Any Drupal 7 website not patched or updated to Drupal 7.32 within seven hours of the announcement of a highly critical SQL injection vulnerability – CVE-2014-3704 – should be considered compromised, according to a public service announcement posted to the Drupal website on Wednesday.
Automated attacks came quickly, the post indicates, explaining some attackers applied the patch to ensure they are the only person in control of the site. Applying the patch or updating to Drupal 7.32 now does not remove backdoors, which could exist in the database, code, files directory and other locations.
“Attackers may have copied all data out of your site and could use it maliciously,” according to the post. “There may be no trace of the attack.”
The Drupal security team recommends restoring to a backup from prior to Oct. 15, or rebuilding from scratch.