WordPress.org

Forums

[resolved] Why is my site on another domain? Is it hacked? (32 posts)

  1. Jesper
    Member
    Posted 4 years ago #

    For two days I've been getting referrals from a Turkish site. So I checked the site out. It seems to be loading my theme/site?

    This is the turkish site:
    http://sekerziyafe.blogcu.com/

    This is my site:
    http://nijmegeneet.nl/

    What the hell is going on? Any ideas. Thanks!

  2. Samuel B
    moderator
    Posted 4 years ago #

    I see the same theme. Isn't it possible they use the same theme?
    I don't see the same content. Do you?

  3. Jesper
    Member
    Posted 4 years ago #

    Thanks for your reply.
    No, it is not possible that they use exactly the same theme. Because all the background images are mine. Also the favicon is mine. But I don't see the same content either. But I'm receiving referral traffic from this site. And my site is found with Turkish keywords, which have no relation to my content.

  4. Jesper
    Member
    Posted 4 years ago #

    I just tried the following:
    I deleted my theme's custom background images. Now the Turkish site is affected by this, because all their background images are lost. So they must have some connection with our server.

  5. Samuel B
    moderator
    Posted 4 years ago #

    really not much we can do here if they have ripped you off
    here is the registrar info for the domain
    http://www.geektools.com/whois.php
    just input blogcu.com and all the contact info will come up

  6. Samuel B
    moderator
    Posted 4 years ago #

    wait - I see you are on wordpress.com
    the turkish site appears to be a similar site to wordpress.com
    anyway report this here and you will likely get some quick help
    http://en.support.wordpress.com/

  7. Jesper
    Member
    Posted 4 years ago #

    Samuel,

    My site is not on wordpress.com, but it's self hosted!

    I've changed my theme name and now the Turkish site is without a theme:

    http://sekerziyafe.blogcu.com/

    But still there is a connection, because when I load the Turkish site I see in my status bar in Firefox that it is also loading my site:

    http://nijmegeneet.nl

    So they must have access to my server or embedded some code somewhere in my files?

    What to do?

  8. Samuel B
    moderator
    Posted 4 years ago #

    sorry - looking at your profile link I thought you were on wordpress.com

    I would suggest contacting your host about this

  9. Jesper
    Member
    Posted 4 years ago #

    I contacted my host and they think my site is hacked. They say I should restore my files. But where to start in this case? Start with plugins, theme files, upload files, or WordPress core files? Any suggestions? Where is it most likely to get infected?

  10. Samuel B
    moderator
    Posted 4 years ago #

  11. Jesper
    Member
    Posted 4 years ago #

    Thanks, I'll check!
    I found, using Firebug, several URLs in the resources from my site on the Turkish site. Several themes and plugin CSS files are used and/or have a referral. For example:

    Response Headers (view source)
    Date	Sun, 17 Oct 2010 13:13:28 GMT
    Server	Apache
    X-Pingback	http://nijmegeneet.nl/xmlrpc.php
    Expires	Wed, 11 Jan 1984 05:00:00 GMT
    Last-Modified	Sun, 17 Oct 2010 13:13:29 GMT
    Cache-Control	no-cache, must-revalidate, max-age=0
    Pragma	no-cache
    Keep-Alive	timeout=10, max=50
    Connection	Keep-Alive
    Transfer-Encoding	chunked
    Content-Type	text/html; charset=UTF-8
    Request Headers (view source)
    Host	nijmegeneet.nl
    User-Agent	Mozilla/5.0 (Windows; U; Windows NT 6.1; nl; rv:1.9.2.10) Gecko/20100914 Firefox/3.6.10
    Accept	text/css,*/*;q=0.1
    Accept-Language	nl,en-us;q=0.7,en;q=0.3
    Accept-Encoding	gzip,deflate
    Accept-Charset	ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Keep-Alive	115
    Connection	keep-alive
    Referer	http://sekerziyafe.blogcu.com/
  12. Chris M.
    Member
    Posted 4 years ago #

    Maybe they have simply hotlinked to your site images and taken your theme?

  13. Jesper
    Member
    Posted 4 years ago #

    Thinkdeep,

    Yesterday, I disabled hotlinking on my server.

    But since last night it looks like the entire Turkish site is down:

    maindomain:
    http://blogcu.com/

    subdomain:
    http://sekerziyafe.blogcu.com

    Does this indicate that the problem is on their site?

  14. If you view the source of the offending site (it's back now), they have quite literally copied your entire site, including the fact that all of the resource links (CSS, images, plugins, etc) all point back to your domain.

    They've literally stolen your design, resource files, and they're stealing your bandwidth.

    Add this to the very top of your .htaccess file ASAP:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blogcu\.com/ [NC]
    RewriteRule .*\.(jpe?g|gif|png|css|js|xml)$ - [F]
  15. Update: I just updated the code above. I'm not sure if it works any better than the last, but it is the last of its type that I ever used, so I'm more confident that it'll work.

    A brief explanation: the code will issue a 403 (access denied) error to all requests for .jpeg, .jpg, .gif, .png, .css, .js, and .xml files from any blogcu.com domain.

  16. Jesper
    Member
    Posted 4 years ago #

    James,

    I've added your code like so:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://(www\.)?blogcu\.com/ [NC]
    RewriteRule \.(jpe?g|gif|png|css|js|xml)$ - [F]
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress

    Does not seem to do the trick?

  17. Try it again, I've made one last minute oversight change. Full code should be:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blogcu\.com/ [NC]
    RewriteRule .*\.(jpe?g|gif|png|css|js|xml)$ - [F]
    
    # BEGIN WordPress
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^index\.php$ - [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule . /index.php [L]
    </IfModule>
    
    # END WordPress
  18. Jesper
    Member
    Posted 4 years ago #

    James,

    Thanks! Your latest code seems to do the trick!

    I can tell (in firebug) all my files get a 403 status on the offending site.

    Are there more issues I have to address?

  19. Looks almost perfect, but I forgot to list .ico and .php as formats, so it's still pulling in two files. This should do it:

    RewriteEngine On
    RewriteCond %{HTTP_REFERER} ^http://(.+\.)?blogcu\.com/ [NC]
    RewriteRule .*\.(jpe?g|gif|png|ico|css|js|xml|php)$ - [F]

    The next step if you're willing would be to report them to blogcu.com for a terms of service violation, which should get their account closed, but the language barrier will probably be an issue.

    If I were in your shoes, I'd just stick with the updated code above. No domain from blogcu.com will ever touch your files again.
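An added example, not part of the original thread: a Python approximation of how mod_rewrite evaluates the three rule sets posted above, run over constructed requests. It shows why the `(www\.)?` version from post 16 missed the subdomain, and that a request with no Referer, an https Referer, or an upper-case extension is not blocked by the final rule. The sample paths and `reader.example` are assumptions.

```python
import re
from urllib.parse import urlsplit

# The three rule sets from the thread: (RewriteCond on Referer, RewriteRule pattern).
RULES = {
    "post16": (r"^http://(www\.)?blogcu\.com/", r"\.(jpe?g|gif|png|css|js|xml)$"),
    "post17": (r"^http://(.+\.)?blogcu\.com/", r".*\.(jpe?g|gif|png|css|js|xml)$"),
    "post19": (r"^http://(.+\.)?blogcu\.com/", r".*\.(jpe?g|gif|png|ico|css|js|xml|php)$"),
}

def status(rule, url, referer):
    """Return 403 if the rule set would answer [F] for this request, else 200."""
    cond, pattern = RULES[rule]
    # RewriteCond ... [NC]: case-insensitive match on the Referer header.
    # A request that sends no Referer never satisfies the condition.
    if not referer or not re.search(cond, referer, re.IGNORECASE):
        return 200
    # RewriteRule sees only the URL path (no query string), without the leading
    # slash in .htaccess, and is case-sensitive because it has no [NC] flag.
    path = urlsplit(url).path.lstrip("/")
    return 403 if re.search(pattern, path) else 200

THIEF = "http://sekerziyafe.blogcu.com/"
# Constructed sample requests (paths are illustrative, not taken from the site).
SAMPLES = [
    ("/wp-content/themes/example/style.css?ver=3.0", THIEF),
    ("/favicon.ico", THIEF),
    ("/wp-content/themes/example/HEADER.PNG", THIEF),
    ("/wp-content/themes/example/style.css", "https://sekerziyafe.blogcu.com/"),
    ("/wp-content/themes/example/style.css", None),
    ("/wp-content/themes/example/style.css", "http://reader.example/"),
]

def report():
    """Status under post16, post17 and post19 (in that order) for each sample."""
    return [(url, ref, [status(r, url, ref) for r in RULES]) for url, ref in SAMPLES]

if __name__ == "__main__":
    for url, ref, codes in report():
        print(codes, url, "<-", ref)
```

Because the Referer header is supplied by the client, the rule stops browsers that render the copied page from loading the files; it does not authenticate who is requesting them.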

  20. Chris M.
    Member
    Posted 4 years ago #

    Hello everyone...

    James: Great advice and thanks for sharing your knowledge on the topic. I couldn't help but think though, what if they moved shop and tried to use his stuff from another portal?

    I came across this great article, which, I think, addresses the issue from a more comprehensive standpoint:

    http://perishablepress.com/press/2007/11/21/creating-the-ultimate-htaccess-anti-hotlinking-strategy/

    Don't miss the comments!

    P.S. I am sure this can be edited to include the other needed file types. I am no expert though.

    Respectfully,
    Chris

  21. Jesper
    Member
    Posted 4 years ago #

    Thanks James,

    I updated the .htaccess

    But I still see my favicon on:

    http://sekerziyafe.blogcu.com/

    Maybe it's a cache issue?

  22. Jesper
    Member
    Posted 4 years ago #

    James,

    I understand it about the favicon. I'm using a CDN for my images. I've added your code to the .htaccess file of my CDN (subdomain).

    But I'm not seeing a 403 on the favicon file?

  23. Jesper
    Member
    Posted 4 years ago #

    At this time:

    18-10-2010 at 13:42

    The Turkish site seems to be back to normal:

    http://sekerziyafe.blogcu.com/

    What the hell is going on?

  24. Chris M.
    Member
    Posted 4 years ago #

    "jesperpopma":

    My post above to James was also for you as well. I hope it benefits you.

    As for what might be happening right now, could they have downloaded ALL of your site images and theme, and once they realized that you were blocking hotlinking, they just uploaded your entire file set (i.e., not hotlinking it anymore)? That is all I can think of...

    At any rate, just curious, are we talking about these two sites, cause they don't look ANYTHING like each other!

    http://sekerziyafe.blogcu.com/
    http://nijmegeneet.nl/

  25. Jesper
    Member
    Posted 4 years ago #

    Chris,

    At any rate, just curious, are we talking about these two sites, cause they don't look ANYTHING like each other!

    http://sekerziyafe.blogcu.com/
    http://nijmegeneet.nl/

    At this time:

    The Turkish site seems to be back to normal:

    http://sekerziyafe.blogcu.com/

  26. Chris M.
    Member
    Posted 4 years ago #

    "Normal" meaning, not like yours?

    I'm sorry, but I didn't get to see the way it was before. Was it literally a duplicate of your site, in all ways?

  27. Jesper
    Member
    Posted 4 years ago #

    Yes, "Normal" meaning not like my site.

    Not literally a duplicate. See this screenshot:

    http://picasaweb.google.nl/lh/photo/qJUfnmxItyQidyr3x82nUw?feat=directlink

  28. Chris M.
    Member
    Posted 4 years ago #

    I see, well, I hope your issue has been resolved. I do hope that this thread has helped you to clear some things up as well. I don't think your site was "hacked" in the proper sense of the word (access to your database, server, etc.), I think it was just a case of them getting your theme and then hotlinking to your files/images, etc.

    Make sure to check this out:

    http://perishablepress.com/press/2007/11/21/creating-the-ultimate-htaccess-anti-hotlinking-strategy/

    And again, don't miss the comments!

  29. Jesper
    Member
    Posted 4 years ago #

    Thanks Chris

  30. Great advice and thanks for sharing your knowledge on the topic. I couldn't help but think though, what if they moved shop and tried to use his stuff from another portal?

    I came across this great article, which, I think, addresses the issue from a more comprehensive standpoint.

    I'm not a fan of only allowing hotlinking via specific domains, because you can never keep track of all of the web-based feed readers out there.

    If you forget to add a certain web-based feed reader (like reader.google.com) to your list of approved domains, you've just ruined your feed for any subscribers there, which is why I prefer to only restrict specific domains.

    I understand it about the favicon. I'm using a CDN for my images. I've added your code to the .htaccess file of my CDN (subdomain).

    But I'm not seeing a 403 on the favicon file?

    Most browsers cache favicons, so I'm sure you're just seeing the cache. Unfortunately, some browsers actually require you to reset the entire browser to clear the favicon cache.

    At this time:

    The Turkish site seems to be back to normal

    It looks like they noticed that you cut them off from your files and sought out a new design. Fortunately, they are no longer stealing your files.

Topic Closed

This topic has been closed to new replies.