These usually get in through old CMS software that was never updated. If you find these in an account, it's usually safe to say that person either had a really weak password for their CMS (WordPress, Joomla, etc.), or they were running an old version of one of those software packages with bad/old components.
A couple things that help these to not get in, and also help cripple their functionality:
Use a good mod_security ruleset. I recommend either Atomicorp ("gotroot") or Trustwave's managed rules.
For server security, I would like to suggest using CageFS. According to CloudLinux, CageFS “is a virtualized file system and a set of tools to contain each user in its own ‘cage’. Each customer will have its own fully functional CageFS, with all the system files, tools, etc”.