This is the command I use looking for backdoors or webshells and it works all the time.
#!/bin/sh grep -RPn "(file_get_contents|file|eval|base64_decode|base64_encode| \ gzdecode|gzdeflate|gzuncompress|gzcompress|readgzfile|zlib_decode| \ zlib_encode|gzfile|gzget|gz|passthru|iframe|strrev|r0nin|m0rtix| \ upl0ad|r57shell|c99shell|shellbot|phpshell|void\.ru|phpremoteview| \ directmail|bash_history|multiviews|cwings|vandal|bitchx|eggdrop| \ guardservices|psybnc|dalnet|undernet|vulnscan|spymeta|raslan58| \ Webshell|str_rot13|FilesMan|FilesTools|WebShell|ifrm|bckdrprm| \ hackmeplz|wrgggthhd|WSOsetcookie|Hmei7|InboxMassMailer|HackTeam| \ Hackeado|passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir| \ fopen|fclose|readfile|php_uname|eval|tcpflood|udpflood|edoced_46esab) \ *\(" $1 > /root/web_logs/$2