First, I suggest you take steps to isolate your server from the web, because the door that the hacker used to access your server is probably still open.
Next, we need to determine which files have been hacked.
Regarding the index.php file that you shared, it seems fine to me.
The indentation of every line of code indicates that you are using Moodle <= 2.8.
The presence of the call to "redirect_if_major_upgrade_required()" indicates you are using Moodle >= 2.0.
However, notice that index.php includes config.php. That file, config.php, includes a great number of other files, including all the theme files and Moodle library files. Probably it is one of those secondary files that has been hacked.
The next three files I would check on your Moodle site are as follows:
- config.php
- theme/base/config.php
- theme/YOURTHEME/config.php
Where "YOURTHEME" is the theme that you are using on your Moodle site.
If that search does not reveal anything suspicious, I would try to determine which Moodle files have been recently modified. Depending on what kind of access you have to your server, you may be able to log in via SSH and use the Unix "find" command to find recently modified files.
For example, the following Unix command finds all the files modified in the last 30 days:
find /PATH/TO/MOODLE -type f -mtime -30 -ls
Finally, you should take steps to prevent the hacker coming back. Probably this requires removing write access from everything in the folder containing Moodle scripts.
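The three checks described in the post above (config files to inspect first, recently modified files, and leftover write access), collected into one script. This is an added example, not part of the original post; the function names, the constructed sample tree and the theme name "clean" used in it are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and theme name are placeholders.

# Print which of the three config files named in the post exist under $1 (theme = $2).
priority_files() {
    for f in config.php theme/base/config.php "theme/$2/config.php"; do
        [ -f "$1/$f" ] && printf '%s\n' "$1/$f"
    done
    return 0
}

# Files under $1 modified in the last $2 days (same test as the post's find command).
recent_files() {
    find "$1" -type f -mtime "-$2" -print | sort
}

# Files or directories under $1 that group or others can write to.
writable_paths() {
    find "$1" \( -type f -o -type d \) \( -perm -0020 -o -perm -0002 \) -print | sort
}

# Constructed sample tree for trying the functions offline (not real Moodle code).
make_sample_tree() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/theme/base" "$root/theme/clean" "$root/lib"
    for f in config.php theme/base/config.php theme/clean/config.php lib/old.php; do
        : > "$root/$f"
        chmod 644 "$root/$f"
        touch -t 202001010000 "$root/$f"    # back-dated: looks untouched
    done
    chmod 755 "$root" "$root/theme" "$root/theme/base" "$root/theme/clean" "$root/lib"
    : > "$root/lib/new.php"                  # modified "now"
    chmod 644 "$root/lib/new.php"
    chmod 666 "$root/theme/base/config.php"  # left world-writable
    printf '%s\n' "$root"
}

# Usage: sh triage.sh /PATH/TO/MOODLE YOURTHEME [DAYS]
if [ "$#" -ge 2 ]; then
    echo "== config files to inspect first ==";  priority_files "$1" "$2"
    echo "== modified in last ${3:-30} days =="; recent_files "$1" "${3:-30}"
    echo "== writable by group or others ==";    writable_paths "$1"
fi
```

Modification times can be reset by whoever changed the file, so an empty "recently modified" list does not by itself show that the files are clean.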