How to find files that have had a script injected

Check whether any PHP files have been edited or changed during the past 7 days.

find . -type f -name '*.php' -mtime -7

Search the files for these strings, which can indicate a hack attempt:

v3c6e0b8a
eval
base64_decode
gzinflate
str_rot13

find . -type f -name '*.php' -print0 | xargs -0 grep -l "v3c6e0b8a" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "eval *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "base64_decode *(" --color
find . -type f -name '*.php' -print0 | xargs -0 grep -l "gzinflate *(" --color

If you remove the -l option from grep, it will show the matching text from each file instead of only the file name. I like to take this a step further and look for the above functions used in combination, which is very common.

In the patterns above, the blank space followed by a * matches zero or more spaces.
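
One way to look for the functions above in combination, as an added example that is not part of the original note: it counts how many distinct indicator functions each PHP file contains and lists the files with two or more. The function names (count_indicators, scan_combined, make_demo_tree) and the str_rot13 pattern are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): rank PHP files by how many
# of the page's indicator functions they contain.

# One grep pattern per line. The first three are the page's own patterns;
# the str_rot13 line is an assumption that follows the same form.
PATTERNS='eval *(
base64_decode *(
gzinflate *(
str_rot13 *('

# count_indicators FILE -> prints the number of distinct patterns in FILE
count_indicators() {
    n=0
    while IFS= read -r p; do
        if grep -q -- "$p" "$1"; then n=$((n + 1)); fi
    done <<EOF
$PATTERNS
EOF
    echo "$n"
}

# scan_combined DIR [MIN] -> prints "COUNT<TAB>PATH" for every *.php file
# under DIR with at least MIN (default 2) distinct indicators.
# Paths with spaces are handled; paths containing newlines are not.
scan_combined() {
    min=${2:-2}
    find "$1" -type f -name '*.php' | while IFS= read -r f; do
        c=$(count_indicators "$f")
        if [ "$c" -ge "$min" ]; then printf '%s\t%s\n' "$c" "$f"; fi
    done
}

# make_demo_tree DIR -> writes three constructed sample files for a dry run
# (harmless text, not real malware).
make_demo_tree() {
    mkdir -p "$1/sub dir"
    printf '%s\n' '<?php echo "hello"; ?>' > "$1/clean.php"
    printf '%s\n' '<?php $img = base64_decode($row["data"]); ?>' > "$1/one hit.php"
    printf '%s\n' '<?php eval (gzinflate(base64_decode("CONSTRUCTED"))); ?>' \
        > "$1/sub dir/packed.php"
}
```

After sourcing the script, run scan_combined /path/to/webroot; each listed file is a candidate for manual review, since every one of these functions also has legitimate uses.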