phranque - 1:48 am on Feb 19, 2012 (gmt 0)

the same vulnerability that allowed the clear gif to be inserted into your page also gave the attacker sufficient access to copy all your PHP source files (including your contact form handler script), and your databases This is probably true in the present case, but isn't automatically true.

almost certainly true, but copying the databases wouldn't explain this statement in beavis' OP:

Even more astonishing, I made a small change in one article on my CMS and the change instantly appeared on his site!

i would guess that the database wasn't locked down or the attacker gave himself permission to make external connections to the database.
then he powered up othersite.com with a script that connects to your database server instead of localhost or 127.0.0.1 and before serving the response it edits a few brand and domain names.