A notify system for such worms via FTP has just been implemented in Protector-3.50.
It checks mtime of XOOPS_ROOT_PATH and mtime/inode of XOOPS_ROOT_PATH/index.php
It works like a noisemaker in banks.
Though it cannot protect any manipulation of your site, you can avoid to scattering such worms from your site by the notifying mail.
Of course, the first priority must be "Keeping the client secure from such worm".
And it might be better "Watching sites by each other" than "Watching a site by myself" if we implement an observing system for servers.