Automated attacks began compromising Drupal 7 websites that were not patched or updated to Drupal 7.32 within hours of the announcement of SA-CORE-2014-005 - Drupal core - SQL injection.
You should proceed under the assumption that every Drupal 7 website was compromised unless updated or patched before Oct 15th, 11pm UTC, that is 7 hours after the announcement.
Simply updating to Drupal 7.32 will not remove backdoors.
NOTE: It is strongly advised to change all the passwords for the application instances.
If you have backup created before Oct 15th, 11pm UTC:
Restore backup, go to Customer Control Panel(CCP), click More Services > Backups and restore backup.
Upgrade all Drupal application instances to the version 7.32. In POA it can be performed by the following steps:
a. Import the new APS application version into POA, if you do not already have it.
b. Upgarde all instanses of Drupal application to version 7.32 using Bulk Application Upgrades.
Note: In case if upgrade of particular application instance is not an option it is also possible to apply the following patch to Drupal's
database.incfile to fix the vulnerability.
If you have no backup:
Follow the steps that are described in the "Recovery" section of the following Drupal site.