Removing a malware warning or redirect from a Blogspot (Blogger) site

Zobair khan
Oct 26, 2020

Note: There are 2 fairly common issues that come up with Blogger sites. The first is blog owners who don’t run ads suddenly seeing ads on their site and in their dashboard. The second is blog owners suddenly seeing random words in their posts highlighted, with an ad popping up when you mouse over them. In most cases these issues are caused by a rogue browser plugin or extension on the blog owner’s computer, not something malicious in their code. If you encounter either of these issues, try checking from another computer, or get a friend to check from theirs. If they do not see the same symptoms, the issue is with the blog owner’s computer/browser. You will have to go in and disable your plugins/extensions 1 by 1 to determine which one is causing the problem.


Redirects to random sites — (kunoichi.info, webhostingpunk.com, ping.blogspot-ping.com, scrapur.com, quiterandom.com, retweet.com, ibizeye.com, wallheaven.com, gelgit.tk/www.shamchat.c.la, coloncleansecompany.com, adsentra.com, chat-forum.com, YOUROWNHOSTING.COM)

I see a number of Blogger sites that suddenly start redirecting to one of the domains listed above (and others). The redirect is typically caused by the following script call/line of code:

<script src='http://ping.blogspot-ping.com/ping.js' type='text/javascript'></script>

or an iframe

<iframe src="http://gelgit.tk/iframe.htm"> </iframe>

To stop the redirect you will need to find and remove that line of code, the script call or the iframe. In some cases the code is in the site template, but in others it is located in one of the gadgets on the site. If you use the Blogger Tool first to find the code, you can tell whether you need to edit the template or one of your gadgets. If you are having trouble locating the code, try the tool at Blogger Tool to request the URL (page). The tool will list out the code for your site and in most cases highlight the line of code causing the redirect.

If you are having trouble accessing/editing the template due to the redirect, you might try using Firefox with the NoScript add-on at http://noscript.net/

1. Open Firefox, navigate to http://noscript.net/ and install NoScript. This will prevent the redirect from executing.
2. Login to your Blogger account -> www.blogger.com.
3. Once logged in at www.blogger.com, you’ll see a list of options or URL addresses.
4. Right-click on any of the options. It will open up a list of options; go to NoScript, and then click ‘allow blogger.com’.
5. This opens up your dashboard.

The next step will depend on whether the code is in your template or in one of your gadgets —

If it is in your template

6. Click on the ‘More Options’ link and click on ‘Template’.
7. Click on ‘Edit HTML’ and then click on ‘Proceed’. It will open up a whole body of code. Search for the offending code, for example

<script src='http://ping.blogspot-ping.com/ping.js' type='text/javascript'></script>
or
<script src='http://quiterandom.com/js/domtab/domtab.js' type='text/javascript'> </script>

8. Delete the offending code. Then click ‘Save Template’.

If it is in one of your gadgets

6. Go to Layout
7. If you can edit the code in the gadget, delete the line of code. If you cannot edit the code in the gadget, you will need to remove the gadget.
Then:
8. Save your changes
9. Clear your cache and cookies.
10. Sign out of Blogger.

I am getting a malware warning when I open my Blogger / Blogspot site.

This question comes up fairly regularly on some of the forums where I participate: “Suddenly Chrome or Firefox or Safari is blocking access to my blog with a reported attack sites page. Has my blog been hacked?” The answer is a very ambiguous “probably not”.

The first thing you need to do is check the Safe Browsing Diagnostic Page for your site at

http://www.google.com/safebrowsing/diagnostic?site=http://your-blog-name.blogspot.com

where hopefully you will see —

What is the current listing status for your-blog-name.blogspot.com?
This site is not currently listed as suspicious.

So the next part of the question is “I have checked the Google Diagnostic Page for my site and it shows not suspicious.” So why are you/your visitors getting a warning page when accessing your site?

If you/your visitors are getting a warning on one or more of the pages of your site in browsers such as Chrome, Firefox or Safari and your site is not (yet) flagged by Google, it is probably a cross-site warning. Chrome, Firefox and Safari all feature an internal security system that utilizes Google’s Malware API. If a browser such as Chrome detects code on your page (scripts, iframes, image tags) that loads ANY content from, or redirects to, a site that is currently flagged by Google, the browser will throw up a warning. The warning will not identify your site; it will identify the site that is hosting malware, the external site that is loading content on your page.

SEE: http://oliverfisher.blogspot.com/2009/01/cross-site-warnings.html

In the blogs I have checked, the most common source I have found is a favicon. At some point in the past the blogger has added a link to another blog using that blog’s favicon as the anchor. Everything has worked fine for weeks/months, but suddenly the blog/site being linked to gets flagged by Google, so when the page loads, the browser detects that the page is trying to load the favicon from the linked blog and the warning page is shown. The warning page will identify the flagged site, so it is usually just a matter of finding the code that is loading the content from that site.

In the majority of the cases I find the code in a Blog Roll/Blog list in a widget. The code looks something like this:

<div class='widget BlogList' id='BlogList1'>
<h2 class='title'>My Blog List</h2>
<div class='widget-content'>
<div class='blog-list-container' id='BlogList1_container'>
<ul id='BlogList1_blogs'>
<li style='display: block;'>
<div class='blog-icon'>
<input type='hidden' value='http://www.flagged-site.com/favicon.ico'/>
</div>
<div class='blog-content'>
<div class='blog-title'>
<a href='http://www.flagged-site.com/' target='_blank'>
Blog I would like to link to</a>
</div>

The line of code causing the problem is this one: <input type='hidden' value='http://www.flagged-site.com/favicon.ico'/>. When your page loads, the browser detects that it is loading content from the flagged site, stops loading your page and throws up the warning page. The only way to remove the warning is to delete the code loading the content until such time as the owner of the flagged site gets their site cleaned up and cleared by Google.

Although not as common, the second cause I see is the page loading an image from a flagged site. The code to load an image typically looks something like this:

<img src="http://www.flagged-site.com/wp-content/gallery/ruby/thumbs/thumbs_00.png" width="50" height="50" title="xxx_00" alt="xxx_00" />

You may not see all of the attributes such as title or alt.

Again when the browser detects the page is trying to load the image from a flagged site it will stop loading your page and throw up the warning screen. Again the only way to remove the warning is to delete the image from the pages of your site.

Although very rare on Blogspot, I do see the occasional case where the content from the flagged site is being loaded through an iframe or a script call. The code for an iframe and script call would look something like this:

<iframe src="http://flagged-site.com/file.php" width="1" height="1"> </iframe>
or
<script type="text/javascript" src="http://flagged-site.com//media/system/js/script.js"> </script>

The thing to look for in most cases is that flagged domain, the one identified on the warning page. Except —

You are getting a malware warning in Chrome and the warning identifies securesoft-trip.ru (or some other random malicious site). You scan through all the pages of your site and nowhere, not once, are you loading any content from securesoft-trip.ru. What is happening in this case is that, again, one of the sites that you are loading content from (you have something like)

<input type='hidden' value='http://www.really-cool-site.com/favicon.ico'/>

has been hacked, but the hack on that 3rd party site, www.really-cool-site.com, is a redirect: all requests to that site are being redirected to securesoft-trip.ru. If the site that you are loading content from has not been flagged yet, this case can be very difficult to find.
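An inventory of every external host the page loads content from covers both cases above: it shows a direct load from the domain on the warning page, and when that domain appears nowhere in your markup it gives you the list of hosts to check one by one on the Safe Browsing diagnostic page. This is an added example, not the author's Blogger Tool or code from the original post; the function names are chosen here and the sample HTML is constructed from the article's placeholder domains.

```python
from collections import defaultdict
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag/attribute pairs the article names as content loads (<a href> is a link, not a load).
LOADS = {("script", "src"), ("iframe", "src"), ("img", "src"), ("input", "value")}

class ExternalLoads(HTMLParser):
    """Collect every absolute http(s) URL the page pulls content from."""
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.by_host = defaultdict(list)    # host -> [(line, tag, url)]

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if (tag, name) not in LOADS or not value:
                continue
            url = value.strip()
            if url.startswith("//"):        # protocol-relative URL
                url = "http:" + url
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
            if parts.scheme in ("http", "https") and host and host != self.own_host:
                self.by_host[host].append((self.getpos()[0], tag, url))

def inventory(html, own_host):
    parser = ExternalLoads(own_host)
    parser.feed(html)
    parser.close()
    return dict(parser.by_host)

def matches(hosts, flagged):
    """Hosts equal to, or subdomains of, the domain named on the warning page."""
    flagged = flagged.lower()
    return sorted(h for h in hosts if h == flagged or h.endswith("." + flagged))

# Constructed sample: a saved page fragment using the article's placeholder domains.
SAMPLE = """<input type='hidden' value='http://www.really-cool-site.com/favicon.ico'/>
<a href='http://www.really-cool-site.com/' target='_blank'>Blog I link to</a>
<img src="http://www.flagged-site.com/wp-content/gallery/ruby/thumbs/thumbs_00.png"/>
<script src='http://ping.blogspot-ping.com/ping.js' type='text/javascript'></script>
<img src="/local/header.png"/>"""

if __name__ == "__main__":
    found = inventory(SAMPLE, "your-blog-name.blogspot.com")
    for host, hits in sorted(found.items()):
        print(host, hits)
    print("named on warning page:", matches(found, "flagged-site.com"))
```

An empty result from `matches` for the domain on the warning page points to the redirect case: one of the hosts in the inventory is acting as the intermediary.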

With this scenario, because malicious content is being downloaded, your site could (will?) eventually be flagged by Google. If you checked the diagnostic page for your site you would see something like this.

What is the current listing status for your-blog-name.blogspot.com?
Site is listed as suspicious — visiting this web site may harm your computer.

Malicious software is hosted on 1 domain(s), including securesofttrip.ru/.

1 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including www.really-cool-site.com/.

In this case the domain name for the intermediary, www.really-cool-site.com, will be an active link to the Safe Browsing Diagnostic Page for the intermediary site. The first thing you should do is click on that link and check the current status of www.really-cool-site.com. In some cases you will find that the owner of www.really-cool-site.com has gotten their site cleaned up and it is no longer being listed as suspicious. If the site (or sites, if there is more than one intermediary site) is no longer being listed as suspicious, then all you will need to do is submit a malware review request to Google to get the warning removed from your blog.

There are a number of factors that come into play: Is your site flagged or not flagged? Is the external URL on your site serving malicious content or not? Is the external site flagged or not? Is the external URL redirecting to a malicious site? All these possibilities can make it very difficult to determine what exactly is happening to your site!

The most common scenario I see is that the content being loaded from the flagged site is not itself malicious. Remember the browser will generate the warning for ANY content being loaded from a flagged site, the browser does not check to see if the content is actually malicious. In this scenario Google will not flag your site, the diagnostic page for your site will read not suspicious and you will not see any notices in your Webmaster Tools account. In this scenario the warning should go away immediately once you have removed that code (you may have to delete the browser history/cache).

A distant second, the content being loaded from the flagged site is in fact malicious. In this scenario if/when Google discovers the malicious content your site will be flagged by Google. If your site does get flagged by Google then the warnings will not be removed until you submit a review request to Google, they scan your site and find it clean. You can check to see if Google has flagged your site by visiting the Safe Browsing Diagnostic Page for your site at

http://www.google.com/safebrowsing/diagnostic?site=your-domain-name

The most confusing: you are notified by one of your users that they got a warning on your site in Chrome or Safari, so you go to check and there are no warnings. Normally what has happened in this case is that, again, an external site you load content from has gotten flagged and has started to generate a cross-site warning, but between the time your user got the warning and the time you were notified and checked, the owner of the external site has gotten their site cleaned up and Google has removed the flag, so it no longer generates a cross-site warning on your site.

Although rare, on occasion the malicious 3rd party content is not on the home page of your blog. On occasion I check a blog where the owner has included an image from another site in a blog post and that site gets hacked and flagged by Google. Again, since your blog is loading content from a site that has been flagged, your users will start getting warnings. This can be a pretty difficult problem to find. If you can identify the post that is causing the warning, maybe by asking your readers for the specific URL that gives a warning, then you can try checking that post with my Blogger Tool. In most cases it will identify the external content that is generating the warning.

It is unfortunate when a legitimate site gets hacked and I am sure that the site owners will be working hard to get it cleaned up. If you feel that a link or image adds value to your users, you should keep the bit of code handy and add it back once any issues are resolved with their site. You can check the Google diagnostic page for any site by visiting

http://www.google.com/safebrowsing/diagnostic?site=domain-name

and entering the domain name of the site you want to check. The diagnostic page will tell you if the site is currently suspicious. No doubt you would like to see other site owners restore links to your site if unfortunately your site should get flagged.

I have looked at many thousands of flagged sites over the years and I have seen very few Blogger/Blogspot sites among those sites. While I have looked at a few Blogger/Blogspot sites, I have never seen a case where a Blogger/Blogspot site has been hacked, at least not a case of a 3rd party hacking into the site and adding malicious code. In every case I have seen, the problem has originated with a 3rd party script, or is due to 3rd party content, almost always a favicon or image being used as the anchor for a link.
