I don't have .PHP in use.
My log processing program separates unknown bots from known bots who I haven't banned (such as google, yahoo, picsearch, etc)
and from legitimate traffic based on characteristics.
From this I found several recent .PHP hack attacks from all over.
Inspired by various posters I've since created the directories the hack attacks tried to find (various creative variations on php progs and others)
then took large meaningless files and renamed them main.php.
While I've banned the original ranges they came from,
if they repeat from another server, they'll get a mouthful of fur to choke on.
to quote a current movie,
off with their heads, screamed the red queen!