Hi bob3160,
There are programs also for Windows to detect this. Another elegant method could be this.
The final conclusion is that the best way to find injected code was to compare a suspicious document with a known-good document. Of course, the problem is finding a known-good doc to compare to but, with a bit of thought, you could come up with an additional insight -- an attacker couldn't inject a payload into a doc downloaded over SSL. So, I think the following would work nicely:
* wget http://www.microsoft.com/default.aspx (possibly not the _best_ test page, but it'll do for our example)
* wget https://www.microsoft.com/default.aspx
* Diff the two documents and look for obviously injected code.
Unfortunately, the two copies of default.aspx, in this example, will have minor differences but nothing so obvious as an <iframe> pointing somewhere else.
polonus
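
An added example, not part of the original post: because the two copies differ in harmless ways, a line diff is noisy, so this sketch compares only the active content (iframe, script, object, embed) of the HTTP copy against the HTTPS copy used as the reference. It goes slightly beyond the `<iframe>` case mentioned above; the function names, the sample pages and the `injected.example` host are constructed for illustration.

```python
from html.parser import HTMLParser

# Tags (and their URL attribute) that can pull in or run external content.
WATCHED = {"iframe": "src", "script": "src", "object": "data", "embed": "src"}

class ActiveContent(HTMLParser):
    """Collects (tag, url) pairs for watched tags plus inline script bodies."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.found, self._in_script, self._buf = set(), False, []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in WATCHED and attrs.get(WATCHED[tag]):
            self.found.add((tag, attrs[WATCHED[tag]].strip()))
        elif tag == "script":  # inline script: capture its body
            self._in_script, self._buf = True, []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = " ".join("".join(self._buf).split())  # normalise whitespace
            if body:
                self.found.add(("script-inline", body))
            self._in_script = False

def active_content(html):
    p = ActiveContent()
    p.feed(html)
    p.close()
    return p.found

def injected(http_html, https_html):
    """Active content present in the HTTP copy but absent from the HTTPS copy."""
    return sorted(active_content(http_html) - active_content(https_html))

# Constructed samples: same page twice; the HTTP copy has a benign timestamp change and one extra iframe.
HTTPS_COPY = """<html><head><script src="/js/site.js"></script></head>
<body><p>Generated 10:00:01</p><script>var page = "home";</script></body></html>"""
HTTP_COPY = """<html><head><script src="/js/site.js"></script></head>
<body><p>Generated 10:00:07</p><script>var page = "home";</script>
<iframe src="http://injected.example/x"></iframe></body></html>"""

if __name__ == "__main__":
    print(injected(HTTP_COPY, HTTPS_COPY))
```

To use it on real downloads, read the two files saved by wget and pass their contents to `injected()`; an empty list means no active content is unique to the HTTP copy.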