Are there any clamav definition repositories that detect things like PHP shell scripts etc that might be uploaded as part of an exploit of something like Joomla? Or are there other tools that scan the filesystem looking for signs of an exploit?

My google attempts have drawn a blank; there's plenty of external tools for trying to find an exploitable hole, but I'm talking about something to run internally to find evidence that a hole has been exploited, which isn't the same thing.

A definition file for clamav seems the most obvious approach but I'm open to suggestions.

Mark