It looks more like they know your FTP or SiteWorx passwords then, unless it is some kind of form where they can submit comments or similar. You could use this code to stop them (change the variable if necessary):
$comment = str_replace("<iframe", "", $comment);
Yeah, its probably some kind of “injection” code. I think that refers more to SQL injection and getting data out of a database, but i think this follows the same idea. Any big text feild entries on a from must be check for this kind of thing.