Following the remote code execution vulnerability discovered in all versions of Drupal released prior to 28th March 2018, and patched in Drupal 7.58 and Drupal 8.5.1, may have been hacked if they have not been updated to Drupal 7.58 (or 8.5.1) by Wednesday, 11th April 2018, may have been hacked after the Drupal security team became aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability.
The advisory issued by the Drupal security team in full:
If you have not updated your site as described in SA-CORE-2018-002 you should assume your site has been targeted and follow directions for remediation as described below.
The security team is now aware of automated attacks attempting to compromise Drupal 7 and 8 websites using the vulnerability reported in SA-CORE-2018-002. Due to this, the security team is increasing the security risk score of that issue to 24/25
Sites not patched by Wednesday, 2018-04-11 may be compromised. This is the date when evidence emerged of automated attack attempts. It is possible targeted attacks occurred before that.
Simply updating Drupal will not remove backdoors or fix compromised sites.
If you find that your site is already patched, but you didn’t do it, that can be a symptom that the site was compromised. Some attacks in the past have applied the patch as a way to guarantee that only that attacker is in control of the site.
Signs of a hack
Attackers may have created access points for themselves (sometimes called “backdoors”) in the database, code, files directory and other locations.
Removing a compromised website’s backdoors is difficult because it is very difficult to be certain all backdoors have been found.
If you did not patch, you should restore from a backup. While recovery without restoring from backup may be possible, this is not advised because backdoors can be extremely difficult to find. The recommendation is to restore from backup or rebuild from scratch.