lexipixel - 12:18 am on May 25, 2011 (gmt 0)
base64 encoded junk
Just what I was thinking. I recently cleaned out a shared hosting site where <?php eval(base64_decode(... statements had been injected into WordPress .php files (also phpBB and osCommerce PHP files on the same server).
The exploit was triple hidden. The base64 code would create CSS code that hid a DIV that contained more PHP that read from "key" files hidden in an image directory. The key files contained more base64 encoded strings which expanded to keyword spam links at run time. It was fairly genius -- except for the fact that the eval() ran when the WordPress dashboard was opened and there was a slight "flicker" on the dashboard tipping off the owner that something wasn't right....
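Added example, not part of the original post: a cleanup-time scanner for the two artifacts described above, PHP files containing an eval(base64_decode( call and non-PHP "key" files whose whole content is one long base64 string. The file names, the 80-character threshold and the sample tree built in demo() are constructed assumptions, and the key-file check is a heuristic that needs manual review of each hit.

```python
import base64
import re
import tempfile
from pathlib import Path

EVAL_B64 = re.compile(rb"eval\s*\(\s*base64_decode\s*\(", re.I)
B64_ONLY = re.compile(rb"[A-Za-z0-9+/]+={0,2}")
IMAGE_MAGIC = (b"\x89PNG", b"\xff\xd8\xff", b"GIF8")
PHP_EXT = {".php", ".phtml", ".inc"}

def looks_like_key_file(data):
    """True if a file is not a real image and is nothing but base64 text."""
    if data.startswith(IMAGE_MAGIC):
        return False
    body = b"".join(data.split())           # ignore line wrapping
    if len(body) < 80 or not B64_ONLY.fullmatch(body):
        return False
    try:
        base64.b64decode(body, validate=True)
    except ValueError:                       # binascii.Error is a ValueError
        return False
    return True

def scan(root):
    """Return sorted (relative path, finding) pairs for files under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        data = path.read_bytes()
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in PHP_EXT:
            if EVAL_B64.search(data):
                findings.append((rel, "eval-base64"))
        elif looks_like_key_file(data):
            findings.append((rel, "base64-key-file"))
    return sorted(findings)

def demo():
    """Build a constructed sample tree in a temp dir and scan it."""
    files = {  # constructed sample content, harmless when decoded
        "index.php": b"<?php echo 'hello'; ?>\n",
        "wp-content/footer.php": b'<?php eval(base64_decode("'
            + base64.b64encode(b"/* constructed sample */") + b'")); ?>\n',
        "images/logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "images/cache.key": base64.b64encode(b"constructed placeholder text " * 5),
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, content in files.items():
            target = Path(tmp) / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(content)
        return scan(tmp)
```

Run scan() against a copy of the web root and compare every hit with a known-good copy of the same WordPress, phpBB or osCommerce release before deleting anything.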