I had something similar happen here but it was not through the actual login. I was able to fix by searching through the source code for the page that is was showing for the specific url's that were coming up and find out where exactly the code had been inserted and then remove it that way. In my case, it had come from one teacher's course.
I am concerned that it appears that someone was able to use the guest account password entry to insert code into the website. If that is the case, we definitely need a Tracker item on this.