I'm running WordPress on IIS7 on one of my servers. For some reason, a hacker is able to change the read/write permissions on all of the files, and then inject a script tag into the top line of the index.php file.
Where should I start looking in order to figure out how they're overwriting the files?
First up, upgrade to the latest version of WordPress. Then disable all plugins. That'll keep the buggers at bay while you do a bit more forensics on the machine.
Look through your access logs looking for requests around the time of the mtimes of the files in question that are either POSTs, or GETs with funny-looking query parameters. Note the URLs that are being requested, and whether they're associated with a plugin or the core code, which will help narrow down the attack vector. You can then re-enable plugins that aren't related to the problem (after again updating them to the latest version to minimise risk).
From there, it all depends on what you found previously and how much skill you have. You could play honeypot and try to get more info on what the attackers are up to, but I'm guessing you've probably got an uphill battle on that one from your apparent experience level. General advice is just to keep up to date on patches, watch the WordPress announcements for security updates, and pray you don't get hit by a zero-day.