Sorry, I forgot to mention "maldet" scans which will find (and destroy/quarantine) malware but I've found that it needs to be installed by the host (apparently, it's very powerful so the host was reluctant to allow clients to do the install and setup the CRON to run it (on a daily basis). However, if you have a good host, they will do that for you and you'll have malware on your server identified in time to stem the tidal flow of SPAM.
On an account-by-account basis, I also run a CRON script (PHP) which takes hashes of my ("infectable") files and stores them in a database. This script will then e-mail me on a daily basis that no files were changed or the list of files added, altered or deleted. I wrote an article for SitePoint with the code (but download the zip file for the latest code and article updates) and check in the Web Security board for more on similar topics.