<?php
function scanDirForBackdoor($dir) {
    $patterns = [
        'eval(',
        'base64_decode(',
        'gzinflate(',
        'str_rot13(',
        'shell_exec(',
        'system(',
        'exec(',
        'passthru(',
        'popen(',
        'proc_open(',
        'preg_replace(',
        'curl_exec(',
        'file_get_contents("http'
    ];
    
    $rii = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));

    foreach ($rii as $file) {
        if ($file->isDir()) continue;
        if (pathinfo($file, PATHINFO_EXTENSION) !== 'php') continue;

        $content = file_get_contents($file->getPathname());
        foreach ($patterns as $p) {
            if (stripos($content, $p) !== false) {
                echo "[!] Suspicious code in: " . $file->getPathname() . " | Pattern: $p\n";
            }
        }
    }
}

scanDirForBackdoor("/var/www/html/ojs");