You’ll need to figure out how the attackers gained access to your site. It was probably via some vector like FTP.
Once a server has been compromise like that, you MUST do a full rebuild of the server from the ground up. You have no way of knowing what/if the attackers installed on the server. Most of the time, they will install something on the server that will allow them access even if you fix the site’s code, and change passwords.
Yes, it is very possible for an attacker to install something on the server. If they have the ability to upload, and execute arbitrary PHP code, then they can install anything that they want.
The only way to safely deal with this is to rebuild the server from scratch, and ensure that you use a known clean version of your website. You should then ensure that the only way to log into the server is a secure SSH connection with a private/public key and no passwords. Also, setup something like fail2ban to ensure that brute force attacks are not viable.
Not from CakePHP itself. Hard to say anything more concrete without a full security audit of your code.
Like I’ve said. Once a server has been compromised, the only solution is a full rebuild. You have no way of knowing what else has been installed on the server, and chances are very good that they’ve installed a hard to detect backdoor.