I also have a site hosted at CWI which was modifed with the exact same code, July 23rd.
It looked like who ever hacked the site used a script which searched through the site of files with index or login in the name. And then searched for </body> in the text and inserted the above code just above the end body.
I reported the issue to CWI and they told me that there had been a login from a server in Hong Kong.