I've been puzzling over how they are getting in - their attack isn't obvious from any of the server logs. But I did discover some interesting activity that seems to happen at about the time of the intrusion, indicating that someone is interested in finding a copy of XMLRPC available on my machine.
POST /nucleus/xmlrpc/server.php
GET //nucleus/xmlrpc/server.php
GET /nucleus//nucleus/xmlrpc/server.php
GET /nucleus/nucleus//nucleus/xmlrpc/server.php HTTP/1.1
GET //xmlrpc/server.php HTTP/1.1
GET /nucleus//xmlrpc/server.php
GET /nucleus/index.php?catid=10&blogi%20...//xmlrpc/server.php
GET /nucleus/nucleus/xmlrpc/server.php
GET /xmlrpc/server.php
GET /nucleus/xmlrpc/server.php
GET /nucleus/index.php?catid=10&blogid=1/xmlrpc/server.php
GET /nucleus/index.php?catid=10&blogi%20.../xmlrpc/server.php
GET /nucleus/index.php?catid=3&blogid%20.../xmlrpc/server.php
GET /nucleus/index.php?catid=10&blogid=1/xmlrpc/server.php
GET /nucleus/index.php?catid=3&blogid=1/xmlrpc/server.php
GET /nucleus/index.php?catid=3&blogid=1/xmlrpc/server.php
Wikipedia has an interesting write-up which describes XML-RPC as a precursor to SOAP. In any case, it appears that I've had an interpretive server available on my website since I installed Nucleus. There is also a discussion about the XML-RPC vulnerability here.
On further research, XML-RPC is used by blogging software to allow for commenting and other blog activities. That would explain why it is included with Nucleus, which is what I use to run this blog. I've also noticed miscreants searching for the Serendipity blog versions - see the following:
69.57.190.234 - GET /nucleus/serendipity_xmlrpc.php
69.57.190.234 - GET /serendipity_xmlrpc.php
Since then, I've removed XML-RPC from my website. If I don't repost on this topic, then that probably fixed the problem.
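
Requests like the ones quoted above can be picked out of an access log automatically. The following Python is an added example, not part of the original post: it assumes Common Log Format, and the log lines, addresses, dates and function names are constructed for illustration. It groups hits by client address and separates direct path probes from the ones tacked onto a query string.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Endpoint names taken from the requests quoted in the post.
ENDPOINTS = ("/xmlrpc/server.php", "/serendipity_xmlrpc.php")

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]*\] "([A-Z]+) (\S+)[^"]*" (\d{3})')

def classify(target):
    """Return 'path', 'query' or None for one request target."""
    # Split on '?' by hand: urllib's urlsplit() reads a leading '//' as a
    # network location and would drop the first path segment.
    path, _, query = target.partition("?")
    # Decode %xx and collapse '//' runs so variant spellings compare equal.
    path = re.sub(r"/{2,}", "/", unquote(path)).lower()
    query = re.sub(r"/{2,}", "/", unquote(query)).lower()
    if path.endswith(ENDPOINTS):
        return "path"
    if query.endswith(ENDPOINTS):
        return "query"  # endpoint appended to an existing page URL
    return None

def find_probes(lines):
    """Map client IP -> list of (method, target, status, kind)."""
    hits = defaultdict(list)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line; skip rather than guess
        ip, method, target, status = m.groups()
        kind = classify(target)
        if kind:
            hits[ip].append((method, target, int(status), kind))
    return dict(hits)

# Constructed sample log (documentation address ranges, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2006:10:00:01 +0000] "GET /nucleus/index.php?catid=10&blogid=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [01/Jan/2006:10:00:05 +0000] "POST /nucleus/xmlrpc/server.php HTTP/1.1" 200 312',
    '198.51.100.7 - - [01/Jan/2006:10:00:06 +0000] "GET //xmlrpc/server.php HTTP/1.1" 404 210',
    '198.51.100.7 - - [01/Jan/2006:10:00:07 +0000] "GET /nucleus/index.php?catid=10&blogid=1/xmlrpc/server.php HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2006:10:02:00 +0000] "GET /serendipity_xmlrpc.php HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for ip, hits in find_probes(SAMPLE_LOG).items():
        print(ip, len(hits), "probe(s):", [h[1] for h in hits])
```

A "query" hit that returns 200 only means the underlying page was served, so the status code is meaningful mainly for "path" hits.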