MichaelBluejay - 2:22 am on Sep 23, 2012 (gmt 0)
Bingo. Initially I didn't think that .htaccess had been modified, but I just found (and removed) this line:
DirectoryIndex lndex.php index.html index.htm
The file modification date was July 8, 2008.
I found the file in question and sequestered it. (The whole "log" directory, actually.) The directory has a modification date of 9/14/2012, as do the file contents.
Andy's advice to look for files with the same modification date as those associated with the hack was invaluable. I found several more. Then I broadened the search to look at all files changed in the last month, and all .php files, and found some more. I scrubbed them all and then changed my password *again*.
Incidentally, one of the files is filled with code comments about "exploits" and "for your hacking pleasure", etc.
My host helpfully ran their own scan, which finds things like old software, files/folders with bad permissions, etc. I removed an ancient WordPress blog that I haven't used in years based on that report.
By the way, this hack spanned multiple domains. My file structure is /home/user/name/domainname, with several domains under the same username. The hackers had files from one domain loading files from another.
I apologize for my initial insistence that the problem wasn't on my end. I couldn't have been more wrong about that.