Scan a Wordpress install for injected code. (And no I don't run Wordpress... this is for a friend)

check.php

<?php $start = microtime();

// increase memory limit
ini_set('memory_limit', '128M');

// no time limit
set_time_limit(0);

$affected_files = array();

/**
 * Scan Recursive
 *
 * Recursively scan a folder
 *
 * @param   string  $str    The path to scan
 * @return  bool
 */
function _scan_recursive($str, &$affected_files)
{
    if (is_file($str) and strpos($str, '.php') !== false) {
        _check_file($str, &$affected_files);
    } elseif (is_dir($str)) {
        $scan = glob(rtrim($str,'/').'/*');

        foreach ($scan as $path) {
            _scan_recursive($path, &$affected_files);
        }
    }
}

/**
 * File check
 *
 * parse a file for malicious code
 *
 * @param   string  $str    The file to scan
 * @return  bool
 */
function _check_file($file, &$affected_files)
{
    $fh = fopen($file, 'r');
    $text = fread($fh, filesize($file));
    fclose($fh);

    /*
        Set the strings you are looking for here
    */
    foreach (array('eval', 'base64') as $needle) {
        if (strpos($text, $needle) !== false) {
            array_push($affected_files, $file);
        }
    }
}

_scan_recursive('./', &$affected_files);

if ($affected_files) {
    echo implode("\r\n", $affected_files);

    // mail('hello@example.com', 
    //     'Infected files found on '.$_SERVER['SERVER_NAME'], 
    //     implode("\r\n", $affected_files));
}
echo (microtime() - $start);