http://blog.sucuri.net/2014/10/drupal-sql-injection-attempts...
In there you can see the type of backdoors being added (generally fake users with admin-level privileges).