SQL injection embeded .js file to execute CF hack

["ajdove" <webforumsuser@xxxxxxxxxxxxxx>]

:shocked;
 I am a programmer sent to investigate suspicious activity at a client's web 
application.  I cannot attach a file in case of infection potential.  The 
Coldfusion code is open to SQL injection attack which is how we believe the 
Apache web server became infected.  Upon investigation we found javascript 
files which had been written with CFML code programatically scripted to fit 
within a .js javascript file and write and read data from the server.

 Has ANYONE seen this type of attack before?  I cannot disclose the client or 
specific data as we are under a NDA (Non-Disclosure Agreement), however, I need 
help of other Coldfusion programmers to fully understand this attack.  Has 
anyone seen CFML code programmed into a .js javascript file and run by calling 
the .js javascript file before?

 We have found japanese or chinese language within the code and within files on 
the server.  The client states they have NOT installed any language packs or 
anything referencing other languages than English. There have been japanese 
characters found on the database server.  There are hundreds of .js and .xml 
files on the server which reference japanese.  Furthermore, we have found many 
XML files on the server,but the client does not use .xml so these .xml files 
would then be foreign and potentially programatically scripted by the server 
launching code to write these files under the un-knowing eyes of the client.

 So we need to understand the limits or potential threats:
 1. Can CFML scripting be embedded into a .js javascript file
 2. If database parameters are not locked, what are the possible attacks 
available to SQL injection

 Any help would be appreciated.
 Thank you in advance.
 Alex Dove