I just got a notice from my host that the tp/geoip.inc file had been attacked and the base 64 injection on them so I'd suggest taking a close look. I've been unable to run the full clean and lock procedure up until now so that explains why mine happened, unsure about your situation.