If you don't know how you got infected in the first place, then my guess would be the resurrection is coming from you getting hit by the same vulnerability scanner that hit you the first time round - if this is the case, following @scrollup's advice to compare file timestamps to web traffic should find you the vulnerable script, as well as giving you some good IPs to block from your site.

In my experience, at least when targeting Apache, page-modifying scripts will target a very specific subset of the folders on your machine: those that they can find in your /etc/httpd/conf/httpd.conf folder. I had some other web folders defined in included files, but the script that searched for the folders to inject was clearly only interested in grepping the folders from the one file.

So, see if there's anything significantly different in your Apache config between those sites that were impacted, and those that were not. It may give you a good approach to protect most of your sites from it in future, while leaving one "canary" or "honeypot" site that you can monitor for recurrences.