Wednesday, July 25, 2012

Blogger Blogs Redirecting To "kunoichi . info"

In the latest round of blog hijacks, from misbehaving or miswritten accessory gadgets, we have reports this month in Blogger Help Forum: Something Is Broken about blogs redirecting to "kunoichi . info".
My Blogger site, xxxxxxx . blogspot . com, with over 8 years of blog posts archived, has been redirected without my permission, to "kunoichi . info". I see my blog for a few seconds before it goes to the new site.

If we use a text only browser, such as an HTTP trace utility, the offending code is directly visible. Here's an example, taken from the latest forum problem report (and rigourously redacted).

<div class='widget HTML' id='HTML2'>
<h2 class='title'>Recent Comments</h2>
<div class='widget-content'>
<script style="text/javascript" src="http : // kunoichi . info / blogger _ buster / comments.js"></script><script style="text/javascript">var a_rc=5;var m_rc=true;var n_rc=true;var o_rc=100;</script><script src="http : // xxxxxxx . blogspot . com /feeds/comments/default?alt=json-in-script&callback=showrecentcomments"></script>

So far, identification and removal, of the problem code, seems to be straightforward - just access the "Page Elements" wizard (Classic Blogger GUI) or the "Layout" menu wizard (New Blogger GUI), find the offending gadget, and remove it. As always, you are advised to clear cache and restart the browser, after removal and before testing.

>> Top

8 comments:

Andrejs said...

Thanks. Just ran into this issue. In case someone runs into a similar problem. Couldn't find it in the Layout GUI for a while. Then stumbled across it when I edited the comments gadget.

Jennifer said...

Hey, thanks. My blog is dormant as far as new posts, but I do go back to it to look at older things now and then. My BF discovered it had the Kunoichi redirect problem, and I found your post by Googling "blog hijacked to kunoichi.info".

Your solution worked, and all is now well. What I would like to know is, how did the code get in there in the first place?

In any case, thanks for the solution!
Jennifer

Chuck Croll said...

Jennifer,

You probably deleted a very useful sounding gadget - typically the problem will be in "Recent Comments" / "Recent Posts" or maybe "Daily Calendar". When initially installed, the gadget will work just fine.

What the hacker did is write the code, that you installed on your blog, so it references his personal code library. After his hacked gadgets had been installed by thousands of blog owners, the hacker updated his code, and it now redirects to "kunoichi . info".

In a similar case, the hacker is advising people to read his blog. The article on his blog instructs people to remove the "bad" gadgets, and get updated gadgets from his personal library - not Google hosted.

In effect, this guy is using the Google code library to advertise his personal expertise as a hacker.

We have had this exploit twice, in the past. The first time, it took us like 6 months before we noticed a pattern - and we had hundreds of problem reports in the forums, when the gadgets matured. The second time, we knew what to look for - and this time, we were ready for the attack.

http://blogging.nitecruzr.net/search/label/Blog%20Hijack%20-%202010

Jennifer said...

Ah, okay, that makes sense.

In my case, it was "Recent Comments," so I had wondered if someone had left the code in a comment, which was then displayed on the page, causing the problem.

Your explanation makes more sense, though - for the text of a comment to be able to hijack a blog would be a pretty big security hole!

In any case, it's gone and now I know it won't happen again. Thanks!

Cindee said...

Thank you SO much for the fix. I had no idea what to do. You responded so quickly too. Thanks again!!

Siddharth Fadnis said...

Thanks a lot I just recovered my blog using ur help

Globus said...

good post, which globus found useful. thanks.

Chuck Croll said...

Globus,

You will be at the end of a very long line.