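# Triage helper: list files that may be attacker-dropped PHP (web shells).
# Requires GNU find/grep/xargs (uses grep -P, xargs -r and xargs -d).
# Run it from a working directory the web server account cannot write to, so
# the result lists cannot be tampered with or land inside the scanned trees.
# String matching is a heuristic: every hit needs manual review, and an empty
# result does not prove the tree is clean (obfuscated code avoids these words).

# Account the web server runs as, and the tree to scan. "apache" is the
# RHEL/CentOS default; Debian/Ubuntu use "www-data". Override via environment.
web_user="${WEB_USER:-apache}"
web_root="${WEB_ROOT:-/var/www}"

# PHP open tags: "<?php", "<?=", or a short "<?" that is not an XML prolog.
# The negative lookahead is PCRE syntax, so this pattern must be used with
# grep -P; egrep/grep -E does not implement (?!...).
php_tag_re='<\?php|<\?=|<\?(?![[:space:]]*xml)'

# Calls commonly used to unpack or run obfuscated payloads. [[:space:]]* also
# catches a tab or several blanks between the function name and the "(".
dodgy_call_re='(eval|base64_decode|gzinflate|str_rot13|hex2bin)[[:space:]]*\('

# Find all PHP files owned by the web server account. Application code is
# normally owned by a deploy user, so server-owned .php files deserve a look.
find "$web_root" -user "$web_user" -type f -name '*.php' > suspicious_files.txt

# Find all non-binary files owned by the web server account that are not named
# .php but contain PHP parser tags (covers .phtml, .php5, images with appended
# code, ...). NUL-delimited hand-off keeps odd file names intact, and -r stops
# grep from running at all when find returns nothing.
find "$web_root" -user "$web_user" -type f -not -name '*.php' -print0 \
  | xargs -0 -r grep -ilIP -- "$php_tag_re" > suspicious_files2.txt

# Find all files containing PHP parser tags in the global tmp folder. Other
# world-writable locations (for example /var/tmp and /dev/shm) are worth the
# same scan.
grep -ilIrP -- "$php_tag_re" /tmp > suspicious_files3.txt

# You can inspect all the collected files for certain strings to find
# potentially dodgy code. Yes, they often contain the word hack!
cat suspicious_files.txt suspicious_files2.txt suspicious_files3.txt \
  > suspicious_files_all.txt

# The lists hold one path per line. Reading them with xargs -d '\n' instead of
# an unquoted $(cat ...) keeps paths with spaces, quotes or glob characters in
# one piece. A path containing a newline still splits and shows up as a
# "No such file" error, which is itself worth investigating.
xargs -r -d '\n' grep -il -- 'hack' < suspicious_files_all.txt

# Search for a few potentially dodgy function calls at once.
xargs -r -d '\n' grep -ilE -- "$dodgy_call_re" < suspicious_files_all.txt

# Remove the "l" option to view the matched lines in the file (-n adds line
# numbers). Replace the placeholder path with a file from the lists above.
grep -in --color -- 'hack' path/to/file.php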