It seems that the problem was a vulnerability in wordpress 2.1.1, the advice if you have had a similar attack is to do the following:
Upgrade to the latest stable release (currently 2.3)
Check your logs for access to theme.php or feed.php with query strings of ix= or iz=
Report the IP addresses of those using these hacks to their ISP’s
