Just in case anyone has come accross this - one of my wordpress installations has been hacked. There was a hacker message on the front page.
The index.php file had been modified, also the wp-login.php file and there was an extra file called "fake.php". I've removed all these and replaced them with backups. All appeared to be good.
ALL the admin passwords had been changed. I logged into phpMy admin and changed them all. I changed my DB user, password, FTP access and the wp-config file, upgraded to the latest version of WP, but the admin passwords STILL get changed every time one of the admins logs in successfully. But ONLY the user logging in has their password changed.
I think I am going to need to do a ground-up re-install unless anyone else has a clue?