These days I am dealing with some infected files on my sites. I have seen that this bot inserts two iframes into files whose names contain “index”, “default” or “home”. On this blog the infected files were /index.php, /wp-admin/index.php, /wp-admin/index-extra.php, wp-includes/default-filters.php and /wp-content/themes/../index.php. All these files contained the two iframes pointing to the two .cn sites. It looks to be a vulnerability on the server, since all sites hosted at the same IP were modified.
So the fastest way to repair this is to replace the infected files with clean copies from a default installation, or to open them in an editor and clean them manually. After that, the website has to be secured by adding a .htaccess file with rules to block the malicious visitors and, of course, by installing some useful plugins such as a firewall and a file monitor.
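To find which files need replacing, the pattern described above (files with "index", "default" or "home" in the name that carry an iframe pointing at a .cn host) can be checked with a short script. This is an added example, not code from the original post; the function names, the sample files and the placeholder .cn hosts are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Name fragments the post reports the bot targeting.
TARGET_NAME_PARTS = ("index", "default", "home")
# Opening <iframe> tag; captures the src value, quoted or bare.
IFRAME_SRC = re.compile(rb"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.I)


def cn_iframe_hosts(data):
    """Return the hosts of iframe sources under .cn, in order of appearance."""
    hosts = []
    for match in IFRAME_SRC.finditer(data):
        src = match.group(1).decode("utf-8", "replace")
        if src.startswith("//"):  # protocol-relative: give urlparse a scheme
            src = "http:" + src
        host = (urlparse(src).hostname or "").lower().rstrip(".")
        if host.endswith(".cn"):
            hosts.append(host)
    return hosts


def scan(webroot):
    """Map relative path -> .cn iframe hosts, for files with a targeted name."""
    findings = {}
    for path in Path(webroot).rglob("*"):
        name = path.name.lower()
        if path.is_file() and any(part in name for part in TARGET_NAME_PARTS):
            hosts = cn_iframe_hosts(path.read_bytes())
            if hosts:
                findings[path.relative_to(webroot).as_posix()] = hosts
    return findings


def demo():
    """Scan a constructed tree (sample files made up for this example)."""
    samples = {
        "index.php": b'<?php ?><iframe src="http://placeholder-a.cn/x" width=0></iframe>',
        "wp-admin/index-extra.php": b"<IFRAME height=0 SRC=//placeholder-b.cn/></iframe>",
        "home.html": b'<iframe src="https://video.example.com/e"></iframe>',
        "about.php": b'<iframe src="http://placeholder-a.cn/x"></iframe>',
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return scan(root)
```

Calling `scan()` on the real web root lists the files to restore from a clean installation; the name filter follows the behaviour described in the post, so `about.php` in the sample is skipped even though it carries the same iframe.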