The above code snippet means that malicious code will only be served if the User-Agent is Internet Explorer. The geekier amongst you will recognise the base64 string as being the beginning of:
Sophos now detects and disinfects this modified code as Troj/PHPShll-B.
So, what's happened is that somehow malicious code has managed to inject itself into the PHP code used on some websites running WordPress, meaning that if you visit them when running Internet Explorer you could be exposing yourself to a malware attack.
What isn't clear is exactly how the malicious code managed to embed itself on the website, although it was most probably via compromised FTP credentials.
If you run a site which uses WordPress you would be wise to ensure that your passwords are chosen carefully (not dictionary words, and not easy to guess) and that you are not using the same credentials on any other websites. If you think it's possible that your password details may have been stolen - or if you use the same passwords elsewhere on the internet - change them immediately.
Furthermore, you should be regularly auditing the code on your site to ensure that there have not been any unauthorised changes.
Finally, always ensure that your website software is up-to-date and fully patched.
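The regular code audit recommended above can be automated with a hash baseline. The following is an added example, not code from the original article: it records SHA-256 digests of a site's PHP files while the site is known-good, reports later changes, and flags changed files that both read the User-Agent and call `base64_decode`. The sample tree, the file names and the `MSIE` check are constructed for illustration.

```python
import hashlib, re, tempfile
from pathlib import Path

# Heuristic (assumption, from the behaviour described above): a file that both
# reads the browser's User-Agent and decodes a base64 string deserves a look.
UA_CHECK = re.compile(rb"HTTP_USER_AGENT", re.I)
B64_CALL = re.compile(rb"base64_decode\s*\(", re.I)

def snapshot(root):
    """Map every PHP file under root (relative path) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*.php")) if p.is_file()}

def audit(root, baseline):
    """Compare root with a trusted baseline snapshot; flag risky changed files."""
    current = snapshot(root)
    report = {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current)
                           if baseline[p] != current[p]),
    }
    changed = report["added"] + report["modified"]
    blobs = {p: (Path(root) / p).read_bytes() for p in changed}
    report["suspicious"] = [p for p, b in blobs.items()
                            if UA_CHECK.search(b) and B64_CALL.search(b)]
    return report

def demo():
    """Run the audit on a constructed site tree (sample files, not real WordPress)."""
    with tempfile.TemporaryDirectory() as d:
        site = Path(d)
        (site / "wp-includes").mkdir()
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-includes" / "theme.php").write_text("<?php // theme code\n")
        baseline = snapshot(site)  # taken while the site is known-good
        # Constructed tampering: UA-gated, base64-wrapped output (placeholder text).
        (site / "index.php").write_text(
            "<?php if (strpos($_SERVER['HTTP_USER_AGENT'], 'MSIE') !== false) {\n"
            "  echo base64_decode('UExBQ0VIT0xERVI='); }\n")
        (site / "wp-includes" / "new.php").write_text("<?php // unexpected file\n")
        (site / "wp-includes" / "theme.php").unlink()
        return audit(site, baseline)

if __name__ == "__main__":
    print(demo())
```

Store the baseline somewhere the web server and FTP account cannot write to, otherwise whoever modifies the site can also modify the record it is checked against.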
This hack appears to be widespread and website owners need to be vigilant.
Reference: Naked Security News
Computer Forensic, Internet Investigation and IT Consultant