How to spot backdoor addons?

You should look for "RunString", "_G", "http." and all that kind of bullshit before putting anything into your server and getting it infected. Also, you should look very carefully and check sv_ files with more attention to the contains. And, yes, most of the time, the code is obfuscated as fuck.