Sorry for being a little snarky.
The *HEAD DESK* comment was sincere in that that does nothing for solving the problem and doesn't even treat the symptoms well. What other files are getting updated without your knowing it? Changing the modified time of a file is trivial and if the bad guy can create that file then they can continue to modify existing PHP files.
As Esmi says, there are no known security issues in the current version of WordPress. A more common vector for a compromise is add-on software (TimThumb, anyone?) or an insecure server.
Getting to the bottom of any compromise involves examining web access logs, syslog on your server, looking at files left by process UIDs, etc. and trying to tie it all together. It's a metric ton of work but it's doable. If 7 of your clients are getting this, then identify the commonality outside of the WordPress files (plugins, themes, same server, etc.).
More often than not, it's easier to save and eyeball your data off the server, uninstall everything you do need and install minimum and currently supported versions of Apache, PHP, etc. Then re-import your confirmed sanitized data.
If you are on a shared server, then you may never get to the bottom of it.
Give those links I posted a good look through. They're almost 100% copied from what Esmi has provided in the past.
I'm not being snarky again. If that doesn't help you in de-lousing your WordPress installs, and you've clients being impacted, then please consider paid help.
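
The point in the post above about modification times, as an added example that is not part of the original post: comparing PHP files against a content-hash baseline catches a change that an mtime check misses. The function names and the sample files are constructed for illustration.

```python
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each .php path (relative to root) to (sha256 hex digest, mtime in ns)."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                rel = os.path.relpath(path, root)
                snap[rel] = (digest, os.stat(path).st_mtime_ns)
    return snap


def compare(baseline, current):
    """Return (changed_by_hash, changed_by_mtime, added) as sorted lists."""
    common = [p for p in baseline if p in current]
    by_hash = sorted(p for p in common if baseline[p][0] != current[p][0])
    by_mtime = sorted(p for p in common if baseline[p][1] != current[p][1])
    added = sorted(p for p in current if p not in baseline)
    return by_hash, by_mtime, added


def demo():
    """Constructed scenario: one file altered with its old mtime put back, one file added."""
    with tempfile.TemporaryDirectory() as root:
        index = os.path.join(root, "index.php")
        with open(index, "w") as fh:
            fh.write("<?php echo 'hello'; ?>\n")
        baseline = snapshot(root)
        before = os.stat(index)
        with open(index, "a") as fh:
            fh.write("<?php /* constructed stand-in for an unwanted change */ ?>\n")
        # Restore the original timestamps, so an mtime comparison sees nothing.
        os.utime(index, ns=(before.st_atime_ns, before.st_mtime_ns))
        with open(os.path.join(root, "extra.php"), "w") as fh:
            fh.write("<?php /* constructed unexpected file */ ?>\n")
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    by_hash, by_mtime, added = demo()
    print("changed by hash: ", by_hash)
    print("changed by mtime:", by_mtime)
    print("added files:     ", added)
```

A baseline is only useful if it is stored somewhere the web server's processes cannot write to.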