Look for eval() , base64_decode() , or str_rot13() functions in functions.php or header files. These are often used to hide backdoors.
.png)