[eluser]Johan André[/eluser]
If you looked over the overall security of your server make sure you checked these:
1. Never let people upload files without checking the mimetype. Reject everything except images for example.
2. Be sure to use Active Record for your queries, or do a "manual" clean of the _POST and _GET-array.
3. Move the system out of the webroot.
4. Set the right permissions on things. While developing some people sets the directory permissions WAY to kind.
5. Don't use an account with root-permissions (www or mysql) in your code.
In your case it sounds like someone got access to your server, since it's very hard to change the index.php file in a normal installation of CI.