I ran into this site that is keeping a list of the sites hosting the scripts used to attack your site. The user tries to get your site to run a script located on one of these sites and once it does he can take over your site.
The hacking is explained here http://www.whyron.com/http.htm
List is here http://www.whyron.com/http0.htm
You should add the domains from this list to the hackers.txt file in MMAUTOBAN to users attempting to inject these scripts on your server.