by JoachimSchipper 5617 days ago
I'd try to get older backups from the host and diff them; hopefully someone has at least one clean backup that you can try bringing up to date.

Otherwise, you can try grepping for known bad stuff (base64, if the attackers like encoding their stuff in that), but it's very hard to recover if the attacker is good. Fortunately, most of them are not; but take a look at, say, the Obfuscated C contest for some "inspiration".

Oh, and you may want to figure out how the hack happened, too. I'm not too familiar with software for this kind of thing, but I seem to recall that RATS (https://www.fortify.com/ssa-elements/threat-intelligence/rat... ?) has a PHP mode.