So, the site was indeed hacked, which is presumably where those redirects came from. The hack consisted of a fake admin user and a number of modified or added php files. I’ve removed the fake user and manually searched the files to delete them. I’ll be keeping an eye on my logs and the user lists to make sure it doesn’t come back.