There is currently some sort of injection attack against WordPress sites that is injected code into the site's .js files. Not so unusual.. except that the payload site in the file changes every half hour or so.
A sample of the code can be seen here [pastebin], it looks similar to this (click to enlarge):
The site mentioned in the IFRAME is the one that keeps changing, so presumably there is either something running on the compromised WordPress site, or there is some other mechanism for the bad guys to update the details. The URLs I have seen recently are as follows:
All these subdomains are hijacked from legitimate domains using AFRAID.ORG nameservers, and are hosted on 188.8.131.52 (Digital Ocean, Netherlands). These then pass the victim onto another domain in the format
which is hosted on 184.108.40.206 (Linode, UK). The URL structure indicates that this might be the Nuclear Exploit Kit, although it has been hardened against analysis.
I can't detect all the sites on 220.127.116.11, but a list of the ones I have observed so far can be found here [pastebin] and those on 18.104.22.168 can be found here. But blocking the following IPs may give you better protection:
Update 2014-09-12 0830 UTC: overnight a whole set of other malicious subdomains (hijacked again from AFRAID.ORG users) were active, using the same IPs to spread malware. The domains change every 30 to 60 minutes or so.