Recently the Drupal Security Team has seen a trend of attacks utilizing a site misconfiguration. This issue only affects sites that allow file uploads by non-trusted or anonymous visitors and store those uploads in a public file system.

https://www.drupal.org/psa-2016-003