I see there is something called tracker.php redirected from a malicious IP.

I downloaded my archives from the server and see no references to that thing, so either my server is injecting it, or something is injecting it while the page is being transfered, does any of these make sense?