Title: Saeed attacker Last modified: August 22, 2016 --- # Saeed attacker * [spikespiegel](https://wordpress.org/support/users/spikespiegel/) * (@spikespiegel) * [11 years, 9 months ago](https://wordpress.org/support/topic/saeed-attacker-requesting-all-wordpress-users/) * Here is a major problem I believe every wordpress user should be aware of, the Saeed Hack. I searched many therms in Google, and couldn’t find no one relating this problem, on the other hand if you insert on google: * You’ll see that basically 100 websites have been hacked already. * Now here is the funny thing, I got all my scripts upgraded, including wordpress. Three days ago I settle up a ht password on my wordpress admin folder. So I have to use two passwords to login in administration, yet this dude or bot was able to hack into the system, or used a sql injection and changed my site title and tag line. * So: _[ Redacted, you really should not share that here ]_ * WHen I checked [http://sitecheck.sucuri.net/](http://sitecheck.sucuri.net/) * It says I have an outdated version of cPanel and Apache, and my site’s software is outdated. * Web application details: Running cPanel 11.38.2.7: akecheta.com:2082 cPanel version 11.38.2.7 outdated: Upgrade required. Outdated cPanel Found: cPanel 11.38.2.7 Outdated Web Server Apache Found: Apache/2.2.23 * However, I have many other sites hosted in the same reseller plan, and they’re all fine. This particularly an issue with WordPress, I never liked wordpress at all because of the lack of security, but due to a few plugins that I couldn’t find on Joomla, I had to use wordpress. * He didn’t change any password, my htpassword is still the same, when I open cpanel I can see that no file or folder has been modified, actually, the last modification was like 2 months ago and this hacked happened today in this morning. I believe that is a Sql injection. * I don’t know what else should I do. Viewing 5 replies - 1 through 5 (of 5 total) * Moderator [Jan Dembowski](https://wordpress.org/support/users/jdembowski/) * (@jdembowski) * Forum Moderator and Brute Squad * [11 years, 9 months ago](https://wordpress.org/support/topic/saeed-attacker-requesting-all-wordpress-users/#post-5227322) * Spike? (Love that handle BTW one of my favorite Anime characters) * Please don’t post that attacker info here. It doesn’t help you and only promotes the attacker’s links. If you do need to share that (and you really don’t) then you can post a pastebin.com link if needed. * It’s an often quoted but good list: * You need to start working your way through these resources: [http://codex.wordpress.org/FAQ_My_site_was_hacked](http://codex.wordpress.org/FAQ_My_site_was_hacked) [http://wordpress.org/support/topic/268083#post-1065779](http://wordpress.org/support/topic/268083#post-1065779) [http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/](http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/) [http://ottopress.com/2009/hacked-wordpress-backdoors/](http://ottopress.com/2009/hacked-wordpress-backdoors/) * Anything less will probably result in the hacker walking straight back into your site again. * Additional Resources: [Hardening WordPress](http://codex.wordpress.org/Hardening_WordPress) [http://sitecheck.sucuri.net/scanner/](http://sitecheck.sucuri.net/scanner/) [http://www.unmaskparasites.com/](http://www.unmaskparasites.com/) [http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html](http://blog.sucuri.net/2012/03/wordpress-understanding-its-true-vulnerability.html) * It’s a lot of work but delousing your installation is doable. If the source of the hack is your server and you are not running your own host then you may need to consider new hosting. * Thread Starter [spikespiegel](https://wordpress.org/support/users/spikespiegel/) * (@spikespiegel) * [11 years, 9 months ago](https://wordpress.org/support/topic/saeed-attacker-requesting-all-wordpress-users/#post-5227326) * Thx mister Dembowski, anyway, whenever someone will search for info on Google, he’ll search for that line. * I’ll take a look at that guide. The funniest thing is that I’ve been looking for suspicious files for about 2 hours, and still haven’t found anything, I even followed the pharma hack guide to disinfection, also couldn’t find anything on my website. It’s like someone just got access to the database table responsible for the title and tag or maybe knows the password. That shouldn’t be my host, all my other sites have been fine for years, they’re all in Joomla. ON the other hand, I’ve even seen a client’s website get hacked just because he forgot to upgrade wordpress for like… 1 month. That seems to be a client side issue (Some spyware here) or a wordpress core issue (Or maybe one of my plugins was abandoned by the developer). * Thread Starter [spikespiegel](https://wordpress.org/support/users/spikespiegel/) * (@spikespiegel) * [11 years, 9 months ago](https://wordpress.org/support/topic/saeed-attacker-requesting-all-wordpress-users/#post-5227327) * By the way, Cowboy Bebop is my favorite Anime. Talking about characters, there is also Sagara Sousuke, Solid Snake, Drake from Uncharted and Squall Leonhart. * [wjweb](https://wordpress.org/support/users/wjweb/) * (@wjweb) * [11 years, 9 months ago](https://wordpress.org/support/topic/saeed-attacker-requesting-all-wordpress-users/#post-5227507) * Did you find a solution to this problem already? I have several sites that were hacked by Saeed 210 and unlike previous hacks I’ve been unable to find a solution so far. * I installed Wordfence and it comes up with the result that the site has been hacked, but it unable to replace the files with the original one.. * Please let me know if you found something. * Thread Starter [spikespiegel](https://wordpress.org/support/users/spikespiegel/) * (@spikespiegel) * [11 years, 9 months ago](https://wordpress.org/support/topic/saeed-attacker-requesting-all-wordpress-users/#post-5227508) * What you mean “it’s unable to replace the files with the original ones”?? You should be able to overwrite any files in your server, if not, that’s a server side problem, contact your host. * First thing I did was to install bulletproof security, then sweet captcha (This one reduced spam in 100%). * After installing bullet proof, you must follow common configuration steps, then the DDOS tutorial provided in the plugin, because it will protect your xmlrpc. php file that is on your root folder. So everytime an attacker accesses the file, he will get an error 303 page. * Also, make sure to install centrora security and quttera scanner. Enable every single option in centrora security firewall. Both centrora and quttera have virus scanners, make good use of them. I highly suggest you to use Sucuri Site Check too. * I’ve been monitoring my website and so far the centrora log always show attackers going to xmlrpc.php, and getting blocked. * Centrora will point you some php extensions that should be disabled, read them carefully and see what you can disable. Also reinstall wordpress. My last step was followed today, I moved my host account to newer server, it uses mysql 5.5.4, and has a newer apache version that I can’t remember. * After doing the steps, you can use Simple Backup plugin to create your site copies. * Ps: I believe in my case it was related to two things: * First the server, I was using apache 2.2.22, and as described here: [http://httpd.apache.org/security/vulnerabilities_22.html](http://httpd.apache.org/security/vulnerabilities_22.html) * There is some vulnerabilities in that version that were fixed in the next ones. * Second, I’m not sure, but my site’s homepage was an HTML5 script, and I believe there was some outdated javascript, or perhaps I’m wrong, anyway, I removed that page just in case. * Tell me if you have any doubt, good luck. Viewing 5 replies - 1 through 5 (of 5 total) The topic ‘Saeed attacker’ is closed to new replies. * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 5 replies * 3 participants * Last reply from: [spikespiegel](https://wordpress.org/support/users/spikespiegel/) * Last activity: [11 years, 9 months ago](https://wordpress.org/support/topic/saeed-attacker-requesting-all-wordpress-users/#post-5227508) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics