Spotted, and forked from notes_general_20200810.txt. 

20200811 -JWS
This file looks related.  It showed up tailing the mega log overnight, before a reboot.

   /home/elizabethbenedict/brainwashed.com/elizabethbenedict/xmlrpc.php


   jonwhi5 elizabethbenedict elizabethbenedict.com [10/Aug/2020:20:23:50 -0700] 185.246.65.41 "POST /xmlrpc.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0" "/home/elizabethbenedict/brainwashed.com/elizabethbenedict/xmlrpc.php" 127649
   ^C
   [ps94726]$
   Broadcast message from root@ps94726
           (unknown) at 8:36 ...

   The system is going down for reboot NOW!
   Control-Alt-Delete pressed

   ========================================================================================

   brainwashed@ps94726:~/media.brainwashed.com/elizabethbenedict$ ^C
   brainwashed@ps94726:~/media.brainwashed.com/elizabethbenedict$ date
   Tue Aug 11 09:41:00 PDT 2020
   brainwashed@ps94726:~/media.brainwashed.com/elizabethbenedict$ df -h
   Filesystem      Size  Used Avail Use% Mounted on
   /dev/sdb1       3.6T  2.9T  772G  79% /
   none            128M  760K  128M   1% /tmp
   brainwashed@ps94726:~/media.brainwashed.com/elizabethbenedict$

=====
   Did this, 20200811 202400
  
   su elizabethbenedict
   cd /home/elizabethbenedict/brainwashed.com/elizabethbenedict
   wget https://jwsmythe.com/tools/exploit_logger/exploit_logger.php.txt
   mv xmlrpc.php xmlrpc.20200811.php
   mv exploit_logger.php.txt xmlrpc.php
   vi xmlrpc.php
   # Fix real_page
   
   # Temp phpinfo to get a variable
   vi phpinfo.php
   rm phpinfo.php