• I started getting complaints from some authors of blogs I manage that MarsEdit (a Mac tool for editing posts) was reporting parsing errors and not able to post messages. We’ve seen this before, so I immediately went to the xmlrpc.php files on the affected blogs and found that, indeed, they had all been replaced with a version “last modified on” 10/4/08. The odd thing is that we had done no updating on that day (or the week before or days since).

    The new xmlrpc.php file included a version of line 27 with a call to mysql_escape_string. As in the past, I simply replaced this version of the file with another I have dating from 9/8/08 and all is fine.

    But how and why does the xmlrpc.php file change without our intervention? I would think that this is a compromise of our filesystem except that the edit is so innocuous and it happens to the same file across many WordPress installations on our server. Seems like an odd kind of vandalism.

    I also have no idea which version of the file WordPress considers “current”. This file has no version number in the text, so I can’t tell which one “should” be present in v.2.6 of WordPress.

    Any hints out there? Does anyone know whether xmlrpc.php on WordPress 2.6 is supposed to have mysql_escape_string on line 27? Does anyone have any idea whether WordPress installations can update files like this one “on their own”? Can anyone think of a significance to the 4th day of the month (the same thing seems to have happened for the last few months, always with versions of xmlrpc.php dated on the 4th day of that month)?

    I’m stumped!
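    The manual check described in the post above (open each blog's xmlrpc.php, look at its modification date and at line 27) can be run across every installation at once and compared against a known-good copy. This is an added example, not part of the original post and not WordPress code; the function names, the directory layout and the sample files built by `build_demo` are constructed assumptions.

```python
import hashlib
import os
import tempfile
import time

def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def audit_xmlrpc(web_root, reference_path, marker="mysql_escape_string", line_no=27):
    """Compare every xmlrpc.php under web_root with a known-good reference copy."""
    good = sha256_of(reference_path)
    findings = []
    for dirpath, _dirs, files in os.walk(web_root):
        if "xmlrpc.php" not in files:
            continue
        path = os.path.join(dirpath, "xmlrpc.php")
        with open(path, "r", errors="replace") as fh:
            lines = fh.read().splitlines()
        findings.append({
            "path": path,
            "matches_reference": sha256_of(path) == good,
            "modified": time.strftime("%Y-%m-%d", time.localtime(os.path.getmtime(path))),
            # True when the marker string sits on the line the post mentions
            "marker_on_line": len(lines) >= line_no and marker in lines[line_no - 1],
        })
    return sorted(findings, key=lambda f: f["path"])

def build_demo(root):
    """Constructed sample tree: one untouched install, one with line 27 changed."""
    clean = ["<?php"] + [f"// line {n}" for n in range(2, 31)]
    changed = list(clean)
    changed[26] = "$v = mysql_escape_string($v); // constructed stand-in for line 27"
    ref = os.path.join(root, "known-good", "xmlrpc.php")
    blog_a = os.path.join(root, "sites", "blog_a", "xmlrpc.php")
    blog_b = os.path.join(root, "sites", "blog_b", "xmlrpc.php")
    for path, body in ((ref, clean), (blog_a, clean), (blog_b, changed)):
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("\n".join(body) + "\n")
    stamp = time.mktime((2008, 10, 4, 12, 0, 0, 0, 0, -1))  # constructed mtime
    os.utime(blog_b, (stamp, stamp))
    return os.path.join(root, "sites"), ref

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        web_root, ref = build_demo(tmp)
        for f in audit_xmlrpc(web_root, ref):
            status = "OK" if f["matches_reference"] else "CHANGED"
            print(f"{status:8}{f['modified']}  line27_marker={f['marker_on_line']}  {f['path']}")
```

    Modification times can be set by whoever writes the file, so the hash comparison is the reliable signal and the date is only a hint.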

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘xmlrpc.php mysteriously replaced’ is closed to new replies.