I was hacked through CB somehow on two different websites. Happened on the same day. I noticed it because I was looking in my error and visitor files in Cpanel. It would be nice to know exactly how they got in but I did lock up the photo upload scripts and directories as some logs indicated there was use of that.
A new directory had been created in the actions directory with a php file called karihanpolicija, and before that a temporary numbered php file had existed and then been deleted or maybe renamed after uploading.
Origins show an IP number beginning with 77.28 that had direct write access to my actions directory, and the other hack from 141.101 which was using the photo uploader php file.
I just noticed that my site is unable to do uploads right now. I do not know if that is related or not. The mass uploader works but not user uploads. I guess I will try replace some complete directories from the backups.
Keep an eye on your log files friends and block IPs that annoy you.