It appears that you are the victim of a cross site scripting attack. Specifically a "SQL injection attack". The hacker just types in a block of code then hits a form submit button to put it into your database. When the database next executes the page, it loads the code and you're done.
Check your database for the following (minus the quotes):
"script"
"update"
"insert"
Most forums and many other sites that rely on databases use a bit of code to parse code from submitted input.
You might also check to see that any pages that allow users to upload html tags and apply any available security updates that will sanitize user input fields prior to writing them to the DB.
Here are some resources that might prove helpful:
SQL Injection Attacks by Example
SQL Injection - Use a SQL Injection Scanner to Fix It
hackademix.net » Mass Attack FAQ
How To: Protect From SQL Injection in ASP.NET
Here's a good read that has tons of resource links:
Sql Injection virus problem.
Good Luck!