1- This code starts searching from / if no argument is passed on the command line. For speed, you may want to change this default to the location of your Apache document root instead.
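#!/usr/bin/env bash
# Identifies likely instances of the c99Shell PHP trojan within PHP files.
#
# Usage: <script> [START_DIR]
#   START_DIR  directory to search; defaults to / (slow, so pass the web root).
#
# Output: one path per line for every *.php file whose contents include the
# string "C99Shell" (case-insensitive), framed by a start and an end message.
#
# Limits: this is a plain string match on files named *.php. A hit is a lead
# to investigate, not proof of compromise (scanner signature lists contain the
# same string), and an empty result does not mean the tree is clean: a copy
# with the banner text removed or encoded, or stored under another extension,
# is not reported.
FIND_LOC=${1:-/} # Root the find at the directory given as argument, or default to /
printf 'Starting search from %s...\n' "$FIND_LOC"

# find parses any argument with a leading "-" as part of its expression, so a
# start directory named that way is anchored with "./" to keep it a path.
search_root=$FIND_LOC
case $search_root in
  -*) search_root=./$search_root ;;
esac

# Quoted so a path containing spaces or glob characters stays one argument.
# grep -l prints each matching file name itself, which lets find hand over
# files in batches ("+") instead of starting one grep per file.
find "$search_root" -type f -iname '*.php' -exec grep -li -- 'C99Shell' '{}' +
echo "Complete"
: # clean exit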
2-
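# Lists the PHP files under /var/www/ that contain the string "r57" and prints
# one "rm -rf <path>" line per file. Nothing is deleted here: the output is a
# list of commands for an operator to review.
#
# "r57" is a three-character, case-sensitive substring, so unrelated files can
# match. Inspect every path before running any printed command, and copy and
# hash a suspect file first if it may be needed as evidence.
#
# grep -l reports each matching file once, which replaces the former
# uniq/sort/cut/awk chain; that chain cut paths at the first space or colon
# and lost the file name when only a single file was searched. Names travel
# NUL-delimited and are shell-quoted with %q, so a path with whitespace or a
# newline yields exactly one correctly quoted command.
find /var/www/ -name '*.php' -type f -exec grep -l --null -- 'r57' '{}' + |
  sort -z -u |
  while IFS= read -r -d '' hit; do
    printf 'rm -rf %q\n' "$hit"
  done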