I found a bunch of files in the js directory. The file that Google warned me about is called "js2.php". It just creates an iframe for js.php. There are a few other files that contain data. The server is telling me the files were created by the user www-data. I'm not really sure where to go from here; I renamed "js2.php". I am trying to track what is referencing "js2.php". The malware uses two URLs, and for one of them I found a blog post on blog.dynamoo.com mentioning it as a dynamic DNS being used by a Neutrino exploit kit where "malicious code is being appended to legitimate .js files on those site".