Thanks for the replies! I looked at the .htaccess file and removed the first block, everything before < # BEGIN WordPress >. It seems that solved the issue.
Still unusual that none of several malware scanners picked up anything!
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^file\/[a-zA-Z0-9]+\/[0-9]+.html$ file [L]
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteRule ^([a-zA-Z0-9]+)-(.*)-([0-9]+)\.cgi$ file.php?$1=$2-$3 [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [L]
</IfModule>
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ – [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
