There’s a nasty Drupal security issue that, well, this is how bad it is:
Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE–2014–005 – Drupal core – SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
If you’re running a Drupal 7 based website, you need to read this now, and take this seriously.