[eluser]Pascal Kriete[/eluser]
Have you informed your hosting provider of these events? They may be able to help determine what happened.
The changes you describe don't sound malicious, so the first thing I would is talk to everyone who has write access for this file.
However if you think someone did this with malicious intent, there are some basic steps you can follow.
Firstly, I would highly suggest following Damian's advice in changing passwords.
Secondly, make sure that the webserver does not have write permissions for the file - it only needs to read it.
Then go through you old scripts, if you have any, and assess if they can be upgraded (old forum or blogging software, etc). Don't leave unused software in the webroot.
Lastly, I would do some basic due diligence on the security of your CI app. There are no known exploits of this type in any past versions of the framwork, but that does not make your own code immune.
Let us know what you find out, please.