Quite often we're seeing iframes and other malscripts injected as a result of a virus on a PC with FTP access to the infected website.
The virus works by stealing the FTP login credentials from the PC, especially if the PC is using Filezilla which stores all FTP credentials in a plain text file. The virus sends the FTP credentials to a server which then infects whatever websites it has access to.
The virus also works as a keylogger and as a sniffer. FTP transmits all data, including username and password in plain text. Quite easy for the virus to "see" the username, password and FTP address, steal it and send it to "their" server.
So, just cleaning the file and updating the CMS software, etc. won't necessarily keep the website clean. Changing FTP passwords won't either because the virus will just steal it again. We've seen this over and over again.
You have get rid of Filezilla, if that's what you're using (Unmaskparasites has a great article on this issue:
http://blog.unmaskparasites.com/2009/09/23/10-ftp-clients-malware-steals-credentials-from/ and use FTP software that encrypts the stored usernames and passwords. In this instance, even changing from FTP to SFTP or FTPS won't help as quite often the hacker's server is logging in using valid credentials stolen from the plain text file on the PC.
The hackers also like to install backdoors so when you clean and remove the virus that steals FTP passwords, the hackers can still infect the website.
Often times we've seen code that contains: eval(base64_decode in .php file. It's usually found at the top or the very bottom of the .php file. Often times this code is used to remotely inject malscripts into websites. Other times we're seeing a variety of Perl files used to reinfect websites.
Just thought you'd like to know...