Basically hackers uploading the hacking script under the server insecure partition, so that hacking script easily executed server side and user can’t understand where hacking script is actually.To secure the server make sure that partition not having execution permission.Once in every week monitor the following partition and remove the files which is seems to be hacking file.
/tmp
/dev/shm
/usr/local/apache/proxy
/usr/local/flash