A few handy commands to cut to the chase and find the crap spammers/skiddies have added to a WP install:
Find files containing text recursively:
grep -ri "string to search" .
A good use of this is to search for the below. It can return false positives, but finds a function commonly used to obsfucate code:
grep -ri "base64_decode" .
Diff two installations. If you have a clean copy of WP, you can compare it to a compromised version to find the differences. Here I am excluding the error_log file, and sending the output to diff.txt for review:
diff --exclude "*error_log*" -r /path/to/wp /path/to/other/wp > diff.txt
Find php files (and other filetypes that should not be present in the uploads directory. This is typically one if the first places things are placed:
find /wp-content/uploads -name "*.php" -type f
Grep the DB. Sometimes things get hidden in the database in an effort to hide malware. Considering that a WordPress database is tiny in the grand scheme of things, a simple way to quickly review what is in the database is to use mysqldump, phpmyadmin or whatever tool you would like to export the entire database to SQL. Then you can review the contents easily. Be on the lookout for base64 encoded strings, they are a good giveaway.
Find recently modified PHP files:
find . -name \*.php -mtime -2