Some type of spam bot (er, something) has taken over my blog.
June 3, 2007 2:02 PM

When people visit my blog landonhowell.com it then takes them to some generic page.

How did this happen?
How do I fix this?
posted by bamassippi to Computers & Internet (16 answers total)
 
Make sure your DNS is correct with your hosting company.
posted by Solomon at 2:05 PM on June 3, 2007


Are you sure that your domain didn't expire and you forgot about it?
posted by Memo at 2:05 PM on June 3, 2007


The whois data suggests it's been registered since November 2004 and shouldn't expire until November 2007. Perhaps someone with a silver or gold membership to domaintools could tell you more about the IP and whois histories.
posted by Partial Law at 2:12 PM on June 3, 2007


Whois says that the domain belongs to a Conrad, which I assume is you, and that it doesn't expire until November. I say to double check your DNS. If all of that is correct, you should ask your hosting company.
posted by rhapsodie at 2:14 PM on June 3, 2007


You are still registered as the owner of the domain on a whois look up (at least I assume that's you).

Check with your web host what your name servers should be for your blog. Then check with your registrar (which, given your whois, is Yahoo) and make sure that they have your domain name pointed to the correct name servers.
posted by gemmy at 2:17 PM on June 3, 2007


Actually, it's not domain-related at all. I just saved the target at the main site, and it's your full blog, good as you left it (presumably). Except for some reason, the first line starts as follows:
[script language='Javascript']window.location.replace(' http://www.find.fm/search.php?aid=9173&keyword=casino');[/script]
(angle brackets changed to square for display purposes)

Delete that and you should be good to go.
posted by Partial Law at 2:19 PM on June 3, 2007


I have said membership and nothing appears to have changed dramatically in four years. I'd say that you should contact your host.
posted by FlamingBore at 2:19 PM on June 3, 2007


(Where "good to go" means "your site will work again but you should probably find and fix whatever security hole allowed that to happen in the first place.")
posted by Partial Law at 2:20 PM on June 3, 2007


When I picked up my domain, I prepaid for ten years. It's mine until June of 2011.

But I have a separate deal with a different company for DNS services. That is on a yearly basis. One year I forgot to renew in time, and my domain started being redirected to a placeholder page at the DNS company.
posted by Steven C. Den Beste at 2:21 PM on June 3, 2007


It's not a DNS issue, it's Javascript doing a redirect after the page loads. (Try it yourself -- turn off Javascript and go there.)

At the very top of each page something is inserting the following Javascript:

<script language='Javascript'>window.location.replace(' http://www.find.fm/search.php?aid=9173&keyword=casino');</script>

Now you need to figure out how it gets there. WordPress 1.5.2 is two years old and undoubtedly has some well-publicized security issues; alternatively, someone may have obtained or guessed your blog or server administrative passwords.

I'd recommend letting your provider know that something happened (and asking for their help to make sure it's cleaned up), upgrading to the latest version of WordPress, and changing your hosting and blog passwords.

If you absolutely can't upgrade WordPress right now, then you need to scour your templates and plugins for that Javascript (and still change passwords).
posted by mendel at 2:25 PM on June 3, 2007


Response by poster: @Partial Law

Thanks for the info. How do I "Delete that" and be good to go?

(Sorry, you might have to explain some things to me...not as advanced as most MeFi folks)
posted by bamassippi at 2:44 PM on June 3, 2007


Try searching the files inside your template folder (wp-content/themes/yourtheme/). It should be in header.php or index.php.
posted by Memo at 2:51 PM on June 3, 2007


Response by poster: Hmmmm....

So, I checked all files in the template folder, as well as the plug-ins...and found nothing. I even removed all of the plug-ins and script...and it STILL re-routed my webpage to the alternate page.

What now?
posted by bamassippi at 3:24 PM on June 3, 2007


If you switch your template, does it still happen?
posted by Liosliath at 3:32 PM on June 3, 2007


Your wp-content/themes folder contains three themes: classic, default, and landon-howell. At first, I assumed you're using landon-howell, but now that I've looked back at your page source, I think you're using default. At least, that's where your header and footer images are. So my best guess is that the offending code is in /wp-content/themes/default/header.php. If it is, it should be right at the top, before the "doctype" declaration.
posted by Partial Law at 3:37 PM on June 3, 2007
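
One way to do the search the answers above describe (scouring templates and plugins for the injected Javascript, and checking whether it sits before the "doctype" declaration), as an added example that is not part of the original thread. It generalizes slightly beyond the quoted line by also matching `location.href = ...` and `location.assign(...)`; the function names, the `redirect.example` URL and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

SCRIPT = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
# Assignment to location / location.href, or a call to location.replace() / assign().
NAVIGATE = re.compile(
    r"location\s*(?:\.\s*href\s*)?=(?!=)|location\s*\.\s*(?:replace|assign)\s*\(", re.I)
EXTENSIONS = (".php", ".html", ".htm", ".inc", ".js")

def scan_text(text):
    """Return (line, precedes_doctype, snippet) for each inline script that navigates away."""
    doctype = text.lower().find("<!doctype")  # -1 when the file has no doctype
    hits = []
    for block in SCRIPT.finditer(text):
        if NAVIGATE.search(block.group(1)):
            line = text.count("\n", 0, block.start()) + 1
            early = block.start() < doctype  # always False when doctype == -1
            hits.append((line, early, block.group(0)[:80]))
    return hits

def scan_tree(root):
    """Walk root and return (relative_path, line, precedes_doctype, snippet) per hit."""
    found = []
    for folder, _dirs, files in os.walk(root):
        for name in sorted(files):
            if name.lower().endswith(EXTENSIONS):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    for hit in scan_text(handle.read()):
                        found.append((os.path.relpath(path, root),) + hit)
    return found

def build_sample_tree():
    """Constructed sample: one theme file with an injected first line, one clean file."""
    root = tempfile.mkdtemp()
    theme = os.path.join(root, "themes", "default")
    os.makedirs(theme)
    with open(os.path.join(theme, "header.php"), "w", encoding="utf-8") as f:
        f.write("<script language='Javascript'>window.location.replace("
                "'http://redirect.example/search.php');</script>\n"
                "<!DOCTYPE html>\n<html><head><script src='ui.js'></script>\n")
    with open(os.path.join(theme, "footer.php"), "w", encoding="utf-8") as f:
        f.write("<script>var here = window.location.pathname;</script>\n</html>\n")
    return root

if __name__ == "__main__":
    for hit in scan_tree(build_sample_tree()):
        print(hit)
```

Run against a downloaded copy of the site, `scan_tree` takes the path to `wp-content` or to the whole WordPress directory; a hit with `precedes_doctype` set to `True` is the pattern described above, a script placed ahead of the page's own markup.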


It's a clear exploit. Back up your posts, nuke everything and then install the latest WordPress.
posted by reklaw at 4:03 PM on June 3, 2007

