Why is my site on another domain? Is it hacked?

Try it again, I’ve made one last minute oversight change. Full code should be:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?blogcu\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|png|css|js|xml)$ - [F]

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>

# END WordPress

James,

Thanks! Your latest code seems to do the trick!

I can tell (in firebug) all my files get a 403 status on the offending site.

Are there more issues I have to address?

Looks almost perfect, but I forgot to list .ico and .php as formats, so it’s still pulling in two files. This should do it:

RewriteEngine On
RewriteCond %{HTTP_REFERER} ^https://(.+\.)?blogcu\.com/ [NC]
RewriteRule .*\.(jpe?g|gif|png|ico|css|js|xml|php)$ - [F]

The next step if you’re willing would be to report them to blogcu.com for a terms of service violation, which should get their account closed, but the language barrier will probably be an issue.

If I were in your shoes, I’d just stick with the updated code above. No domain from blogcu.com will ever touch your files again.

Hello everyone…

James: Great advice and thanks for sharing your knowledge on the topic. I couldn’t help but think though, what if they moved shop and tried to use his stuff from another portal?

I came across this great article, which, I think, addresses the issue from a more comprehensive standpoint:

https://perishablepress.com/press/2007/11/21/creating-the-ultimate-htaccess-anti-hotlinking-strategy/

Don’t miss the comments!

P.S. I am sure this can be edited to include the other needed file types. I am no expert though.

Respectfully,
Chris

Thanks James,

I updated the .htacces

But I still see my favicon on:

https://sekerziyafe.blogcu.com/

Maybe it’s a cache issue?

James,

I understand it about the favicon. I’m using a CDN for my images. I’ve added your code to the .htacces file of my CDN (subdomain).

But I’m not seeing a 403 on the favicon file?

At this time:

18-10-2010 at 13:42

The turkish site seems to be back to normal:

https://sekerziyafe.blogcu.com/

What’s the hell going on?

“jesperpopma”:

My post above to James was also for you as well. I hope it benefits you.

As for what might be happening right now, could they have downloaded ALL of your site images and theme, and once they realized that you were blocking hotlinking, they just uploaded your entire file set (i.e., not hotlinking it anymore)? That is all I can think of…

At any rate, just curious, are we talking about these two sites, cause they don’t look ANYTHING like each other!

https://sekerziyafe.blogcu.com/
https://nijmegeneet.nl/

Chris,

At any rate, just curious, are we talking about these two sites, cause they don’t look ANYTHING like each other!

https://sekerziyafe.blogcu.com/
https://nijmegeneet.nl/

At this time:

The turkish site seems to be back to normal:

https://sekerziyafe.blogcu.com/

“Normal” meaning, not like yours?

I’m sorry, but I didn’t get to see the way it was before. Was it literally a duplicate of your site, in all ways?

Yes, “Normal” meaning not like my site.

Not literally a duplicate. See this screenshot:

https://picasaweb.google.nl/lh/photo/qJUfnmxItyQidyr3x82nUw?feat=directlink

I see, well, I hope your issue has been resolved. I do hope that this thread has helped you to clear some things up as well. I don’t think your site was “hacked” in the proper sense of the word (access to your database, server, etc.), I think it was just a case of them getting your theme and then hotlinking to your files/images, etc.

Make sure to check this out:

https://perishablepress.com/press/2007/11/21/creating-the-ultimate-htaccess-anti-hotlinking-strategy/

And again, don’t miss the comments!

Thanks Chris

Great advice and thanks for sharing your knowledge on the topic. I couldn’t help but think though, what if they moved shop and tried to use his stuff from another portal?

I came across this great article, which, I think, addresses the issue from a more comprehensive standpoint.

I’m not fan of only allowing hotlinking via specific domains, because you can never keep track of all of the web-based feed readers out there.

If you forget to add a certain web based feed reader (like reader.google.com) to your list of approved domains, you’ve just ruined your feed for any subscribers there, which is why I prefer to only restrict specific domains.

I understand it about the favicon. I’m using a CDN for my images. I’ve added your code to the .htacces file of my CDN (subdomain).

But I’m not seeing a 403 on the favicon file?

Most browsers cache favicons, so I’m sure you’re just seeing the cache. Unfortunately, some browsers actually require you to reset the entire browser to clear the favicon cache.

At this time:

The turkish site seems to be back to normal

It looks they noticed that you cut them off from your files and sought out a new design. Fortunately, they are no longer stealing your files.

Thanks James,

Yes, it appears the issue is solved for me. Thanks again!

I still wonder how this can be done from a subdomain on:

https://www.blogcu.com/

This site appears to be some kind of blogging platform like wordpress.com