Domains used in this attack:
(and many others)
WordPress and Joomla sites.
This malware is generally hidden inside the database (wp-content table). Sign up here to get it clean up: Signup
Malware dump (sample of malware):