Is your site fully patched? You may check at system -> configuration -> Design -> footer -> Miscellaneous HTML for any suspicious script.
Please refer following post https://community.magento.com/t5/Magento-1-x-Technical-Issues/HELP-site-hacked/m-p/19304#M1501 it has links to Magento best practices and other precautions which can help you keep your site secured.
Yep, fully patched. And behind a firewall. And the admin login was obfuscated and IP restricted.
And "System -> Configuration -> Design -> Header -> Miscellaneous HTML" was exactly where the script was placed.
It is better to restrict the admin url access by IP address (If you have static IP) or use two factor authentication.
I've found a similar code in php placed in the mage.php file. I think this happened shortly after I hired a "reputable" company to do some work for me on Magento. I'm not sure if its related or them or not, but it seems the file was accessed via ftp.