It's Drupalgeddon2. There's some shoddy code in the software running this site–but not the parts I wrote! There's a bug that allows unauthenticated attackers to execute arbitrary code via a publicly accessible URL. That's about as bad of a bug as you can have. I haven't bothered studying all the details, but this article explains the gist of the situation. The vulnerability exists going all the way back to Drupal 6. That means it has been lurking in the source code for about ten years. So much for static analysis and pen testing, huh? I did a quick security audit of SiO and updated the software running it as soon as I heard. I wish I'd known an hour or two sooner, but I think we'll be OK. We survived Drupalgedon; we'll survive this. Probably. If not, there are plenty of backups. I think.
Updating my website wasn't what I had in mind for tonight. Me updating your website for you is out of the question. Please don't ask. I've had more than enough of playing with computers for one day. I'm going to do something else now. I don't know what, yet. But it will be something not involving computers. Definitely. Maybe.