Quick one this … so you've got a compromised webserver and you want to check the files on it. Many scanning tools will ignore images, but an image might not always be what it seems! Check them all with this command:
find /path/to/dir -regex ".*\.\(jpg\|png\|gif\)" -exec file {} \; | grep -i -v "image data"
If all is good, you won't get any output. If your server is seriously borked, then you might see things like this …
./wp-content/uploads/2011/01/22.jpg: HTML document, ASCII text
This is a flag that the image is in fact a PHP file. Investigate!
If you get this kind of thing,
./wp-content/uploads/2011/01/221.jpg: Minix filesystem, V2, 46909 zones
its probably a bug in an old version of file, so check your OS version, copy the file to a more recent OS and try again.