$ find /site/* -type f -name "*.php" |xargs grep "eval"
$ find /site/* -type f -name "*.php" |xargs grep "base64_decode"
$ find /site/* -type f -name "*.php" |xargs grep "@$"
$ find /www/ -name "*.php" |xargs egrep 'assert|phpspy|c99sh|milw0rm|eval|\(gunerpress|\(base64_decoolcode|spider_bc|shell_exec|passthru|\(\$\_\POST\[|eval \(str_rot13|\.chr\(|\$\{\"\_P|eval\(\$\_R|file_put_contents\(\.\*\$\_|base64_decode'
$ find ./ -mtime 0 -name "*.php"
$ vim /etc/audit/audit.rules
-a exclude,always -F msgtype=CONFIG_CHANGE
-a exit,always -F arch=b64 -F uid=48 -S execve -k webshell