It's not enough to find a collision. The problem is finding a collision that has a similar
file size, consists of grammatically valid PHP that looks reasonable to a casual human
inspector, and has the same functionality as the old code (modulo backdoor). AFAIK, doing all
that, especially the part about making the result look reasonable to a casual human reader, is
quite hard. All MD5 collisions I've seen so far were very contrived toy examples.