There was a vulnerability that was exposed in the code which allowed for remote scripts to be executed. There is a patch available (download and update constants.php), which should prevent attacks. Please also remove the file /music/buycd.php from your server.