Exploited scripts are uploading crap to /tmp

Aside from hardening /tmp what is the best way to find exploited .phps ?