Didn’t upgrade WordPress fast enough. Someone installed some code to serve up landing pages for Canadian penis enlargement cures (no I didn’t make that up) and other spam. All cleaned up and fixed now of course, but I just wanted to say:
grep canada /var/log/nginx/iapf_access.log | grep -c penis
Ugh, what a PITA. They must of back doored about 50 files. Hopefully it’s all cleaned now.