We have been playing with various DNN user profile fields since this morning, and cannot reproduce this issue on a default DNN 4.8.2 deployment. We have attempted to pass various HTML tags in to user profile fields, all of them are stripped off or are not allowed to persist in the database. Obviously if the core DNN modules are susceptible to SQL injections, this is bad news. However this would not be the first time we have seen poor quality 3rd party modules causing chaos on our servers.

We are going to setup a virtual machine with Visual Studio and attach debugger to the DNN work process to step through some of the validation code, I’ll post updates if we find anything.

My DNN site appears to be comprimised as well.

Here is the IIS startup failure:

[formatException: Input string was not in a correct format.]
   Microsoft.VisualBasic.CompilerServices.DoubleType.Parse(String Value, NumberformatInfo Numberformat) +193
   Microsoft.VisualBasic.CompilerServices.IntegerType.FromString(String Value) +96

[InvalidCastException: Cast from string "2<script src=http://www.banner82" to type 'Integer' is not valid.]
   Microsoft.VisualBasic.CompilerServices.IntegerType.FromString(String Value) +211
   Microsoft.VisualBasic.CompilerServices.IntegerType.FromObject(Object Value) +750
   DotNetNuke.Services.Scheduling.SchedulingProvider.get_SchedulerMode() +70
   DotNetNuke.Common.Global.StartScheduler() +7
   DotNetNuke.Common.Global.Application_Start(Object Sender, EventArgs E) +336

I am running an older verison of DNN. I will post a list of installed components just as soon as I find the offending entries.

The offending entries in your case are in the HostSettings table.