These commands can be used to find files with matching code that could be possible hacked files.
find . -type f -name '*.php' | xargs grep -l "eval" --color or find . -type f -name '*.php' | xargs grep -l "eval *(" --color or find . -type f -name '*.php' | xargs grep -l "eval *("\\" --color find . -type f -name '*.php' | xargs grep -l "hex2bin" --color Another php function that you could look for as well is str_rot13 find . -type f -name '*.php' | xargs grep -l "preg_replace *("\\" --color find . -type f -name '*.php' | xargs grep -l "base64_decode *(" --color find . -type f -name '*.php' | xargs grep -l "gzinflate *(" --color find . -type f -name '*.php' | xargs grep -l "eval *(str_rot13 *(base64_decode *(" --color //the following find echos the line found in the search find . -name "*.php" -exec grep -H "*search content here*" {} ; find . -name "*.php" -exec grep -H "eval(" {} ; find . -name "*.php" -exec grep -H "str_replace *(" {} ; //These are a couple that may return more false positives but it is sometimes better to get them then not. _REQUEST is often used but it is also often used in regular programming so this one will give you a lot of false positives. The display errors 0 is something they use to try to hide the errors so not too many people would use this. find . -name "*.php" -exec grep -H "_REQUEST" {} ; find . -name "*.php" -exec grep -H "ini_set("display_errors", *0);" {} ;