On it at the moment. It seems that user wmap exploited an smf bug to upload PHP scripts as photos. This is most likely as a result of us upgrading to a dedicated server with our hosting provider, and hence making it possible to execute non-smf related scripts.
We are working on resolving this issue asap.
Meanwhile, If anybody gets a similar prompt please notify us.