find /var/www/site/ -newer /var/www/site/index.php -type f | head -50
find /var/www/site/ -name "*.php" | xargs grep -l "base64_decode\|eval\|gzinflate"
apt install clamav -y && freshclam && clamscan -r --infected /var/www/site/Restoring from a clean backup is more reliable than manual cleanup. One missed infected file will cause re-infection within days.