Cheers for the help guys, we also had the same problem.
I also found the following command showed up a few nastys (find all php files using the eval command).
find . -name “*.php” -exec grep -H “eval(” {} \;
It easy to spot the hacker scripts as they all look like this:
eval($p38d[$GLOBALS[‘y110d20’][21]]);
