Drupal Core - Highly Critical - Public Service announcement - PSA-2014-003 | Drupal.org
https://www.drupal.org/PSA-2014-003
If you find that your site is already patched but you didn’t do it, that can be a symptom that the site was compromised - some attacks have applied the patch as a way to guarantee they are the only attacker in control of the site.
BBC News - Millions of websites hit by Drupal hack attack
http://www.bbc.com/news/technology-29846539
Drupal should no longer rely on users to apply patches, said Mr Stockley.
“Many site owners will never have received the announcement and many that did will have been asleep,” he said. “What Drupal badly needs but doesn’t have is an automatic updater that rolls out security updates by default.”