On behalf of the APWG Internet Policy Committee, I've prepared a report based on information submitted by victims of web site compromise attacks, where the victims' sites were subsequently used to host phishing pages.
Selected quotes from the press release will give you a sense of what you'll find in the report:
"attackers confidently exploit legitimate websites with the same methods and that they succeed because victims are not implementing recommended best practices, countermeasures and responses."
"The survey results indicate that LAMP - Linux, Apache, MySQL, PHP - remains the most frequently targeted hosting environment. However, closer examination of the responses reveals that attackers most frequently leave PHP shell code (i.e., a backdoor written in the PHP scripting language), phishing kits (web pages or scripts that are used to execute the phishing attack itself), or a mechanism to send email to animate a phishing attack. "
"The majority of victims continue to report that they were unaware that their website had been compromised until an external party notified them."The report can be downloaded here.