From the SANS Newsbites Digest:
http://www.sans.org/newsletters/newsbites/xvi/87#304
Drupal Team Warns Users to Assume Sites are Compromised (October 29 & 30, 2014)
The Drupal security team says that users should assume that all Drupal 7 websites have been compromised unless they were patched within seven hours of the October 15, 11pm UTC announcement of a vulnerability that could be exploited through an SQL injection attack. Automated attacks were launched within hours of the flaw's disclosure. While updating to the most recent version, 7.32, does fix the vulnerability, websites that were compromised prior to the update will remain compromised. The team recommends that sites be restored with backups created before October 15.