Not sure if this will help or not, but company next door to us got hit with a mass brute force attack on several websites. It was an iframe inf.cn The simple fix was to re-upload last working file and overwrite the infected file AND change all passwords for ftp and admin login.
This seemed to work for them so far. Hope it helps.
