IDBTE4M BOT V87 is a PHP shell that has a rarely good mailer function which is hard to detect because it uses random [email protected] for sending SPAM:

source code:
when accessed publically the IDBTE4M BOT V87 shell gives a blank page, but with a POST request containing the random password, the shell looks like this:
After the wp site was hacked, an email was sent to [email protected] and [email protected] containing the script and random password to access it.
subject:
Linux srvX.XXXXXXXXXX.com 3.10.0-962.3.2.lve1.5.44.3.el7.x86_64 #1 SMP Mon Feb 22 04:35:33 EST 2021 x86_64
body:
IDBTE4M BOT V87 98.126.23.18 http://XXXX.XXXXXXXXXXXXXXXXXXX.com/3index.php?f=/NmRtJOUjAdutReQj/scRjKUhleBpzmTyO.txt /home/XXXXXXXXXX/XXXX.XXXXXXXXXXXXXXXXXXX.co V-9ND7F>AI;q!ztUhbxFU*AXfx_EDQCnl-l2hLCkDDa>NMOq;?$+B!rh|!&_
For removing this IDBTE4M BOT V87 malware and further increasing the security of your WordPress website follow this guide:
Here is a list of all the files that were found by ImunifyAV on this cpanel account: https://github.com/stefanpejcic/wordpress-malware/tree/master/07-02-2022
Make sure not to leave any active processes and cronjobs for the cpanel user:

