The exploit seems to be consistently 28,278 bytes in size, a PHP file named with either two people's named connected by an underscore or an English word connected to a person's name with an underscore. I've found it in root files, and in an images folder in a wiki site and in an uploads folder in a Wordpress site, and in a trunk folder and images folder for survey software I was testing.
If you know how to grep, you can grep for _8b7b as it appears to consistently use that as a variable.
No clue what it's for as it's encrypted. Change your WebID password and your FTP user password to be on the safe side.
You can comment here or at the Dreamwidth crosspost. comments at Dreamwidth.