Over the last few months we have seen an increasing amount of tickets about Javascript / iFrames being inserted at the end of code in web roots which is causing sites to be blocked by Google.
In almost all cases the files have been altered via FTP using legitimate FTP usernames and passwords which have been harvested from end users PCs. This looks to be the work of a variant of the Gumblar botnet ( http://en.wikipedia.org/wiki/Gumblar ).
If your customer reports that they have had code inserted onto any of their pages please ensure that any PC which stores their FTP credentials is virus checked.