After some searching I discovered that the header.php had been hacked with some malware. It added scripts beginning at line 24. I found a clean copy of header.php to see how it should look, and carefully edited out the javascript code. Once I saved it the site came back.