Nothing has been found on our servers at this time. We currently have an iframe scan in process on 67 of our ecommerce servers - so far, no results other than this one incident.
The only thing I can comment on at the moment is that if this was a normal iFrame attack then it could have been caused by a keylogger or something of that nature. There's a mini article on the iframe incidents located here:
http://forums.cpanel.net/showthread.php?t=78595
The only other information I can contribute is that in the case of this one user the iframe linked to "live-counter.net" - again something that Emerson had mentioned previously. A scan of our servers for that combination in ANY user files has not shown to be present.
EDIT: I was just informed that the URL I posted goes to a forum that requires you to log in to view the posts. I have a shortened version of the post at our KB posted here:
http://billing.handsonwebhosting.com/knowledgebase.php?action=displayarticle&catid=11&i d=220