Octopress Blog Hijacked

I use Octopress to write and generate my blog, which works pretty well most of the time. The main benefit is having a statically generated website: no database connections, no code overhead, just plain and simple text. You’d pretty much have to 0wn the server to get to the files.

To my surprise, though, my blog was redirecting to http://octophile.com when I checked its status today. That was pretty weird. So the first thing I did was check my commit logs. No changes. Github didn’t get owned (at least not publicly known). So what could be redirecting my site?

So I grepped for the domain name I was redirected to.

$ grep -r 'octophile' *

All generated pages had a call to http://octophile.com/widgets.js. This came from the main layout template, and it had been there from the start. So what was it for? I just couldn’t remember. But a quick Google search turned up the Github project page: it’s the Twitter widget I used for a while. Still weird though. So let’s check the contents of the widgets.js file.

redirect
var redir_url = 'http://octophile.com/';
// If the script is loaded inside a frame, redirect the top-level window;
// otherwise redirect the current window. Either way the visitor ends up on octophile.com.
if (window != top) {
  top.location.href = redir_url;
} else {
  window.location = redir_url;
}
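The grep above only finds a domain you already know. The following added example, which is not part of the original post, inventories every external script host in the generated HTML (Octopress writes it to public/), so a stale or abandoned widget stands out even when you have forgotten its name. The sample pages and the allowlist are constructed for the example; run it against your own output directory instead.

```python
"""Inventory third-party <script src> includes in generated site output.

Added example, not from the original post. The sample pages and the
allowlist below are constructed; pass a directory on the command line to
scan real generated HTML instead.
"""
import os
import sys
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptSrcParser(HTMLParser):
    """Collect the src attribute of every <script> tag on a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def external_script_hosts(html):
    """Return the set of remote hosts from which this page loads scripts.

    Relative and root-relative paths are skipped. Protocol-relative
    '//host/x.js' counts as external because the browser still fetches it
    from that host.
    """
    parser = ScriptSrcParser()
    parser.feed(html)
    hosts = set()
    for src in parser.srcs:
        if src.startswith("//"):
            src = "http:" + src
        parsed = urlparse(src)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            hosts.add(parsed.netloc.lower())
    return hosts


def audit_site(pages, allowed_hosts):
    """Map each host not on the allowlist to the pages that load a script from it.

    pages: dict of path -> HTML text; allowed_hosts: hosts you still trust.
    """
    findings = {}
    for path, html in pages.items():
        for host in external_script_hosts(html) - set(allowed_hosts):
            findings.setdefault(host, []).append(path)
    return findings


def load_site(root):
    """Read every .html file under root (for Octopress, the public/ directory)."""
    pages = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if name.endswith(".html"):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    pages[path] = fh.read()
    return pages


# Constructed sample pages standing in for generated output.
SAMPLE_PAGES = {
    "public/index.html": (
        '<html><head><script src="/javascripts/octopress.js"></script>'
        '<script src="http://octophile.com/widgets.js"></script></head></html>'
    ),
    "public/about/index.html": (
        '<html><head><script src="//platform.twitter.com/widgets.js"></script>'
        '<script src="/javascripts/octopress.js"></script></head></html>'
    ),
}
ALLOWED_HOSTS = ["platform.twitter.com"]  # constructed allowlist

if __name__ == "__main__":
    pages = load_site(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_PAGES
    for host, paths in sorted(audit_site(pages, ALLOWED_HOSTS).items()):
        print(f"{host}: loaded by {len(paths)} page(s)")
        for p in paths:
            print(f"  {p}")
```

Anything the audit reports is a host whose operator can change what your site executes at any time, which is exactly what happened here when the widget domain's content changed without any commit on the author's side. Rerunning it after each generate keeps the template's third-party includes from being forgotten.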

OK, that explains the redirect. Now let’s take a look at the WHOIS data for the octophile domain.

   Domain Name: OCTOPHILE.COM
   Registrar: DOMAINTIMEMACHINE.COM LLC
   Sponsoring Registrar IANA ID: 1200
   Whois Server: whois.domaintimemachine.com
   Referral URL: http://www.networksolutions.com
   Name Server: 70222-NS1.NDOVERDRIVE.COM
   Name Server: 70222-NS2.NDOVERDRIVE.COM
   Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
   Updated Date: 05-feb-2015
   Creation Date: 30-jan-2014
   Expiration Date: 30-jan-2016

So the DNS was changed yesterday. It might be that somebody hijacked the domain, but I’m not sure. Maybe the project is just discontinued. Whatever it is, it was fun to figure out what was going on. I contacted the owner of the widget but haven’t received a reply yet.

UPDATE

I got a quick response from the project owner. He stopped working on it a long time ago, and I probably should have cleaned up my templates. Good thing no evil javascript was injected :)
