The script tag was in the source view. My PostView.ascx is NOT modified in any way.
BTW, I did find where the script tag is located. The entirety of it is in the "SettingValue" column in the be_Profiles table, where the "UserName" is "filip" (my username), and the "SettingName" is "displayname".
Before, I didn't realize that the script tag was there because SSMS was not displaying the entire contents of the column in results view. I was able to copy directly from the cell in SSMS, and this is what I got:
// Edit: Removed script since it exposed a flaw.
I'm still unclear on how the attackers were able to modify my "displayname" in the database. I'm guessing there is some kind of flaw which allows a remote user to update the database (or at least the be_Profiles table) without being logged in. In fact, I'm pretty sure that they can't update the Users table, as it appears that they're attempting to create a User w/ the script that they injected.
I'm guessing that if I had actually logged in to my website as an admin, their script would have been successful in creating the user. However, since I accessed my site as a guest, I got a prompt which requested my username/password.
BTW, I'm running BE 3.0 atm.
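
An audit query for the situation described in the post above, added here as an example and not part of the original post or of BlogEngine.NET: it lists profile settings that contain markup or are unusually long, and reports the full stored length so a truncated SSMS grid cell cannot hide the value. The table and column names are the ones given in the post; the patterns and the 100-character threshold are assumptions to tune.

```sql
-- Added example (T-SQL). be_Profiles, UserName, SettingName and SettingValue
-- are the names given in the post; the match patterns and the length
-- threshold are assumptions, not BlogEngine.NET rules.
SELECT
    p.UserName,
    p.SettingName,
    LEN(v.Val)       AS ValueChars,   -- full length, regardless of grid truncation
    CASE
        WHEN v.Val LIKE '%<script%'     THEN 'script tag'
        WHEN v.Val LIKE '%javascript:%' THEN 'javascript: URI'
        WHEN v.Val LIKE '%<%>%'         THEN 'other markup'
        ELSE 'unusually long value'
    END              AS Finding,
    LEFT(v.Val, 80)  AS Preview       -- short preview only; inspect the full value separately
FROM be_Profiles AS p
CROSS APPLY (
    -- CAST covers an ntext column; LOWER makes the match independent of collation
    SELECT LOWER(CAST(p.SettingValue AS nvarchar(max))) AS Val
) AS v
WHERE v.Val LIKE '%<%>%'
   OR v.Val LIKE '%javascript:%'
   OR LEN(v.Val) > 100                -- assumed ceiling for settings such as displayname
ORDER BY LEN(v.Val) DESC;
```

Run it read-only against a copy or backup of the blog database first, and treat every returned row as a value that is rendered into pages for other visitors.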