Good news: Wasn't my fault.
Bad news: A WordPress instance on the same server was compromised. Which is common; every Linux hack I've seen in the last year has been a WordPress compromise. Usually crap plugins, which is most of them. Once the guy got in, he seeded HTML injection mines everywhere.
The Ugly: I half cleaned APS, but I never trust 'cleaning'. Gonna nuke it from orbit, only way to be sure. The DB does look fine, though I'll be forcing a password change because again, overkill is kinda my thing. Plus we haven't done it to date, so folks might be using passwords compromised by any of the megacorp compromises of the last few years.
While we're at it, might be time to jump to SMF 2.x. 1.1.x is still maintained and looks like it will be for a while.
On the plus side, we're up to the latest version of 1.1.21.