*If you administer a Drupal website or know anyone who does, please
make sure they see this:*
Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003https://www.drupal.org/PSA-2014-003
The short version is; if a Drupal website was not patched within 7
hours of the announcement of Dupal-core-SA-2014-005 (aka Drupageddon)
on 16 October (NZ time), it probably has backdoors, and data should be
assumed to be compromised.
The only safe and certain recovery is to get a new server and restore
from backups from before that date.
via NZOSS mailing list