It's not gumblar but it does happen the same way as gumblar and martuz - compromised FTP credentials.
One of the PCs that has FTP access to that site is infected. I know, everyone has an anti-virus program, but many AV companies were getting hit with so many new variants that they started using generic signatures. (Check out Commtouch's new report)
This opened the door to new viruses that were clever enough to evade detection.
These new virus strains work in one of three ways; they know where the username and passwords are stored in files for popular FTP programs, they use keyboard loggers and they also sniff FTP traffic. Since FTP transmits all data, including username and passwords, in plain text, sniffing for login credentials in an FTP stream is quite easy.
The "pepsi" and "cocacola" iframes are the new gumblar and martuz infections.
All PCs with FTP access to that site have to be scanned and cleaned with a new anti-virus program - one different from what's installed now because obviously the virus knows how to evade detection of the current AV.
Then, and only then, can the FTP passwords be changed and then have the sites files all scanned or just replaced with a known good back-up.
You should probably start a new thread for this. Your customer's website has been infected.
These types of infections (3 character domain, then the TLD of either: ru, hk, in or tw, followed by :8080 and some string) have usually been the result of compromised FTP credentials.
Your customer should have everyone with FTP access to their (including you if you have FTP access to their site) install a new anti-virus program and scan and clean every PC with FTP access to that site.
The reason is, that the virus that steals the FTP credentials, already knows how to evade detection of the currently installed anti-virus program so you need to use something different. If you don't do this, your customer's site will just get hacked again and again.
After cleaning all PCs with FTP access, you must change all FTP passwords.
Then you can either restore the site with a known, clean version, or download the entire site to a newly cleaned PC, scan all the files for the above line (it will appear in iframe tags) and remove the malscript.
These steps must be followed in the order listed. Otherwise your customer will just get hacked again.