See the screenshot below
Gumblar.cn exploit is usually injected right before the <body> tag and when the script is executed (every time someone visits the infected web page), another script from “gumblar . cn/rss/” is silently loaded and executed.
Incidentally, 95% of the sites infected by this exploit uses PHP (bangaloretelecom too).
Hat tip: Khaitan