An article by Emil Protalinski of ZDNet discusses a recent survey of approximately 600 website owners and administrators whose sites had been compromised.
Here is a summary of the findings:
- 90% didn't notice any strange activity, despite the fact their sites were being abused to send spam, host phishing pages, or distribute malware
- 63% of site owners don't even know how they were hacked
- 26% had not yet figured out how to resolve the problem at the time they completed the survey
- 20% of those attacks were due to out-of-date software
- Approximately 50% only discovered the attack when they attempted to visit their own site and received a browser or search engine warning
The article also has a nice flow chart of how/why attacks occur. Here is a link to the full article.
This is why you should have someone test your site and tell you where you are vulnerable, instead of a hacker doing it maliciously.
While a Web Penetration Test does not guarantee your site is 100% safe, it certainly closes holes and makes you aware of where you are potentially vulnerable.
Another piece of advice: always monitor and keep backups of your logs!