lucy24 - 6:26 am on Jan 13, 2013 (gmt 0)
I hope your site is not your livelihood, because the safest first step is to shut it down completely, delete everything, change all passwords, and don't put anything back until you have figured out how to prevent it from happening again. (Which, ahem, someone else will explain. You are not the first person to have this happen.)
Meanwhile, get hold of your logs-- if you're on shared hosting they live in a completely different area and should be unaffected-- and study them for clues. Look especially for things like unexpected POST requests and weird query strings. Don't bother too much about IPs and UAs. You don't care what your Russian robot looks like; you just want him to stay the #$# out, no matter what disguise he is wearing.