PHP rootkits are a possible attack vector that server administrators need to take into consideration (source: Developer Creates Rootkit That Hides in PHP Server Modules). To detect and recover from such attacks:

  • Keep a list of the PHP module hashes (SHA256 or better) immediately after installing PHP, so that you can later detect whether any module has been modified or replaced. Then add a cron job that hashes all files in the extension directory and compares them to the stored baseline hashes, regenerating the baseline only after a legitimate PHP update.
  • To clean up a compromised system, after the forensic investigation has been completed, build a new, clean environment and migrate data over from a trusted backup rather than trying to remove the rootkit in place.