Rogi has pointed out this thread on the WordPress support forums which makes mention of a few instances where  multiple sites were hit by the same IP as per their access logs, at exactly the same time that their header files were changed.

Might be worth blocking the offending IP range 87.118.120.x until this gets sorted.
However, if the offender changes IP, or shares his script with the world this will be not much more than a false sense of security…

If you choose to filter the IP block, you can do so in your .htaccess file by adding the following lines to the end of the file:

order allow,deny
deny from 87.118.120.
allow from all

Update: This site has some good information regarding this exploit, and mentions:

… It appears that the exploit is fixed in versions of WordPress beyond 2.6.5, but that the WP Super Cache plug-in continues to allow the exploit somehow.

Also of note,  photocritic.org recommends the following for hardening your WordPress installs :

If you’re affected by this, fix the issue, and then read Hardening WordPress and Did your WordPress Site get Hacked – both of which give a lot of starting points for research into how you can stop this happening again.

Going to take a look at this myself….