I did discover the access point... Apparently WordPress and ZenPhoto both use TinyMCE as an editor... and there was an insecure ajax file manager plugin released with TinyMCE which allowed the hackers to gain access to the file directory.
Of course, once they can upload one file, they can get into the server and do anything.
Obviously, the server/site is listed in some hacker database now as well, since the server logs still show idiots trying to access the same spot (despite the fact that I completely deleted ZenPhoto, so the directory they are trying to hit no longer even exists)
Of course, each time they do attempt it, it gives me another IP address to report and ban from the server.