These usually get in through old CMS software that was never updated. If you find these in an account it's usually safe to say that person either had a really weak password for their CMS (WordPress, Joomla, etc.), or they were running an old version of one of those packages with bad/old components.
A couple of things that help stop these from getting in, and also help cripple their functionality:
Use a good mod_security ruleset. I recommend either atomicorp ("gotroot") or Trustwave's managed rules.
Disable these functions in php.ini (allow_url_fopen is an ini directive rather than a function, so it is switched off on its own line instead of being listed in disable_functions, where it has no effect):
disable_functions = shell_exec,show_source,system,passthru,exec,phpinfo,popen,proc_open,ini_set
allow_url_fopen = Off
(some hackers may place their own php.ini to bypass this, but many shells will not work well with shell_exec and passthru disabled.)
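A quick way to verify that the hardening above actually took effect on a given server, as an added example that is not part of the original post: the script below reads the live configuration that PHP loaded (which may not be the php.ini you edited, especially on CGI/suPHP setups where a per-directory php.ini can be picked up) and reports any of the recommended functions that are still callable, plus the state of allow_url_fopen and allow_url_include. The function list is taken from the post; note that allow_url_fopen is an ini directive, not a function, so it is checked via ini_get() rather than disable_functions. The script name and where you run it are your choice.

```php
<?php
// Added example, not part of the original post: audit the running PHP
// configuration against the disable_functions hardening suggested above.
// Run it with `php audit.php` under the same SAPI/config the web server uses,
// or place it in a web root temporarily and remove it afterwards.

// Functions the post recommends disabling. allow_url_fopen is an ini
// directive, not a function, so it is handled separately in audit_ini().
$wanted_disabled = ['shell_exec', 'show_source', 'system', 'passthru', 'exec',
                    'phpinfo', 'popen', 'proc_open', 'ini_set'];

/**
 * Return the subset of $wanted that is still callable in this process.
 * Both the disable_functions list and function_exists() are consulted:
 * function_exists() returns false for disabled functions, so a name that
 * is absent from the list but also fails function_exists() is not reported.
 */
function audit_disabled_functions(array $wanted): array
{
    $listed = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $still_enabled = [];
    foreach ($wanted as $fn) {
        if (!in_array($fn, $listed, true) && function_exists($fn)) {
            $still_enabled[] = $fn;
        }
    }
    return $still_enabled;
}

/**
 * Check the URL-wrapper directives that let include/fopen reach remote hosts.
 * ini_get() returns strings such as "1", "", "On" or "Off"; FILTER_VALIDATE_BOOLEAN
 * normalises all of them.
 */
function audit_ini(): array
{
    $findings = [];
    foreach (['allow_url_fopen', 'allow_url_include'] as $directive) {
        if (filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$directive is On";
        }
    }
    return $findings;
}

// Show which configuration files were actually loaded, so a stray per-directory
// php.ini (the bypass mentioned in the post) is visible in the report.
echo "Loaded php.ini:        " . (php_ini_loaded_file() ?: '(none)') . PHP_EOL;
echo "Additional .ini files: " . (php_ini_scanned_files() ?: '(none)') . PHP_EOL;
echo "SAPI:                  " . PHP_SAPI . PHP_EOL . PHP_EOL;

$enabled = audit_disabled_functions($wanted_disabled);
$ini     = audit_ini();

if ($enabled === [] && $ini === []) {
    echo "OK: all recommended functions are disabled and URL wrappers are off." . PHP_EOL;
    exit(0);
}

foreach ($enabled as $fn) {
    echo "WARNING: $fn is still callable; add it to disable_functions" . PHP_EOL;
}
foreach ($ini as $finding) {
    echo "WARNING: $finding; set it to Off in php.ini" . PHP_EOL;
}
exit(1);
```

disable_functions is a PHP_INI_SYSTEM directive, so neither ini_set() nor .htaccess can re-enable a function at runtime; the only way round it is a php.ini that PHP actually loads, which is why the report prints php_ini_loaded_file() and php_ini_scanned_files() first. If the CLI and the web SAPI use different php.ini files, run the audit through the web server as well, since that is the configuration a dropped shell would execute under.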