I concur, we'were attacked, but they didn't get through. This is a classic sql injection. It is a 64-bit encoded string that executes Microsoft SQL server script. They append their own string to every character field in your database.
We were hit by almost identical attack 2 years ago, when we were unprepared. But the script is "lazy" enough that it'll just append everywhere...which leads me to believe they are there for collateral damage.
You'd need a database scan script to look through all character fields if your DB is large enough.