Removing malicious lines of base 64 code


lammert - 2:57 am on Oct 1, 2010 (gmt 0)


These lines shouldn't be too difficult to recognize. They all start with something like

eval(base64_decode('some string...

The more sophisticated versions use zip compression:

eval(stripslashes(gzinflate(base64_decode('some string ...

I had them a few months ago in a WordPress installation of a non-profit organization I host for. The lines were there right from the beginning--even before the site went live--and I therefore don't think they were injected, but part of a free theme they found somewhere. I didn't analyze it fully, but it seemed that part of the functionality of the theme was coming from an external server and that server delivered the malicious payload. The download code from that remote server was base64 encoded, to make it difficult to identify for the average website builder.

Rather than cleaning up the mess, I just disabled the use of WordPress, removed all files and pushed the user in the direction of another CMS.
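The two shapes lammert describes can be located and unpacked statically, without ever letting eval() run them. The Python below is an added example, not code from the thread, from WordPress or from any theme: it finds eval(base64_decode('...')) and eval(stripslashes(gzinflate(base64_decode('...')))) in PHP source and reverses the encoding chain the way PHP would (gzinflate is raw DEFLATE, so zlib is called with negative window bits). It also accepts gzuncompress and str_rot13 in the chain, which the post does not mention but which are used the same way. The sample theme file, and the example.invalid URL in its payload, are constructed here for the demonstration.

```python
import base64
import codecs
import re
import zlib

# Matches eval(base64_decode('...')) and eval(<wrappers>(base64_decode('...')))
# where <wrappers> is a chain such as stripslashes(gzinflate(. Group 1 is the
# wrapper chain, group 2 the quoted base64 text. Case-insensitive because PHP
# function names are. The accepted wrapper list is an assumption of this example.
PATTERN = re.compile(
    r"eval\s*\(\s*"
    r"((?:(?:stripslashes|gzinflate|gzuncompress|str_rot13)\s*\(\s*)*)"
    r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=\s]+)['\"]",
    re.IGNORECASE,
)


def decode_payload(wrappers: str, b64: str) -> bytes:
    """Undo the encoding chain the way PHP would, innermost call first,
    and return the PHP source that eval() would have executed."""
    data = base64.b64decode(re.sub(r"\s+", "", b64), validate=True)
    names = re.findall(r"[a-z0-9_]+", wrappers.lower())
    for name in reversed(names):  # the innermost wrapper is the last one written
        if name == "gzinflate":
            data = zlib.decompress(data, -15)  # raw DEFLATE, what PHP gzinflate() reads
        elif name == "gzuncompress":
            data = zlib.decompress(data)  # zlib-wrapped, what PHP gzuncompress() reads
        elif name == "str_rot13":
            data = codecs.encode(data.decode("latin-1"), "rot13").encode("latin-1")
        elif name == "stripslashes":
            data = re.sub(rb"\\(.)", rb"\1", data, flags=re.DOTALL)
    return data


def scan_php(source: str) -> list:
    """Return one finding per eval(...base64_decode(...)) occurrence in a PHP
    source string: line number, wrapper chain, and the decoded payload
    (None if decoding fails, e.g. because the string is truncated)."""
    findings = []
    for m in PATTERN.finditer(source):
        line_no = source.count("\n", 0, m.start()) + 1
        wrappers = re.findall(r"[a-z0-9_]+", m.group(1).lower())
        try:
            decoded = decode_payload(m.group(1), m.group(2))
        except (ValueError, zlib.error):
            decoded = None
        findings.append({"line": line_no, "wrappers": wrappers, "decoded": decoded})
    return findings


def make_sample_theme() -> str:
    """Constructed sample of an infected theme file (not a real theme): one
    legitimate function followed by the two shapes from the post. The remote
    URL in the payload is a placeholder, not a real host."""
    remote = b"echo file_get_contents('http://example.invalid/ads.txt');"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE so gzinflate() accepts it
    packed = base64.b64encode(deflater.compress(remote) + deflater.flush()).decode()
    plain = base64.b64encode(b"echo 'hello';").decode()
    return (
        "<?php\n"
        "function theme_footer() { echo '<footer>Site footer</footer>'; }\n"
        "eval(stripslashes(gzinflate(base64_decode('" + packed + "'))));\n"
        "eval(base64_decode('" + plain + "'));\n"
    )


if __name__ == "__main__":
    for f in scan_php(make_sample_theme()):
        print(f"line {f['line']}: wrappers={f['wrappers']} payload={f['decoded']!r}")
```

Run it over every .php file under the web root and read the decoded payload instead of the base64 blob; a remote fetch such as file_get_contents() or curl in the decoded text is the "functionality coming from an external server" the post describes. Because the scan only decodes and never evaluates, it is safe to run on a copy of a site you suspect is compromised.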


Thread source: http://www.webmasterworld.com/website_technology/4209468.htm