In case this helps anyone:
Our admin found an entry point in the templates folder: admin.php
He removed it, verified the folder permissions, and emptied the javascript file that was injected.
He traced the injection IP to 118.253.10.255
We sent an email to abuse.szx@2118.com.cn, which is where that IP traced to, and then did the Google Adwords abuse report.