Turns out I had accidentally left a folder world-writable on my shared host and another user's account had dropped a shell php file into it, and that infected the rest of my php files.Had a bit of fun dissecting the malware after I had cleaned it up, though. The shell lets the attacker run arbitrary shell / php commands as well a connect to and query mysql, and the base64-encoded block of php that was inserted into all my PHP files checks the user-agent for MSIE, and then modifies the output buffer to inject a <script> tag after the <body> tag that links to a file that infects MSIE users.