Advisory says to assume all Drupal 7 websites are compromised
If your organization uses Drupal, you might have a serious problem on your hands. On October 15, Drupal urged users to apply an update that fixed a SQL Injection flaw. However, unless that patch was installed within seven hours, Drupal now says it’s best to assume the website was completely compromised.
The SQL Injection vulnerability exists in an API used by Drupal, which is supposed to prevent SQL Injection. It was re-discovered by German security firm SektionEins in September, after a Drupal user hired them to check for vulnerabilities.