These are useful search strings, whether you are searching one file at a time or all files at once:
iframe : Can quickly discover malicious links, which are often in iframes.
src= : Finds occurrences of iframes and JavaScript because they both use this property. The equals sign might be encoded as = or %3D or %3d. Searching for just src would find all of them.
http:// : Finds references to remote websites.
script language= : Finds occurrences of scripts.
unescape : A JavaScript function often found in malicious code.
eval : Another JavaScript function often found in malicious code.
Make sure all instances of src= and http:// refer to files on your site or to external sites you know and trust.
Some common trusted sites that are not a problem are:
* pagead2.googlesyndication.com (if you use AdSense)
* www.google-analytics.com (Google Analytics). However, make sure it is not gooqle-analytics with the second G really being a Q. That is a spoof/malware site, and not ok. Other look-alikes of the google-analytics name are common, so check the spelling carefully.
