We have found that in several logs besides the affected sites, BUT, not found it in the logs for all the affected sites - which had made us a little iffy on whether the two things were connected, or whether it was two sets of people attempting to do unpleasant things to our server. We've already taken some steps to block that SQL anyway, but with that decode, that makes things a lot clearer.

Thank you very, very much!