All the sites are hijacked subdomains of legitimate domains, a peculiar mix of pornography and Dora the Explorer. Domains in use are:
To give credit to the owners of dora-explorer.co.uk, they have spotted that something is wrong, although it looks like the nameservers of their webhost (eu1.downtownhost.com and eu2.downtownhost.com) are improperly secured.
A full list of all the subdomains I can find is here [pastebin] but I would recommend applying a temporary block to these domains until the webhost secures them, although the most effective way of securing your network is to permablock 220.127.116.11.
UPDATE: It definitely appears that downtownhost.com have not secured their nameservers as a few more customer sites are being abused in this way. It appears that the attackers are going through downtownhost.com's customers in alphabetical order. For example, the following subdomain are in use:
Additional sites to block:
UPDATE 2: it looks like downtownhost.com have fixed the problem. These recently-flagged domains can now be considered to be safe.