Hi David,
Are you sure the .php files are being removed by a malicious actor? Are there log entries or other traces that indicate an exposure to an exploit? To remove files from a system would leave traces of activity, even remotely, and subsequent tampering to cover it up is usually clumsily executed and easily identified.
It would depend also on your specific PHP version, but you could install Suhosin to log any out-of-band activity. If you think a malicious actor is deleting files, check also your database links for insertion attacks or other indications of attempted tampering. I suspect an in-house error such as a bad day for someone, or a rogue cron job, perhaps, or if you are exposed to the ext4 corruption bug on Linux, look there.
Without more information, I always assume a more local problem first, as opposed to intrusion etc.
--
rachel polanskis
IT Consulting, UNIX & Macintosh
Greater Western Sydney
<gr...@exemail.com.au>