It is beginners trick, not advised for administrators.
Lot's of tools are available on Linux to find the malware codes injected on server. But most of them not detect the page with url encoded. Because it's php functionality. Mostly of this happens when developer or administrator not aware problem when we providing 777 permissions to pages on web servers. In these cases simple java-script injection will make server to get down.
We can disable this function, urldecode but unfortunately it's bad idea on shared hosting and most of frameworks using url encode and decode. In this case, we can do some manual work for figure-out codes by following commend.
find . -iname '*php' | xargs grep 'urldecode' -sl
This will list the files that have urldecode. We can check page and remove code.