Skip to main content

Identifying And Removing HTML / JavaScript / XML Based Malware From Your Blog

Occasionally, in the recently discovered social engineering blog attacks that involve shiny blog accessories, we've seen reports of aggressively protected malware, that's being installed on some blogs.

When a misbehaving HTML gadget is the source of the problem, it's sometimes possible to click on the "Quick Edit" icon for the gadget, and click "Remove". Alternatively, go to "Page Elements", and click on the "Edit" link for the gadget in question. This does not always work so simply, however.

If you can't remove a recently installed gadget, because you get redirected when trying to use the "Layout" button from the dashboard, or the "Remove" button from the "Page Elements" wizard, you may have to be imaginative.
  • Use a well protected browser - minimally, one which blocks scripts from any non Blogger / Google domain, to clean your blog. This is the simplest possibility here.
  • Use an HTTP text proxy, to examine the blog code.
  • Remove the code manually.
    1. Use a protected browser or proxy server to access the blog, and "View Source".
    2. Look in the source, and find the offending gadget / module. If it was installed as an "HTML / JavaScript" or Blogger "Add a Gadget" (XML) gadget, look at the code carefully, and look for "Gadgetnn" and "HTMLnn", where "nn" will be the sequential number for that HTML / XML gadget. This is important.
    3. Manually access the Layout "Edit HTML" wizard for the blog.
    4. Do not check "Expand widget templates" - just "Edit HTML".
    5. Look in the code, carefully, for each "Gadgetnn" or "HTMLnn" entry.
      <div class='widget Gadget' id='Gadget1' />
      or
      <div class='widget HTML' id='HTML1' />
    6. Remove that line of code.
    7. Save.
  • As always, please backup the template before and after you do this cleanup!


If you cannot find an obvious culprit from a quick "View Source", then start removing all "HTML / JavaScript" gadgets, and all XML gadgets (possibly including some installed from the Blogger "Add a Gadget" wizard), installed most recently ("recently", in some cases, being 2 - 3 months back).
  1. Remove a gadget.
  2. Clear browser cache.
  3. Test.
  4. If no improvement, repeat.
Alternatively, just remove all accessories and gadgets - then re install and test everything, one by one.
  1. Add a gadget back.
  2. Clear browser cache.
  3. Test.
  4. If a problem is seen, remove that gadget and identify it.
  5. Repeat.
It's your blog, and your decision which way to go. Barring any obvious suspects, I think I'd try the latter.

If you do put some accessories back, or add anything more, keep an eye on what you add, and check your blog frequently. A lot of the complaints this week appears to involve hacks that may have been installed 2 or 3 months ago. Watch out for smart code, that doesn't activate (reactivate) the hacking immediately when installed.


It appears that some malware may be included in some gadgets installed by the Blogger "Add a Gadget" wizard. If you find removing any Blogger gadgets to provide you any relief, please report your findings in my article Some Hijack Malware Is Being Claimed To Be Blogger Provided. Your details, provided there, would be greatly appreciated.

Comments

Thank you for helping me get to the code. Once I saw the evil meanies, I cut them out of there! THANK YOU for keeping me calm enough to snoop around.
Sai Lealea said…
Many thanks for your advice. I was successful in getting rid of the suspect gadgets which had subverted by blog. Much appreciated.
cik bella said…
yess.i did it! thanks soo much!finally i can view my blog without the warning that my blog contain malware!!yeaaa!!!!thanks yaaaa
Allegretto said…
Thanks for your advice. I'm preparing to have a go at it.
Thanks... hate it when jerks pull stuff like that.
zana said…
thanks for helping.

Popular posts from this blog

Custom Domain Migration - Managing The Traffic

Your blog depends upon traffic for its success.

Anything that affects the traffic to your blog, such as any change in the URL, affects the success of your blog. Publishing the blog to a custom domain, like renaming the blog, will affect traffic to your blog. The effects of the change will vary from blog to blog, because of the different traffic to every different blog.Followers. People who find your blog because of recommendations by other people.Search engines. Robotic processes which methodically surf your blog, and provide dynamic indexing to people who search for information.Subscribers. People who read your content from their newsfeed reader, such as the dashboard Reading List.Viewers. People who read your content from their browser.No two blogs are the same - and no two blogs will have the same combinations of traffic sources.

Stats Components Are Significant, In Their Own Context

One popular Stats related accessory, which displays pageview information to the public, is the "Popular Posts" gadget.

Popular Posts identifies from 1 to 10 of the most popular posts in the blog, by comparing Stats pageview counts. Optional parts of the display of each post are a snippet of text, and an ever popular thumbnail photo.

Like many Stats features, blog owners have found imaginative uses for "Popular Posts" - and overlook the limitations of the gadget. Both the dynamic nature of Stats, and the timing of the various pageview count recalculations, create confusion, when Popular Posts is examined.