If you didn’t patch your site quickly, you should assume it was compromised, Drupal says.
Users of the Drupal content management system platform got a rude awakening this week: According to Drupal, automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 — Drupal core — SQL injection. And here’s the kicker: users should proceed with the assumption that every Drupal 7 website was compromised unless it was updated before 11:00 p.m. UTC on Oct. 15.
The vulnerability in question is a bug in a database abstraction API that allows an attacker to send specially crafted requests resulting in arbitrary SQL execution. Depending on the content of the requests, this can lead to privilege escalation, arbitrary PHP execution, or other attacks as well, according to Drupal.