Meanwhile I'm pretty sure it's the MailPoet vulnerability… see
http://wordpress.org/support/topic/changed-headers-in-all-php-files?replies=24
and
http://blog.sucuri.net/2014/07/remote-file-upload-vulnerability-on-mailpoet-wysija-newsletters.html
Did any of your hacked sites have MailPoet installed? Or… since you're on a shared account, has your host found a site on the same server that has MailPoet installed?