PHP.net Compromise - Tracking Changes
I won’t rehash the details of the compromise (follow the link for that), but the important piece for me was this:
While it is fantastic to successfully block attacks, everyone gets compromised at some point, which is why I believe it is critical to develop the capability to rapidly detect, respond to, and contain those compromises. Finding out you’re compromised from a search company (Google) and third parties is not ideal.
I like to learn from incidents, and a lesson from this incident that would aid in detecting the compromise quickly would be to track and review all changes to website files or database entries.