Despite the great efforts in this thread (it solved my initial inotify troubles), using inotify to monitor malware isn't very useful on bigger installations.
We have about 500 websites per server, and I found it to be impossible to use inotify to watch that many files. It seems /proc/sys/fs/inotify/max_user_watches has an upper limit, so when you set that to an insane limit it is ignored.
From what I found on Google, max_user_watches is a regular int, so max_user_watches is limited to MAX_INT. There are plans to change this to a long, but from what I found that is not yet implemented in recent kernels.
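
Added example (not part of the original post, and not code from any tool discussed in this thread): a shell check that estimates how many inotify watches a recursive watch over a hosting web root would need and compares that with max_user_watches. It assumes one directory per site directly under the web root and that the watcher places one watch per directory; the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: estimate the inotify watch budget for a hosting web root.
# Assumption: one directory per site directly under the web root.

# Print the kernel's current per-user watch limit (0 if it cannot be read).
watch_limit() {
    cat /proc/sys/fs/inotify/max_user_watches 2>/dev/null || echo 0
}

# Count directories under $1; a recursive watch needs one watch per directory.
count_dirs() {
    find "$1" -xdev -type d 2>/dev/null | wc -l | tr -d ' '
}

# watch_budget WEBROOT [LIMIT]
# Prints "<watches_needed> <limit> <sites_that_fit>".
# Returns 0 if everything fits under the limit, 1 otherwise.
watch_budget() {
    local root="$1"
    local limit="${2:-$(watch_limit)}"
    local total=1 fit=0 site n      # total starts at 1 for the web root itself
    for site in "$root"/*/; do
        [ -d "$site" ] || continue
        n=$(count_dirs "$site")
        total=$((total + n))
        # Sites are taken in glob order until the running total passes the limit.
        if [ "$total" -le "$limit" ]; then
            fit=$((fit + 1))
        fi
    done
    echo "$total $limit $fit"
    [ "$total" -le "$limit" ]
}
```

Run it as `watch_budget /path/to/webroot` to use the live kernel limit, or pass a second argument to test a planned limit before changing the sysctl.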