site.
This is just to point out the need to keep this in mind when sanitizing. Make sure your virus protection alerts you to incoming threats, or check its logs. Maybe this is worth adding to the very helpful sanitizing thread: http://forum.coppermine-gallery.net/index.php/topic,51927.0.html (http://forum.coppermine-gallery.net/index.php/topic,51927.0.html)