Find PHP Backdoor / Webshell



This is the command I use to look for backdoors or webshells, and it works all the time.

#!/bin/sh

# Usage: $0 <dir-to-scan> <report-name>
# Recursively greps <dir-to-scan> for calls and strings common in PHP backdoors/webshells.
# The pattern is built in pieces so no stray spaces end up inside the alternation.
p="file_get_contents|file|eval|base64_decode|base64_encode"
p="$p|gzdecode|gzdeflate|gzuncompress|gzcompress|readgzfile|zlib_decode"
p="$p|zlib_encode|gzfile|gzget|gz|passthru|iframe|strrev|r0nin|m0rtix"
p="$p|upl0ad|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview"
p="$p|directmail|bash_history|multiviews|cwings|vandal|bitchx|eggdrop"
p="$p|guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58"
p="$p|Webshell|str_rot13|FilesMan|FilesTools|WebShell|ifrm|bckdrprm"
p="$p|hackmeplz|wrgggthhd|WSOsetcookie|Hmei7|InboxMassMailer|HackTeam"
p="$p|Hackeado|passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir"
p="$p|fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab"

# Match any of the names followed by optional spaces and "(", with file name and line number.
grep -RPn "($p) *\(" "$1" > "/root/web_logs/$2"
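The pattern also matches ordinary calls such as fopen( or mkdir(, so the report can be long. As an added example (not part of the original post), this triage step ranks the files in a `grep -n` report so the likeliest webshells come first; the function names, weights and sample lines are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: rank files from a grep -n report (path:lineno:text).
# Weights are illustrative: exec sink 1, decoder/obfuscation 1,
# known shell string 2, decoder nested directly inside eval() 2.

# Constructed sample report; paths and contents are made up.
sample_report() {
cat <<'EOF'
/var/www/site/wp-includes/load.php:12:$h = fopen($file, "r");
/var/www/site/wp-includes/load.php:40:$ok = init_filesystem($path);
/var/www/site/uploads/img.php:1:<?php eval(base64_decode($payload));
/var/www/site/cache/tmp.php:3:$f = strrev("edoced_46esab");
/var/www/site/cache/tmp.php:9:$default_action = "FilesMan";
/var/www/site/admin/info.php:2:phpinfo();
EOF
}

# rank_hits REPORT -> prints "score path", highest score first
rank_hits() {
    awk '
    {
        # Split path:lineno:text (assumes the path has no colon in it)
        i = index($0, ":"); path = substr($0, 1, i - 1)
        rest = substr($0, i + 1); text = substr(rest, index(rest, ":") + 1)
        seen[path] = 1
        # Exec sinks, only as whole names: init_filesystem( must not count
        if (text ~ /(^|[^A-Za-z0-9_])(eval|system|shell_exec|passthru) *\(/)
            ex[path] = 1
        # Decoders and the reversed "base64_decode" obfuscation string
        if (text ~ /(base64_decode|gzuncompress|gzdecode|str_rot13|strrev) *\(/ ||
            text ~ /edoced_46esab/)
            dec[path] = 1
        # Strings taken from the signature list in the post
        if (text ~ /FilesMan|c99shell|r57shell|WSOsetcookie/)
            sig[path] = 2
        # Decoder output fed straight into eval on one line
        if (text ~ /eval *\( *(base64_decode|gzuncompress|str_rot13|strrev) *\(/)
            chain[path] = 2
    }
    END {
        for (p in seen) print ex[p] + dec[p] + sig[p] + chain[p], p
    }' "$1" | sort -k1,1nr -k2
}

# Demo run on the constructed sample
tmp=$(mktemp) && sample_report > "$tmp" && rank_hits "$tmp"
rm -f "$tmp"
```

On a real scan, pass the report file written by the grep command to rank_hits and review the highest-scoring files first.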



Any thoughts?
