If you’re running a version of Zen Cart prior to 1.3.9, you must must must apply the known critical patches for you rZen Cart version. I came across a site just this weekend that had the earliest version of this hack I had ever seen. Going to Admin->Extras->Record Companies showed this in the right hand sidebar:

Pressing the edit button on this shows that it’s not an image at all, but rather a PHP file called “own.php”:

This was done 6/25/09, and the announcement of the vulnerability was made 06/19/09.
The best way to prevent this from happening to you is to upgrade to the latest version of Zen Cart!
It’s very important to stay on top of Zen Cart Security Announcements. Follow that link and then click on the link that says “Click here to subscribe to these announcements.”
And while you’re at it, subscribe to That Software Guy’s Zen Cart Newsletter. I nag people to stay on top of things like this!