@psionstorm. Gotta start your forensics somewhere. Get back your site and roadblock visitors to an under-maintenance banner, because the hack will come back and you don't want to be a carrier (or have Google or other sites decide to block access to you).
I can't find the door either. Clean site and clean DB and the attack reoccurred this morning. I don't get it. I have the usual hardening as mentioned in those "harden your site" suggestions.
Funny thing about the siteurl though is that it looks like splash overrun from a neighboring SQL variable... like the injection did not go as planned, which is why the site breaks. I mean, who puts HTML in the siteurl dbase var? It screwed up everything so it obviously served no purpose for the attacker.
At this point, I hired a security service that is familiar with WordPress and they scrubbed all files and the dbase but did not find any backdoor. Apart from two things, the service largely agreed that the site was well hardened.
1) I do not have an SSL/HTTPS-protected login.
2) I do not use .htaccess to password-protect the /wp-admin area. Which is on purpose, as how else do users use my forum or comments section if I require some global master password?
Network Solutions swears they are fantastic and nothing is wrong with the server itself. In fact, if you mention WordPress, suddenly ANYTHING is not their fault. Even if ping isn't working.
So I dunno. We are studying logs now and we play the wait game. Gotta find the door.