Looking at a Joomla site with a lurg, used a few find commands to try quickly weed out the mucky code, ran these and used my eyes:
find path/to/directory -type f -name "*.php" -mtime 5 -print0
find path/to/directory -type f -name "*.php" -print0|xargs -0 grep "$GLOBALS[" |cut -d":" -f1 |uniq
find path/to/directory -type f -name "*.php" -print0| xargs -0 grep "base64_decode"|cut -d":" -f1 |uniq
find path/to/directory -type f -name "*.php" -print0| xargs -0 grep "eval"|cut -d":" -f1 |uniq
Probably a much better way like, just because files contain base64 or globals doesn’t mean they’re bad!
Erm, just to get a quick list to look through I used
find path/to/directory -type f -name "*.php" -print0 | xargs -0 grep "base64_decode" |cut -d':' -f1 |uniq