Wednesday, January 25, 2012

Identifying And Removing Deviously Engineered And Marketed Blog Hijacks

We saw the symptoms of the first carefully engineered blog hijacks, in Blogger Help Forum: Something Is Broken, two years ago. During each succeeding holiday season, each attack has apparently become more and more deviously engineered.

This season - each season starting in Fall of one year and lasting until Spring of the following year - we are seeing a hijack complement which appears to be devious in both marketing and installation technique, and which requires a complex search of the affected blogs. If you are receiving reports from your readers, such as:
"Your blog starts to load - but is quickly replaced by a page full of advertisements!"
you may need to exhaustively examine your blog for any third party code - and as always, the problem code may have been installed at any time in the past. When discovered, the hijacks are not consistently found in recently installed code.

The blog hijacks being examined during this holiday season appear to be deviously planned and marketed.
  • The hijacks use a variety of host accessories and gadgets.
  • The hijacks use a variety of distribution libraries.
  • The hijacks are being marketed to a diverse audience, which causes different installation techniques - and necessitates the complex search of affected blogs.

To find and remove a hijack from an affected blog, you'll need to start by viewing the blog in question, using a text only browser, or proxy service. I, personally, use several products.
  • hpHosts vURL is a text only browser, that runs as a stand alone application locally on your computer.
  • Notepad-Plus-Plus is an offline text editor, which provides a variety of search tools for text files. You can sometimes avoid use of your browser completely, by copying page source code directly from vURL.
  • Rex Swain's HTTP Viewer is a standard online text proxy that I use.
  • Lingo4you HTTP Web-Sniffer is an online alternative to Rex Swain.
All of these products may be more or less useful in identifying the source of your specific hijack. The Rex Swain and Web-Sniffer text proxies each have their effective differences.

If anybody uses alternative products, and cares to share information about the tools used, I will most gratefully add them to my library here.

The approach here is complex.
  1. Of course, backup the template, before starting.
  2. Load the blog, in question, in the text browser / proxy display of your choice.
  3. Do a simple text search for the identified host / target name in the URL, such as "adiwidget", "pagesinxt", or "ripway".
  4. You'll see several different possibilities.
    • The search may reveal the hijacking code in an HTML gadget. You can use the "Page Elements" / Design tab (Classic GUI), or the "Layout" wizard (New GUI), and remove the offending gadget.
    • The search may reveal the hijacking code in the template HTML. You'll have to use the Template Editor, and remove the offending lines of code.
    • The search may not find any identified host name, in a text search. You'll have to do an extensive text search, looking for unknown HTML / JavaScript gadgets / snippets of code, and evaluate each gadget / snippet, on the fly.
  5. You may need to bypass the Blogger menu structure, to directly access the Blogger wizard needed, if trying to use the Blogger menus is also a problem.
  6. Clear browser cache, before checking for success.
  7. And always backup the template, again, after completing this task.
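
Steps 2 to 4 can also be run as a script over saved page source (for instance, source copied out of a text-only viewer). This is an added example, not code from the original post; the trusted-host list, the redirect pattern and the sample HTML are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_NAMES = ("adiwidget", "pagesinxt", "ripway")       # names quoted in step 3
TRUSTED = ("blogger.com", "blogspot.com", "google.com")  # assumption: your own allow-list
# Assumption: inline script that assigns or calls location needs a manual look.
REDIRECT_RE = re.compile(r"location\s*(\.href|\.replace|\.assign)?\s*[=(]", re.I)

class GadgetAudit(HTMLParser):
    """Record third-party script/iframe sources and redirecting inline scripts."""
    def __init__(self):
        super().__init__()
        self.findings, self.inline = [], False   # findings: (line, kind, detail)

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        host = urlparse(src or "").hostname or ""   # "" for relative URLs
        trusted = any(host == s or host.endswith("." + s) for s in TRUSTED)
        if tag in ("script", "iframe") and host and not trusted:
            self.findings.append((self.getpos()[0], "external-" + tag, src))
        if tag == "script":
            self.inline = not src                   # script body follows only without src

    def handle_endtag(self, tag):
        self.inline = self.inline and tag != "script"

    def handle_data(self, data):
        if self.inline and REDIRECT_RE.search(data):
            self.findings.append((self.getpos()[0], "inline-redirect", data.strip()[:80]))

def audit(html):
    """Step 3 text search plus the step 4 gadget survey; returns sorted findings."""
    hits = [(n, "known-name", name) for n, text in enumerate(html.splitlines(), 1)
            for name in KNOWN_NAMES if name in text.lower()]
    parser = GadgetAudit()
    parser.feed(html)
    parser.close()
    return sorted(hits + parser.findings)

# Constructed sample page source (not taken from any real blog).
SAMPLE = """<html><body>
<script src="https://www.blogger.com/static/v1/widgets/widgets.js"></script>
<div class="widget HTML"><script src="http://widgets.example.net/counter.js"></script></div>
<script>if (document.referrer) { top.location.href = "http://ads.example.org/"; }</script>
<iframe src="http://adiwidget.example/box.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in audit(SAMPLE): print(*finding)
```

Every line it reports is only a candidate for the manual evaluation described in step 4; a legitimate gadget from a host outside the allow-list will be listed too.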

And hopefully, having found and removed a hijack from your blog, you will learn to be more discreet, in your choice of accessories and gadgets, in the future.

2 comments:

David Chin said...

Thank you Chuck for sharing this info. However, it is too technical and complicated for me to understand or follow.

Chuck Croll said...

Thanks for the feedback, David. If you have a hijack problem, may I suggest that you post in Blogger Help Forum: Something Is Broken, where we can attempt to advise you in person?