After some investigation with help from a couple of very useful people (thanks, chays, Ryan, and Donncha), we've determined that the files I found on my server were placed there as a result of the WordPress 2.3.2 vulnerability, even though my site had been updated to 2.3.3.
To make a long story short, if your site was affected by the 2.3.2 vulnerability, you must change your admin passwords. While the attackers can't get the actual password, they can continue to login as admin ever after you upgrade to 2.3.3. That's because the cookie they received when exploiting the hole in 2.3.2 will still work in 2.3.3 -- unless you change your password.
In everything I read about the 2.3.2 exploit, I didn't see anything about the passwords being exposed, so I didn't change it when I upgraded to 2.3.3. Lesson learned...