Use Google Dorks, GitHub code search, or custom crawlers to find exposed instances:

The attacker uses Google Dorks or automated scanners with the query intitle:index.of "eval-stdin.php" .

The keyword is not random gibberish. It is a structured reconnaissance query used to locate one of the most straightforward Remote Code Execution vectors in PHP history.