[Yver]

The attacker obfuscated "base64_decode" part but not "eval". It's not the first time I see base64_decode() being more the focus of attention than eval, I don't know where it originates from.

Also, if cron infected the PHP files I wonder what infected the crontab. :\

[Shish2k]

I'd expect the old insecure joomla install was the original source of the infection, the cron was just there to automatically re-infect it without the attacker needing to run the same remote exploit repeatedly

[eponeponepon]

Presumably PHP itself, no? Assuming it was running with a few too many permissions, or even under root...

[lmz]

It's the web user's own crontab judging by the lack of username in the file.