Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection. You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Is this statement true? Would all sites be vulnerable to these automated attacks? What if Suhosin, which kills many general attack vectors, is installed? The short answer is that it kills all the PoCs that we saw on the internet and that have been reported, but a dedicated attacker can navigate around Suhosin and still exploit this bug.
More here: http://www.sektioneins.de/en/blog/14-11-06-drupageddon-vs-suhosin.html