All the WP sites belonging to a particular shell user on my VPS server had the same problem yesterday or today (not sure). Another user on the same linux instance had no problem with its WP site. All sites use the same WP version.
Here is a git diff and status of what it looks like for one site in particular:
https://gist.github.com/4526116
It seems to add the same eval line at the beginning of some theme and plugin files, and some core WP files also.
I have reset the shell password of the attacked user. I’m still looking at what could have caused this.
