How to prevent a PHP script being executed when it is being read in as a $_POST element?
Simple, don't:
<?php
eval($_POST['unvalidated_user_data']);
?>
(In fact, don't eval at all; if you need eval, you're usually doing something wrong.)
Having RTFA, I interpreted it slightly differently. I think the supplied PHP code is uploaded to another, previously compromised server and it is used to send out phishing emails.
The unwary user then enters their login details on the compromised server (or, if they are using an email client that displays HTML forms(!), within the email); the data is then sent to the compromised server, which forwards it on to the script kiddie. The user is then redirected to the real login page along with their POST data, so when they arrive there they are automatically logged in, none the wiser...
"If I do not want others to quote me, I do not speak." -- Phil Wayne
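An added example, not part of the original thread: a heuristic Python scan of PHP source for the pattern the first reply warns about, where request data reaches `eval` or a similar code-loading construct, either directly or through one intermediate variable. The sink list, the function name `scan_php` and the sample PHP are assumptions constructed for illustration; a line-based regex pass like this over-approximates and does not replace a real static analyzer.

```python
import re

# PHP constructs that execute or load a string as code (function names are case-insensitive).
SINKS = r"(?i:eval|assert|create_function|include(?:_once)?|require(?:_once)?)"
# Request-controlled superglobals (variable names are case-sensitive in PHP).
SOURCES = r"\$_(?:POST|GET|REQUEST|COOKIE)\b"

DIRECT = re.compile(rf"\b{SINKS}\b\s*\(?[^;]*{SOURCES}")
SINK_ARGS = re.compile(rf"\b{SINKS}\b\s*\(?([^;]*)")
# "$var = ... $_POST[...]" or "$var .= ...", but not the comparison "$var == ...".
ASSIGN = re.compile(rf"(\$\w+)\s*\.?=(?!=)[^;]*{SOURCES}")

def scan_php(source):
    """Return [(line_no, reason)] where request data reaches a code sink."""
    findings, tainted = [], set()
    for no, line in enumerate(source.splitlines(), 1):
        if DIRECT.search(line):
            findings.append((no, "request data passed directly to a code sink"))
        else:
            m = SINK_ARGS.search(line)
            used = set(re.findall(r"\$\w+", m.group(1))) if m else set()
            if used & tainted:
                findings.append((no, "variable set from request data reaches a code sink"))
        # Remember variables assigned from a superglobal (sanitizers are ignored,
        # so this deliberately errs on the side of flagging too much).
        tainted.update(m.group(1) for m in ASSIGN.finditer(line))
    return findings

# Constructed sample input, not taken from any real site.
SAMPLE = """<?php
eval($_POST['unvalidated_user_data']);
$tpl = $_GET['page'];
include($tpl . '.php');
$name = htmlspecialchars($_POST['name']);
echo "Hello, $name";
if ($mode == $_POST['mode']) { echo 'same'; }
eval($mode);
?>"""

if __name__ == "__main__":
    for line_no, reason in scan_php(SAMPLE):
        print(f"line {line_no}: {reason}")
```

Commented-out code is flagged as well, since the scan does not parse PHP; treat each hit as a prompt for manual review.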