h1. Drupal security hole - October 2014

https://www.drupal.org/PSA-2014-003
http://grahamcluley.com/2014/10/assume-unpatched-websites-running-drupal-7-compromised/
https://news.ycombinator.com/item?id=8528605

Some excerpts from the above links:

q. Date: 2014-October-29
Security risk: 25/25 (Highly Critical)
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Simply updating to Drupal 7.32 will not remove backdoors.
If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.
...
What an unholy mess. In a nutshell, if your site wasn’t protected within a few hours of Drupal’s announcement on October 15th, you need to restore it from an old backup or rebuild it from the ground up.
...