I think you have been a victim of hacking through SQL injection. You need to take immediate action.
SQL injection is one of the most common modes of hacking attack and one of the most dangerous too. However, you can minimize the risk by taking appropriate measures.
In most cases,
1. You have not sanitized user input on common pages, like FAQ or Contact Us.
2. Or you have not sanitized the query string in the page.
What an attacker does is append an SQL query to read all table names and column names and insert some links in those columns.
To check exactly what has happened, check the IIS log of the server. There you will find some strange URLs.
As an immediate measure, see if you can block the suspected IP (which you may get from analyzing the IIS logs). You may write a query to do a full index search for such suspected words to see if you are infected.
You will need to do some reading to stop it.
SQL Injection Attacks and Some Tips on How to Prevent Them
Hope that helps.
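The IIS log check described in the post above, as an added example that is not part of the original post: it reads the W3C `#Fields:` header, URL-decodes each query string, and groups requests carrying appended SQL by client IP. The log lines, IP addresses, and signature list are constructed assumptions to tune for your own site.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (IPs are documentation ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2024-01-10 08:01:12 198.51.100.7 GET /faq.asp id=12 200
2024-01-10 08:01:15 203.0.113.9 GET /faq.asp id=12%27+UNION+SELECT+name+FROM+sysobjects-- 500
2024-01-10 08:01:19 203.0.113.9 GET /contact.asp ref=1;DECLARE%20@s%20VARCHAR(4000);EXEC(@s) 200
2024-01-10 08:02:40 198.51.100.7 GET /search.asp q=union+station+hours 200
"""

# Signatures of SQL appended to a parameter (assumed list; tune per application).
SQLI = re.compile(
    r"\bunion\b.{0,40}\bselect\b|\bdeclare\s+@|\bexec\s*\(|\bcast\s*\("
    r"|\b(?:sysobjects|syscolumns|information_schema)\b|'\s*(?:or|and)\s|--\s*$",
    re.IGNORECASE,
)

def suspicious_requests(log_text):
    """Return {client_ip: [(date, time, uri, decoded_query), ...]} for hits."""
    fields, hits = [], defaultdict(list)
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # column order can differ per log file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        query = row.get("cs-uri-query", "-")
        if query == "-":                       # IIS writes "-" for an empty query
            continue
        decoded = unquote_plus(unquote_plus(query))   # second pass undoes double encoding
        if SQLI.search(decoded):
            hits[row.get("c-ip", "?")].append(
                (row.get("date"), row.get("time"), row.get("cs-uri-stem"), decoded))
    return dict(hits)

if __name__ == "__main__":
    for ip, reqs in suspicious_requests(SAMPLE_LOG).items():
        print(ip, len(reqs))
        for r in reqs:
            print("   ", *r)
```

The pages that appear in the hits are the ones whose parameters reach the database unsanitized, so they are the first places to fix and the first tables to inspect for inserted links.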