Via lwn.net, I came across https://www.drupal.org/PSA-2014-003 and my heart
sank:
"""
Automated attacks began compromising Drupal 7 websites that were not
patched or updated to Drupal 7.32 within hours of the announcement of
SA-CORE-2014-005
- <https://www.drupal.org/SA-CORE-2014-005>Drupal
<https://www.drupal.org/SA-CORE-2014-005> core - SQL injection
<https://www.drupal.org/SA-CORE-2014-005>. You should proceed under the
assumption that every Drupal 7 website was compromised unless updated or
patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
"""
That's about as bad as it gets, folks.
|