IndoXploit

IndoXploit - hah.php

Seems like a very simple web shell, maybe with code borrowed from WSO.

Origin

Downloaded via a fake PHP interactive spamming tool that my WordPress honey pot captured years ago. Either the original downloader of 823491.php gave away or sold the URL, or bottom feeders look for "dorks" which indicate that search engines have found some other bottom feeder's spamming tool out in the open.

The Internet Protocol address 139.195.26.25 is ultimately registered to:

descr:          PT. First Media,Tbk
descr:          Broadband Internet Service
descr:          Citra Graha Building 4th Floor
descr:          Jl. Gatot Subroto Kav 35-36
descr:          Jakarta - Indonesia

Which makes sense. The code is generously commented with the phrase "IndoXploit", and copyrighted by "http://indoxploit.or.id", which I don't think is valid.

Another Instance

The original IndoXploit got downloaded on 2017-11-27. I got a second one on 2018-04-28, from a different IP address. I got yet another variant on 2018-11-12. This last variant claims to have done a lot of "manual coding", but it appears that amounts to erasing all references to "IndoXploit".