You could also try installing snoopy, which logs all commands executed by users to auth.log. Then look for unusual commands executed by user "www-data" if you suspect insecure PHP scripts etc.
Cheers, Richard -- __ _ |_) /| Richard Atterer | GnuPG key: | \/¯| http://atterer.net | 0x888354F7 ¯ '` ¯
