Some type of spam bot (er, something) has taken over my blog.
June 3, 2007 2:02 PM   Subscribe

Make sure your DNS is correct with your hosting company.
posted by Solomon at 2:05 PM on June 3, 2007

Are you sure that your domain didn't expire and you forgot about it?
posted by Memo at 2:05 PM on June 3, 2007

The whois data suggests it's been registered since November 2004 and shouldn't expire until November 2007. Perhaps someone with a silver or gold membership to domaintools could tell you more about the IP and whois histories.
posted by Partial Law at 2:12 PM on June 3, 2007

Whois says that the domain belongs to a Conrad, which I assume is you, and that it doesn't expire until November. I say to double check your DNS. If all of that is correct, you should ask your hosting company.
posted by rhapsodie at 2:14 PM on June 3, 2007

You are still registered as the owner of the domain on a whois look up (at least I assume that's you).

Check with your web host what your name servers should be for your blog. Then check with your registrar (which, given your whois, is Yahoo) and make sure that they have your domain name pointed to the correct name servers.
posted by gemmy at 2:17 PM on June 3, 2007

Actually, it's not domain-related at all. I just saved the target at the main site, and it's your full blog, good as you left it (presumably). Except for some reason, the first line starts as follows:

[script language='Javascript']window.location.replace(' http://www.find.fm/search.php?aid=9173&keyword=casino');[/script]

(angle brackets changed to square for display purposes)

Delete that and you should be good to go.
posted by Partial Law at 2:19 PM on June 3, 2007

I have said membership and nothing appears to have changed dramatically in four years. I'd say that you should contact your host.
posted by FlamingBore at 2:19 PM on June 3, 2007

(Where "good to go" means "your site will work again but you should probably find and fix whatever security hole allowed that to happen in the first place.")
posted by Partial Law at 2:20 PM on June 3, 2007

When I picked up my domain, I prepaid for ten years. It's mine until June of 2011.

But I have a separate deal with a different company for DNS services. That is on a yearly basis. One year I forgot to renew in time, and my domain started being redirected to a placeholder page at the DNS company.
posted by Steven C. Den Beste at 2:21 PM on June 3, 2007

It's not a DNS issue, it's Javascript doing a redirect after the page loads. (Try it yourself -- turn off Javascript and go there.)

At the very top of each page something is inserting the following Javascript:

<script language='Javascript'>window.location.replace(' http://www.find.fm/search.php?aid=9173&keyword=casino');</script>

Now you need to figure out how it gets there. Wordpress 1.5.2 is two years old and undoubtedly has some well-publicized security issues; alternatively, someone may have obtained or guessed your blog or server administrative passwords.

I'd recommend letting your provider know that something happened (and asking for their help to make sure it's cleaned up), upgrading to the latest version of WordPress, and changing your hosting and blog passwords.

If you absolutely can't upgrade Wordpress right now, then you need to scour your templates and plugins for that Javascript (and still change passwords).
posted by mendel at 2:25 PM on June 3, 2007

Try searching the files inside your template folder (wp-content/themes/yourtheme/). It should be in header.php or index.php.
posted by Memo at 2:51 PM on June 3, 2007

If you switch your template, does it still happen?
posted by Liosliath at 3:32 PM on June 3, 2007

Your wp-content/themes folder contains three themes: classic, default, and landon-howell. At first, I assumed you're using landon-howell, but now that I've looked back at your page source, I think you're using default. At least, that's where your header and footer images are. So my best guess is that the offending code is in /wp-content/themes/default/header.php. If it is, it should be right at the top, before the "doctype" declaration.
posted by Partial Law at 3:37 PM on June 3, 2007

It's a clear exploit. Back up your posts, nuke everything and then install the latest Wordpress.
posted by reklaw at 4:03 PM on June 3, 2007

Are you able to log onto your weblog's admin interface (which you've most likely been on before: it is a URL that should look like http://landonhowell.com/wp-admin/)?

If so, log in, go to Presentation, then click on Theme Editor. Select the theme you're using from the pull-down menu, if it's not already on it. In the righthand column, you should see the word "Header."

Click on that. You should see a text box with code inside. If that text box has an italicized "If this file were writable you could edit it", then you'll have to edit the file by downloading it from your site and reuploading it -- but if it has a "Save Changes" kind of deal, you should be able to remove the line in question right from your WordPress admin interface.

Whenever you do recover, then I highly recommend your next steps be to (a) upgrade to WordPress 2.1 and (b) change your admin password. Also, the "Bad Behavior" plugin might be of use in terms of turning away bad IP addresses.
posted by WCityMike at 4:47 PM on June 3, 2007

« Older Is there a good online resourc...   |   Does anyone know if tonight's ... Newer »

This thread is closed to new comments.