The folks at AlienVault did a great writeup on the recent PHP.net malware.
What’s most interesting about it is the roundabout way the malicious payload eventually gets deployed. Some JavaScript was added to a static file that added an iframe, that sent the browser to a page that determined if it was running vulnerable Flash or Java. That page redirected the browser to the appropriate site to infect the host.
This kind of stuff is more than just adding some pharma links to a blog. It’s remarkable.