Drupal sites had “hours” to patch before attacks started