Hi all,
In my case the server compromise turned out to have nothing to do with WordPress. It was a Joomla 1.5.x outdated template (beez) used to upload a very nasty PHP shell!
That PHP shell injected the JS that points to http://abtt.tv/modules/mod_servises/ua.js, so if you see the same, check your system for the presence of this shell.
I found 2 copies of the same shell, with 2 different names: one is mysite/templates/beez/958b.php and the other is myothersite/templates/beez/28bc.php. It's a modification of a known PHP backdoor shell. If someone is interested I'll post the shell code.
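A way to run the check described in the post across a whole web root, as an added example that is not part of the original post: it flags PHP files with names like the two reported ones inside any `templates` directory, and any file that references the injected script URL. The "four hex characters + .php" pattern, the function names and the sample tree are assumptions made for this example.

```python
import os
import re
import tempfile

# Indicators taken from the post above.
INJECTED_JS = "abtt.tv/modules/mod_servises/ua.js"
# Assumption: the two reported names (958b.php, 28bc.php) generalise to
# "four hex characters + .php"; review each hit by hand before deleting.
HEX_PHP = re.compile(r"^[0-9a-f]{4}\.php$", re.IGNORECASE)
TEXT_EXT = (".php", ".js", ".html", ".htm", ".tpl")

def scan(webroot):
    """Return sorted (reason, relative_path) findings under webroot."""
    findings = []
    for dirpath, _dirs, files in os.walk(webroot):
        in_templates = "templates" in os.path.relpath(dirpath, webroot).split(os.sep)
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, webroot)
            if in_templates and HEX_PHP.match(name):
                findings.append(("hex-named-php-in-template", rel))
            if name.lower().endswith(TEXT_EXT):
                try:
                    with open(path, "r", errors="ignore") as fh:
                        if INJECTED_JS in fh.read():
                            findings.append(("injected-js-reference", rel))
                except OSError:
                    continue  # unreadable file: skip it, keep scanning
    return sorted(findings)

def build_sample_tree(root):
    """Constructed sample site layout with harmless placeholder files."""
    beez = os.path.join(root, "mysite", "templates", "beez")
    os.makedirs(beez)
    samples = {
        os.path.join(beez, "index.php"): "<?php echo 'template'; ?>",
        os.path.join(beez, "958b.php"): "<?php /* placeholder */ ?>",
        os.path.join(root, "mysite", "index.html"):
            '<script src="http://abtt.tv/modules/mod_servises/ua.js"></script>',
    }
    for path, body in samples.items():
        with open(path, "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for reason, rel in scan(tmp):
            print(reason, rel)
```

Point `scan()` at the directory that holds all hosted sites, since the post found copies of the shell under more than one site on the same server.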