Security nightmare


(nation-x) #1

I was running 0.4.5 and somehow the hacker was able to upload a file to my server through piwik.

From my host:

The original backdoor that you saw upon logging in was located at:

/<web_path>/piwik/lang/kr.php

This file was uploaded using a backdoor located at:

/<web_path>/piwik/libs/json/json.php

Unfortunately, I have been unable to determine how the second backdoor was uploaded. I ran a backdoor scan on the DocumentRoot for this domain and it came up empty. In addition, I have started a tcpdump on this server which will help us gather much more forensic evidence in case something like this should happen in the future. Since both of these backdoors were uploaded under the piwik directory, I would suggest checking to make sure you are running the latest version of their software in case any security vulnerabilities have been patched.
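The host's scan looked for known webshell signatures and found nothing; a complementary check is to compare the live install against a hash manifest taken from the pristine release, which surfaces an added file like `lang/kr.php` and a replaced one like `libs/json/json.php` regardless of what they contain. The following is an added example written for this thread, not code from the original post or from Piwik; the directory layout and file contents are constructed for the demo.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """SHA-256 of a file, read in chunks so large files are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest

def audit(root, baseline):
    """Compare a live tree against a baseline manifest.
    Returns (unexpected, modified, missing) as sorted lists of relative paths."""
    live = build_manifest(root)
    unexpected = sorted(p for p in live if p not in baseline)
    modified = sorted(p for p in live if p in baseline and live[p] != baseline[p])
    missing = sorted(p for p in baseline if p not in live)
    return unexpected, modified, missing

def _write(root, rel, text):
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)

def demo():
    """Constructed scenario: a clean install is baselined, then one file is added
    and one shipped file is replaced, mirroring the two paths named in the post."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "lang/en.php", "<?php $translations = array();\n")
        _write(root, "libs/json/json.php", "<?php // original library\n")
        baseline = build_manifest(root)  # would normally come from the pristine release archive
        _write(root, "lang/kr.php", "<?php // file that is not part of the release\n")
        _write(root, "libs/json/json.php", "<?php // shipped file with replaced content\n")
        return audit(root, baseline)

if __name__ == "__main__":
    print(demo())  # (['lang/kr.php'], ['libs/json/json.php'], [])
```

In practice the baseline is built from a freshly unpacked copy of the same release, not from the possibly compromised server, and the results still need manual review since legitimate config and cache files also show up as unexpected.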