
Identifying And Removing Deviously Engineered And Marketed Blog Hijacks

We saw the symptoms of the first carefully engineered blog hijacks, in Blogger Help Forum: Something Is Broken, two years ago. During each succeeding holiday season, each attack has apparently become more and more deviously engineered.

This season (each season starts in the Fall of one year and lasts until Spring of the following year), we are seeing a hijack complement which appears to be devious in both marketing and installation technique, and which requires a complex search of the affected blogs. If you are receiving reports from your readers
  "Your blog starts to load - but is quickly replaced by a page full of advertisements!"
you may need to exhaustively examine your blog for any third party code - and as always, the problem code may have been installed at any time in the past. When discovered, the hijacks are not consistently found in recently installed code.

The blog hijacks being examined during this holiday season appear to be deviously planned and marketed.
  • The hijacks use a variety of host accessories and gadgets.
  • The hijacks use a variety of distribution libraries.
  • The hijacks are being marketed to a diverse audience, which leads to different installation techniques - and necessitates the complex search of affected blogs.

To find and remove a hijack from an affected blog, you'll need to start by viewing the blog in question, using a text only browser, or proxy service. I, personally, use several products.
  • hpHosts vURL is a text only browser, that runs as a stand alone application locally on your computer.
  • Notepad-Plus-Plus is an offline text editor, which provides a variety of search tools for text files. You can sometimes avoid use of your browser completely, by copying page source code directly from vURL.
  • Rex Swain's HTTP Viewer is a standard online text proxy that I use.
  • Lingo4you HTTP Web-Sniffer is an online alternative to Rex Swain.
All of these products may be more or less useful in identifying the source of your specific hijack. The Rex Swain and Web-Sniffer text proxies each have their effective differences.

If anybody uses alternative products, and cares to share information about the tools used, I will most gratefully add them to my library here.

The approach here is complex.
  1. Of course, back up the template before starting.
  2. Load the blog in question in the text browser / proxy display of your choice.
  3. Do a simple text search for the identified host / target name in the URL, such as "adiwidget", "pagesinxt", or "ripway".
  4. You'll see several different possibilities.
    • The search may reveal the hijacking code in an HTML gadget. You can use the "Pages Elements" / Design tab (Classic GUI), or the "Layout" wizard (New GUI), and remove the offending gadget.
    • The search may reveal the hijacking code in the template HTML. You'll have to use the Template Editor, and remove the offending lines of code.
    • The search may not find any identified host name, in a text search. You'll have to do an extensive text search, looking for unknown HTML / JavaScript gadgets / snippets of code, and evaluate each gadget / snippet, on the fly.
  5. You may need to bypass the Blogger menu structure, to directly access the Blogger wizard needed, if trying to use the Blogger menus is also a problem.
  6. Clear browser cache, before checking for success.
  7. And always back up the template again, after completing this task.
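
Steps 3 and 4 can also be run against page source saved from the text viewer. The following is an added example, not code from the original post: it reports snippets containing one of the host names quoted in step 3, then lists every other third-party script, iframe, or inline script for manual evaluation. The TRUSTED host list, the class and function names, and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_NAMES = ("adiwidget", "pagesinxt", "ripway")  # names quoted in step 3
# Assumption: hosts this blog owner treats as first party; adjust per blog.
TRUSTED = ("blogger.com", "blogspot.com", "google.com", "gstatic.com")

class SnippetCollector(HTMLParser):  # records external and inline snippets
    def __init__(self):
        super().__init__()
        self.found, self._inline = [], None  # found: (line, kind, detail)
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "iframe", "embed") and src:
            self.found.append((self.getpos()[0], tag, src))
        elif tag == "script":
            self._inline = [self.getpos()[0], ""]  # body arrives as data
    def handle_data(self, data):
        if self._inline:
            self._inline[1] += data
    def handle_endtag(self, tag):
        if tag == "script" and self._inline:
            line, body = self._inline
            if body.strip():
                self.found.append((line, "inline-script", body.strip()))
            self._inline = None

def trusted(host):
    # Match whole domain labels so "evilblogger.com" is not treated as trusted.
    return any(host == t or host.endswith("." + t) for t in TRUSTED)

def audit(html):
    """Return (known, review): step 3 name hits, then snippets to evaluate by hand."""
    parser = SnippetCollector()
    parser.feed(html)
    parser.close()
    known, review = [], []
    for line, kind, detail in parser.found:
        host = None if kind == "inline-script" else urlparse(detail).hostname
        if any(name in detail.lower() for name in KNOWN_NAMES):
            known.append((line, kind, detail))
        elif kind == "inline-script" or (host and not trusted(host)):
            review.append((line, kind, detail))
    return known, review

# Constructed sample: page source as saved from a text-only viewer.
SAMPLE = """<script src="https://www.blogger.com/static/v1/widgets/w.js"></script>
<div class="widget HTML"><script src="http://cdn.adiwidget.example/c.js"></script></div>
<div class="widget HTML"><iframe src="//stats.gadget.example/f"></iframe></div>
<div class="widget HTML"><script>var hits = 0; /* counter */</script></div>"""
```

Call audit() on the saved source; the line numbers in each result refer to that saved text, which makes the matching gadget or template line easier to locate before removing it.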

And hopefully, having found and removed a hijack from your blog, you will learn to be more discreet in your choice of accessories and gadgets in the future.

Comments

David Chin said…
Thank you Chuck for sharing this info. However, it is too technical and complicated for me to understand or follow.
Nitecruzr said…
Thanks for the feedback, David. If you have a hijack problem, may I suggest that you post in Blogger Help Forum: Something Is Broken, where we can attempt to advise you in person?
