To identify potential backdoors, check your files for these PHP functions:
preg_replace (with /e/)
Use the following SSH command to detect any hacked files located within your directories:
find . -type f -name '*.php' | xargs egrep -i "(mail|fsockopen|pfsockopen|stream\_socket\_client|exec|system|passthru|eval|base64_decode) *("
The following command will locate image files with backdoor functions:
find wp-content/uploads -type f -iname '*.jpg' | xargs grep -i php
Lastly, use the command below to locate infected iframes:
find . -type f -name '*.php'| grep -i '<iframe'