Sample text searches for suspicious PHP code

1	grep -Rn "mkdir *(" public_html/

Or

1	grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/