I have a 7.3 board up and running for testing. There are no links to it on any web page yet someone was able to upload a bank phishing page to one of the board sub-directories. The installation specifies that some directories be writable to the world (777). Can I change these without compromising the function of the boards? How else can I protect myself?

The only way I know that someone can do that with the permissions set to 777 is that the server it self allows Anonymous log in to the server to the web site. If you have Anonymous users accessing your folders via FTP or Windows Explorer then you need to change your sites FTP settings to not allow any Anonymous logins to the server.

Yeh, just because a FOLDER is chmodded 777 doesn't mean people can just randomy upload to it...

Likely, some script has been comprimised on your system and they just uploaded their stuff to that directory through the script that they exploited.

Anonymous FTP is not enabled. Ubbthreads 6.5 is installed on the same system. Is there a script in 6.5 that can be compromised to upload stuff. I've found four directories with these phishing pages - two in the 6.5 directory hierarchy, one under the 7.3 directory and one outside these directories but in another directory with 777 permissions. All are owned by user apache. The only scripts are in the 6.5 and 7.3 directories, everything else is static HTML files.

I believe that an early 6.5 build had some security issues; so it could be that; you should at least upgrade to the latest 6.5 build (if not upgrade to UBB.T7)