You can't rely on datetime stamps as the hackers are using backdoor shell scripts that provide them with the ability to "touch" the files with a certain date and therefore make all the files the same datetime or to set them to a specific datetime.
You undoubtedly have a backdoor shell script on your site. This gives the hackers remote control of your site without needing any passwords, or leaving any clues in log files other than the access.log which many people don't look at anyway.
Some strings you can look for in .php files are:
Sorry I can't be more specific, but those are the most common strings we find in the hacker's backdoors.
The typical scenario is that the hackers gain access to a website via stolen FTP password, then place various backdoors on the site to provide them with access even after the FTP password has been changed. They also frequently change file and folder permissions to 777 which are another area very few people check - until after they've been hacked.