i've cleaned up this mess for several people in the last year - guys, you're barking up the wrong tree. don't look outside for the vulnerability.
shared hosting environments mean other users on your server have access to your files, IF you have permissions set for them to have read or write access to them.
every wordpress install has folders that are *usually* writable by users other than the owner, like "uploads." also, that folder is accessible from the internet side of things too. this is how they get in.
another user on your shared web host knows that your domain is hosted on that server. they know you're running wordpress. they know the subdirectory that your host creates (usually ~/example.com/ ) and they know the common folder structure for wordpress.
they make a file with a familiar name, like "wp-pass.php" and try to copy it through the filesystem to your uploads directory (double check your permissions - most people make the uploads directory writable by everybody in order to allow the web server user to write to it. this is bad.)
if the copy is successful - then they hit that file via the web side - and bang! they're executing php code on YOUR install now. they can do anything they want.
check the file creator of the wp-pass.php file (or any other suspicious files you find in your writeable directories). i 99.9% guarantee the file owner is not YOU, but rather the other nefarious user on your shared hosting server (or, whoever hacked their shell account).
then take a screenshot of that file listing and send it to your hosting provider - explaining to them that another user is writing files to your directories and hacking your websites.
oh, and fix your file and folder permissions. :)
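
An added example, not part of the original post: a small Python audit for the two checks described above, directories that are writable by everybody and files whose owner is not your account. The function names and the sample directory layout are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_tree(root, expected_uid):
    """Return (world_writable_dirs, foreign_owned_paths) found under root."""
    world_writable, foreign = [], []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself, then every file inside it.
        for path in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
            st = os.lstat(path)  # lstat: report a symlink itself, never its target
            if st.st_uid != expected_uid:
                foreign.append(path)  # someone other than you created this
            if stat.S_ISDIR(st.st_mode) and st.st_mode & stat.S_IWOTH:
                world_writable.append(path)  # any local user can drop files here
    return sorted(world_writable), sorted(foreign)


def build_sample_install(base):
    """Constructed sample: a wp-content/uploads directory left at mode 0777."""
    uploads = os.path.join(base, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(base, "wp-content"), 0o755)
    os.chmod(uploads, 0o777)  # the "writable by everybody" setting
    with open(os.path.join(uploads, "wp-pass.php"), "w") as fh:
        fh.write("placeholder\n")
    return uploads


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        uploads = build_sample_install(base)
        writable, foreign = audit_tree(base, os.getuid())
        for path in writable:
            print("world-writable:", path)
        for path in foreign:
            print("not owned by you:", path)
        os.chmod(uploads, 0o755)  # owner-only write; re-audit comes back clean
        print("after chmod 755:", audit_tree(base, os.getuid())[0])
```

To use it on a real account, call `audit_tree` with your site's directory and your own uid; the foreign-owner list is the evidence to send to the hosting provider.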