A common keyword that people use to find hidden injections on web sites is base64_decode. Youoften see injections that look like eval ( base64_decode or eval ( gzinflate ( base64_decode beingused by the attackers.
So most web security tools have some signatures to look for it (specially on WordPress).
Well, the attackers do know about it as well and we are starting to see some interesting variations for it. Forexample, instead of injecting base64_decode, they are injecting as a variable:
$g___g_='base'.(32*2).'_de'.'code';
And instead of calling out base64_decode directly, they are using base + 32*2 + decode. A simple trick that allows them to bypass many security filters.