phpShells

Thursday, 08 May 2008 08:18

One of the biggest pains in my life is the recent plague of phpShells scripts all over the Net. The phpShells scripts allow for three main features:

Finding these scripts can be slightly difficult if the server already has a mix of random open source and commercial PHP applications on it. Some PHP applications permit remote upgrade and execution, so they typically look like phpShell scripts. If it were up to me, these PHP applications would be completely removed and never used, but most allow for ease of deployment, so they are very attractive to webmasters and customers who don't have a lot of technical resources at their disposal. I'll go into detail another time describing some of my techniques for finding these nasty things.

What kind of damage do the scripts do? The main problem that I have found is the remote execution of code. Since the code is typically executed by a non-privileged user (apache, httpd, nobody), no major damage to the server can happen. However, many of these scripts and applications either permit back doors or are used for attacking remote computers. Business owners typically see a trend of increased bandwidth usage when these types of backdoor applications are installed. Server administrators typically find increased load at certain times of the day, which can in turn cause performance problems for applications running on the server.
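An added example, not code from the original post: one way to deal with the false-positive problem described above is to skip PHP files that still match hashes recorded from a clean install, and only then flag files where command-execution calls sit alongside request input. The `scan` and `demo` names, the baseline format and the sample files are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# PHP built-ins that run OS commands or evaluate code.
EXEC_CALL = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval)\s*\(", re.I)
# Superglobals that carry client-controlled request data.
REQUEST_INPUT = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def scan(webroot, known_good):
    """Return {relative_path: [reasons]} for PHP files needing manual review.

    known_good (assumed format) maps relative path -> SHA-256 taken from a
    clean install, so unmodified vendor code that executes commands is skipped.
    """
    findings, root = {}, Path(webroot)
    for path in sorted(root.rglob("*.php")):
        rel = path.relative_to(root).as_posix()
        if known_good.get(rel) == sha256(path):
            continue  # byte-identical to the vendor's file
        text = path.read_text(encoding="utf-8", errors="replace")
        reasons = ["modified since baseline"] if rel in known_good else []
        calls = sorted({m.group(1).lower() for m in EXEC_CALL.finditer(text)})
        if calls and REQUEST_INPUT.search(text):
            reasons.append("request input with " + ", ".join(calls))
        if reasons:
            findings[rel] = reasons
    return findings

def demo():
    """Constructed web root: a vendor updater plus one unknown uploaded script."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "app").mkdir()
        (root / "uploads").mkdir()
        updater = root / "app" / "upgrade.php"
        updater.write_text("<?php exec('tar xf ' . escapeshellarg($_POST['pkg']));")
        baseline = {"app/upgrade.php": sha256(updater)}
        (root / "uploads" / "img.php").write_text("<?php system($_GET['c']);")
        return scan(root, baseline)

if __name__ == "__main__":
    print(demo())
```

A hit is a lead for manual review rather than a verdict, and scripts that obfuscate the call or the input will not match these patterns.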