System Doctor 2006 ... huge problem
31.  AliceW.  
From: AliceW.
Date: Wed, 25 Oct 2006 19:54:15 -0700
Local: Wed, Oct 25 2006 10:54 pm
Subject: Re: System Doctor 2006 ... huge problem
Loading very slowly though...

----------------
http://cmbs.cnc.net/blogtemplates  Beta Blogger Templates
http://blogsitecomparison.blogspot.com/  Find the right site for your
next blog.


32.  Swtrose  
From: Swtrose
Date: Wed, 25 Oct 2006 19:57:54 -0700
Local: Wed, Oct 25 2006 10:57 pm
Subject: Re: System Doctor 2006 ... huge problem
 Shawn is here at Google Groups helping, but he is the webmaster of
eight websites plus runs three of his own, and Dustin's blog does not load
slowly on my end.

33.  Shawn DesRochers  
From: Shawn DesRochers
Date: Wed, 25 Oct 2006 20:44:08 -0700
Local: Wed, Oct 25 2006 11:44 pm
Subject: Re: System Doctor 2006 ... huge problem
Well the Gods bellowed and I have arrived as requested by AliceW ;-P

I apologize Dustin, as I run a web hosting company and a graphic design
firm that keeps me on my toes, not to mention I am the webmaster for 8
other communities!!!

So AliceW, get a life, I do this for a living, not for fun and games, and I
didn't attack you anywhere in my current reply; I stated an opinion as
an IT professional and I apologize if you read further into it! I have
many posts on here supporting CSS and Cascading Style Sheets, yet I
don't see any from you? Yet aren't you a designer, strange
nonetheless.

So Dustin, to your problem: I have loaded your blog in several different
browsers, Opera, Internet Explorer, Firefox and Netscape, and can't seem
to duplicate the error or hijack..

However I had Rose load the blog and sure enough it comes up with some vDEV
code error.

So I reviewed your source code and again no obvious infractions of
hijacking, but my browser security is currently blocking 7 cookies and
one is definitely a mining cookie spyware!!!!

What have you added lately to your blog? Any JavaScripts or plugins
like widgets etc.., as one of them is pulling this cookie info in and
causing havoc on your blog...

The mining cookie is the following and is your issue. I broke the link
up, as if you click the link it will attempt to install spyware on your
PC.

Do not click or paste the link in your browser, you have been warned..

http://go.  systemdoctor.com/  MzY2nw==/2  /971/ax=1/ed=2/ex=1//

Now Dustin, to view this yourself, increase your security to block
cookies and then go back to your blog; you will see 8 different
cookies...

3-4 are Blogger and the widgets, but the one above and another one are
definitely bad apples. I recommend removing anything you may have added
over the period that it started to occur; these are being pulled in by
a JavaScript somewhere in your blog template and they're not injected
into your source code..

Example of Source code!
// Begin Source
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">

<head>
  <title>Original Root Zen Center</title>

  <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<meta name="MSSmartTagsPreventParsing" content="true" />
<meta name="generator" content="Blogger" />
<link rel="alternate" type="application/atom+xml" title="Original Root Zen Center (Atom 0.3)" href="" />
<link rel="alternate" type="application/rss+xml" title="Original Root Zen Center (RSS 2.0)" href="" />
<link rel="service.post" type="application/atom+xml" title="Original Root Zen Center" href="https://www.blogger.com/atom/5754349" />
<link rel="service.post" type="application/atom+xml" title="Original Root Zen Center (Atom 1.0)" href="http://www.blogger.com/feeds/5754349/posts/summary" />

<link rel="EditURI" type="application/rsd+xml" title="RSD" href="http://www.blogger.com/rsd.g?blogID=5754349" />
<style type="text/css">
@import url("http://www.blogger.com/css/blog_controls.css");
@import url("http://www.blogger.com/dyn-css/authorization.css?blogID=5754349");
</style>

  <style type="text/css">
/*
-----------------------------------------------
Blogger Template Style
Name:     Rounders 2
Designer: Douglas Bowman
URL:      www.stopdesign.com
Date:     27 Feb 2004
----------------------------------------------- */

body {
  background:#ccc;
  margin:0;
  padding:20px 10px;
  text-align:center;
  font:x-small/1.5em "Trebuchet MS",Verdana,Arial,Sans-serif;
  color:#333;
  font-size/* */:/**/small;
  font-size: /**/small;
  }

/* Page Structure
----------------------------------------------- */
/* The images which help create rounded corners depend on the
   following widths and measurements. If you want to change
   these measurements, the images will also need to change.
   */
@media all {
  #content {
    width:740px;
    margin:0 auto;
    text-align:left;
    }
  #main {
    width:485px;
    float:left;
    background:#fff url("http://www.blogblog.com/rounders2/corners_main_bot.gif") no-repeat left bottom;
    margin:15px 0 0;
    padding:0 0 10px;
    color:#000;
    font-size:97%;
    line-height:1.5em;
    }
  #main2 {
    float:left;
    width:100%;
    background:url("http://www.blogblog.com/rounders2/corners_main_top.gif") no-repeat left top;
    padding:10px 0 0;
    }
  #main3 {
    background:url("http://www.blogblog.com/rounders2/rails_main.gif") repeat-y;
    padding:0;
    }
  #sidebar {
    width:240px;
    float:right;
    margin:15px 0 0;
    font-size:97%;
    line-height:1.5em;
    }
  }
@media handheld {
  #content {
    width:90%;
    }
  #main {
    width:100%;
    float:none;
    background:#fff;
    }
  #main2 {
    float:none;
    background:none;
    }
  #main3 {
    background:none;
    }
  #sidebar {
    width:100%;
    float:none;
    }
  }

/* Links
----------------------------------------------- */
a:link {
  color:#b30;
  }
a:visited {
  color:#666;
  }
a:hover {
  color:#c63;
  }
a img {
  border-width:0;
  }

/* Blog Header
----------------------------------------------- */
@media all {
  #header {
    background:#710 url("http://www.blogblog.com/rounders2/corners_cap_top.gif") no-repeat left top;
    margin:0 0 0;
    padding:8px 0 0;
    color:#fff;
    }
  #header div {
    background:url("http://www.blogblog.com/rounders2/corners_cap_bot.gif") no-repeat left bottom;
    padding:0 15px 8px;
    }
  }
@media handheld {
  #header {
    background:#710;
    }
  #header div {
    background:none;
    }
  }
#blog-title {
  margin:0;
  padding:10px 30px 5px;
  font-size:200%;
  line-height:1.2em;
  }
#blog-title a {
  text-decoration:none;
  color:#fff;
  }
#description {
  margin:0;
  padding:5px 30px 10px;
  font-size:94%;
  line-height:1.5em;
  }

/* Posts
----------------------------------------------- */
.date-header {
  margin:0 28px 0 43px;
  font-size:85%;
  line-height:2em;
  text-transform:uppercase;
  letter-spacing:.2em;
  color:#810;
  }
.post {
  margin:.3em 0 25px;
  padding:0 13px;
  border:1px dotted #bbb;
  border-width:1px 0;
  }
.post-title {
  margin:0;
  font-size:135%;
  line-height:1.5em;
  background:url("http://www.blogblog.com/rounders2/icon_arrow.gif") no-repeat 10px .5em;
  display:block;
  border:1px dotted #bbb;
  border-width:0 1px 1px;
  padding:2px 14px 2px 29px;
  color:#333;
  }
a.title-link, .post-title strong {
  text-decoration:none;
  display:block;
  }
a.title-link:hover {
  background-color:#eee;
  color:#000;
  }
.post-body {
  border:1px dotted #bbb;
  border-width:0 1px 1px;
  border-bottom-color:#fff;
  padding:10px 14px 1px 29px;
  }
html>body .post-body {
  border-bottom-width:0;
  }
.post p {
  margin:0 0 .75em;
  }
p.post-footer {
  background:#eee;
  margin:0;
  padding:2px 14px 2px 29px;
  border:1px dotted #bbb;
  border-width:1px;
  border-bottom:1px solid #eee;
  font-size:100%;
  line-height:1.5em;
  color:#666;
  text-align:right;
  }
html>body p.post-footer {
  border-bottom-color:transparent;
  }
p.post-footer em {
  display:block;
  float:left;
  text-align:left;
  font-style:normal;
  }
a.comment-link {
  /* IE5.0/Win doesn't apply padding to inline elements,
     so we hide these two declarations from it */
  background/* */:/**/url("http://www.blogblog.com/rounders2/icon_comment.gif") no-repeat 0 45%;
  padding-left:14px;
  }
html>body a.comment-link {
  /* Respecified, for IE5/Mac's benefit */
  background:url("http://www.blogblog.com/rounders2/icon_comment.gif") no-repeat 0 45%;
  padding-left:14px;
  }
.post img {
  margin:0 0 5px 0;
  padding:4px;
  border:1px solid #ccc;
  }
blockquote {
  margin:.75em 0;
  border:1px dotted #ccc;
  border-width:1px 0;
  padding:5px 15px;
  color:#666;
  }
.post blockquote p {
  margin:.5em 0;
  }

/* Comments
----------------------------------------------- */
#comments {
  margin:-25px 13px 0;
  border:1px dotted #ccc;
  border-width:0 1px 1px;
  padding:20px 0 15px 0;
  }
#comments h4 {
  margin:0 0 10px;
  padding:0 14px 2px 29px;
  border-bottom:1px dotted #ccc;
  font-size:120%;
  line-height:1.4em;
  color:#333;
  }
#comments-block {
  margin:0 15px 0 9px;
  }
.comment-data {
  background:url("http://www.blogblog.com/rounders2/icon_comment.gif") no-repeat 2px .3em;
  margin:.5em 0;
  padding:0 0 0 20px;
  color:#666;
  }
.comment-poster {
  font-weight:bold;
  }
.comment-body {
  margin:0 0 1.25em;
  padding:0 0 0 20px;
  }
.comment-body p {
  margin:0 0 .5em;
  }
.comment-timestamp {
  margin:0 0 .5em;
  padding:0 0 .75em 20px;
  color:#666;
  }
.comment-timestamp a:link {
  color:#666;
  }
.deleted-comment {
  font-style:italic;
  color:gray;
  }

/* Profile
----------------------------------------------- */
@media all {
  #profile-container {
    background:#999 url("http://www.blogblog.com/rounders2/corners_prof_bot.gif") no-repeat left bottom;
    margin:0 0 15px;
    padding:0 0 10px;
    color:#fff;
    }
  #profile-container h2 {
    background:url("http://www.blogblog.com/rounders2/corners_prof_top.gif") no-repeat left top;
    padding:10px 15px .2em;
    margin:0;
    border-width:0;
    font-size:115%;
    line-height:1.5em;
    color:#fff;
    }
  }
@media handheld {
  #profile-container {
    background:#999;
    }
  #profile-container h2 {
    background:none;
    }
  }
.profile-datablock {
  margin:0 15px .5em;
  border-top:1px dotted #ccc;
  padding-top:8px;
  }
.profile-img {display:inline;}
.profile-img img {
  float:left;
  margin:0 10px 5px 0;
  border:4px solid #ccc;
  }
.profile-data strong {
  display:block;
  }
#profile-container p {
  margin:0 15px .5em;
  }
#profile-container .profile-textblock {
  clear:left;
  }
#profile-container a {
  color:#fff;
  }
.profile-link a {
  background:url("http://www.blogblog.com/rounders2/icon_profile.gif") no-repeat 0 .1em;
  padding-left:15px;
  font-weight:bold;
  }
ul.profile-datablock {
  list-style-type:none;
  }

/* Sidebar Boxes ...

34.  AliceW.  
From: AliceW.
Date: Wed, 25 Oct 2006 21:30:09 -0700
Local: Thurs, Oct 26 2006 12:30 am
Subject: Re: System Doctor 2006 ... huge problem
So this is definitely a JavaScript? And definitely something he's added
himself (as in not some malware on his computer adding it without his
knowledge)? The only JS I see on this template is the "Pledge" JS, so
does that have to be the culprit then?

And if it's cookies doing it, why the other day when I first clicked on
his link, did I also get redirected? I haven't changed any settings on
my computer at all, and I do block all cookies unless I need them to
sign in to a site.

And then, why did it redirect me the other day but not now?

Thanks for helping.

----------------
http://cmbs.cnc.net/blogtemplates  Beta Blogger Templates
http://blogsitecomparison.blogspot.com/  Find the right site for your
next blog.


35.  phydeaux3  
From: phydeaux3
Date: Thu, 26 Oct 2006 05:09:51 -0000
Local: Thurs, Oct 26 2006 1:09 am
Subject: Re: System Doctor 2006 ... huge problem
Well just to throw some more out there.

I don't think it's on the user's end. The user may be infected now with
all that going on, but it looks to me like it's being done on the
server side (hacked). The reason I'm saying that is, it appears to me that
the redirects are 301s from the server, and to narrow it down even
more, for some reason it only 301s on files when there is a referrer
header sent by the browser; if a referrer header is not sent (either
blocked by the browser or firewall) then the files are served normally.

For example, here are the headers for an image on the server with
REFERRERS OFF in my browser.

http://www.originalrootzencenter.org/Art/buddha.jpg

GET /Art/buddha.jpg HTTP/1.1
Host: www.originalrootzencenter.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Cache-Control: max-age=0

HTTP/1.x 200 OK
Date: Thu, 26 Oct 2006 04:30:50 GMT
Server: Apache
Last-Modified: Tue, 24 Oct 2006 14:58:56 GMT
Etag: "200f44f-d27-453e2a30"
Accept-Ranges: bytes
Content-Length: 3367
Connection: close
Content-Type: image/jpeg

Everything is fine then. That's the way it should always be. The image
is served per normal with a http 200 status. Here's the same image
requested with referrers ON (normal usage)

http://www.originalrootzencenter.org/Art/buddha.jpg

GET /Art/buddha.jpg HTTP/1.1
Host: www.originalrootzencenter.org
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Accept: image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Referer: http://www.originalrootzencenter.org/
If-Modified-Since: Tue, 24 Oct 2006 14:58:56 GMT
If-None-Match: "200f44f-d27-453e2a30"
Cache-Control: max-age=0

HTTP/1.x 301 Moved Permanently
Date: Thu, 26 Oct 2006 04:30:03 GMT
Server: Apache
Location: http://17edson.com/db/go.php?link=1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

Both of those are with cookies completely disabled so they aren't in
play at that moment.

With ANY referrer sent in the request, ANY file request on the
originalrootzencenter.org server turns into a 301 redirect to
17edson.com etc... and that's where the cookies, redirects and
everything start. It's like that for any file on
originalrootzencenter.org from what I'm seeing. Referrers turned off
and no problem. Referrers turned on and all file requests turn into
301's to the bad guys.

A server sending a 301 means only one thing to me. Apache has been
hacked to do it.

I would contact the host once again with that additional info, send
them the 2 different headers if necessary. The tech person may be
behind a proxy that blocks referrers, and if so that would explain why
the site looks normal to them. It looks normal to me as long as I block
referrers. As soon as I enable referrers, then come the 301 redirects.

Could something have been on the users computer to help the bad guys do
this? Possible. But just as possible (and probably more likely) they
hacked into the server without ever getting anything from the user.

Of course I'm just throwing out what I see. Your mileage may vary.


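The two captures above are a differential test: request the same file once without a Referer header and once with one, then compare the status and Location. The script below is an added example written for this page, not code posted by phydeaux3 or anyone else in the thread. It embeds the two response captures quoted above verbatim, flags a referrer-conditional redirect to another host, and carries a live probe() helper built on urllib for repeating the experiment against a server (that helper needs network access and is not run when the file is imported). The Response class, the function names and the host normalisation are my own choices, not anything from the thread.

```python
"""Referer-conditional redirect check for the two header captures above.
Added example: parse the captures, decide whether a file is served normally
without a Referer but 3xx-redirected off-site when one is sent, and
optionally repeat the experiment live."""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from urllib.parse import urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}


@dataclass
class Response:
    """Status code plus header names lower-cased (assumed minimal shape)."""
    status: int
    headers: dict = field(default_factory=dict)


def parse_http_response(raw: str) -> Response:
    """Parse a raw capture such as 'HTTP/1.x 200 OK' followed by header lines."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines()]
    m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for ln in lines[1:]:
        if not ln.strip():
            break  # a blank line ends the header block
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return Response(int(m.group(1)), headers)


def _norm_host(host: str) -> str:
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def referer_conditional_redirect(no_ref: Response, with_ref: Response, site_host: str):
    """Return the off-site Location when the file is 200 without a Referer but
    redirected to another host with one; None when nothing suspicious shows."""
    if no_ref.status != 200 or with_ref.status not in REDIRECT_CODES:
        return None
    location = with_ref.headers.get("location", "")
    target = urlsplit(location).hostname or ""
    if target and _norm_host(target) != _norm_host(site_host):
        return location
    return None


# The two responses captured in the thread (headers exactly as posted).
NO_REFERER_CAPTURE = """HTTP/1.x 200 OK
Date: Thu, 26 Oct 2006 04:30:50 GMT
Server: Apache
Last-Modified: Tue, 24 Oct 2006 14:58:56 GMT
Etag: "200f44f-d27-453e2a30"
Accept-Ranges: bytes
Content-Length: 3367
Connection: close
Content-Type: image/jpeg
"""
WITH_REFERER_CAPTURE = """HTTP/1.x 301 Moved Permanently
Date: Thu, 26 Oct 2006 04:30:03 GMT
Server: Apache
Location: http://17edson.com/db/go.php?link=1
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1
"""


def check_captures():
    """Classify the thread's two captures for www.originalrootzencenter.org."""
    return referer_conditional_redirect(
        parse_http_response(NO_REFERER_CAPTURE),
        parse_http_response(WITH_REFERER_CAPTURE),
        "www.originalrootzencenter.org",
    )


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # do not follow; the 3xx surfaces as an HTTPError


def fetch(url: str, referer: str = "") -> Response:
    """Live request with redirects disabled (assumed helper; needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": "Mozilla/5.0"})
    if referer:
        req.add_header("Referer", referer)
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=10) as resp:
            return Response(resp.status, {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as err:
        return Response(err.code, {k.lower(): v for k, v in err.headers.items()})


def probe(url: str):
    """Repeat the experiment live: same URL without and with a Referer that
    points at the site's own front page."""
    parts = urlsplit(url)
    site_root = "%s://%s/" % (parts.scheme, parts.netloc)
    return referer_conditional_redirect(fetch(url), fetch(url, site_root), parts.hostname or "")


if __name__ == "__main__":
    print(check_captures())  # http://17edson.com/db/go.php?link=1
```

Run as-is it classifies the two captures; probe("http://www.originalrootzencenter.org/Art/buddha.jpg") repeats the live test against a host. Keeping redirects disabled matters: a client that follows the 301 would land on the other site and you would see its content rather than the server's own decision. Note that a URL typed into the address bar carries no Referer while the page's images and links do, so a rule like this one produces exactly the symptom described: the page loads, the images do not, and a click redirects.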
36.  AliceW.  
From: AliceW.
Date: Wed, 25 Oct 2006 22:24:51 -0700
Local: Thurs, Oct 26 2006 1:24 am
Subject: Re: System Doctor 2006 ... huge problem
I don't understand most of what you said, but...

Why then was I getting redirected the other day, but not now? I haven't
changed any computer settings.

When I click on that image link, I get redirected. And for the record,
his blog is displaying correctly, but none of the images are showing.
Wow. So it's not even him or anything on his template at all?

I wonder if all these hijack complaints are for blogs not hosted at
blogspot.

Thanks phydeaux.

----------------
http://cmbs.cnc.net/blogtemplates  Beta Blogger Templates
http://blogsitecomparison.blogspot.com/  Find the right site for your
next blog.


37.  AliceW.  
From: AliceW.
Date: Wed, 25 Oct 2006 22:26:12 -0700
Local: Thurs, Oct 26 2006 1:26 am
Subject: Re: System Doctor 2006 ... huge problem
This would affect everything hosted on that server then?

Seems like everyone being hosted on that server would be screaming
about it.

----------------
http://cmbs.cnc.net/blogtemplates  Beta Blogger Templates
http://blogsitecomparison.blogspot.com/  Find the right site for your
next blog.


38.  Shawn DesRochers  
From: Shawn DesRochers
Date: Wed, 25 Oct 2006 23:07:01 -0700
Local: Thurs, Oct 26 2006 2:07 am
Subject: Re: System Doctor 2006 ... huge problem
Wow, I suppose I should have taken a little more time to investigate. I
see it now, but it never occurred to me to click an image..

As I stated above I wasn't being redirected or anything of the sort; I
reviewed the source code and everything looked fine from there as well,
except the cookies attempting to install, with my security permissions
making me aware. So I assumed it was a JS or XML exploit!

I am also behind a hardware firewall so my browser wasn't stopping http
referrals however the firewall was...

Clicking on an image redirects you instantly to System Doctor!!!!

It seems that it is a hijack and a pretty good one at that! As AliceW
stated, if the Apache web server has been compromised, why isn't anyone
else on that server having issues?

As Apache is used across the entire backbone as a server client module!

I did a check at DNS tools and a whois and see he's on IPOWERDNS.COM,
yet viewing the other sites hosted by this company they aren't
affected, which is rather strange..

Unless he's on a VPS server, where his Apache would be set to him alone
-- if the drive and domain space are set as blocks to that domain!

When testing the site in Lynx I see a whole pile of COMs and request
pings in the HTTP headers; however, I am unable to verify the IP of
the current header request. I would recommend reporting this to the web
host immediately so they can refer to their access logs and raw error
logs, report this to the proper officials and prevent this from
happening again.

Also find out what version of Apache your host provider is currently
using, as there is an obvious security flaw!

Kudos goes to AliceW!

But when you're not being redirected and the source looks fine and nothing
obvious sticks out, it becomes a huge oversight!

Shawn


39.  phydeaux3  
From: phydeaux3
Date: Thu, 26 Oct 2006 06:29:33 -0000
Local: Thurs, Oct 26 2006 2:29 am
Subject: Re: System Doctor 2006 ... huge problem
I was just about to reply to Alice's statement and saw Shawn's,
but as he notes it's possible other domains on the server are also
compromised, but it could be just this domain. Depends on the server
setup and what kind of access the bad guys got.

And Alice's different behaviour may be because of the referral header
being the trigger on the redirect. If you type in the URL the page will
load with no redirects, BUT no images will load (as they are requested
with referrals from the page: no redirects, but all the bad guys'
cookies will load at that point). Any clicks on links to other pages on
that site (or if the initial entry was through a click that sent a
referral header) will result in the redirect.

"Kudos goes to AliceW! "

Kudos to everyone, but wasn't I the one that found the 301's. :-) And
SwtRose gets the nod for being the first to mention the possibility.

But definitely the hosts tech support needs to be notified with the new
info. The server was compromised and while I suppose it's possible it
was done so with help through the users computer or through blogger,
most likely it was done just as an attack on a server vulnerability.
And until they find out what the deal is, they should block that site
altogether, as anyone visiting is at risk. Those are nasty sites that
are getting redirected to.


40.  AliceW.  
From: AliceW.
Date: Thu, 26 Oct 2006 00:12:07 -0700
Local: Thurs, Oct 26 2006 3:12 am
Subject: Re: System Doctor 2006 ... huge problem
I am being redirected again now. I seriously don't understand why
sometimes I am and other times not. Maybe has something to do with
having clicked the image?? Because I did run adaware after having
clicked his link the other day. And a virus scan on the puter every
day, but that's been reporting that it's found nothing. His site was
loading but without images until after I clicked the image link, and
now I'm being redirected. But it's been a couple of hours since then,
so something else could have happened somewhere during that time...

Anyway. Thanks Phydeaux for bothering to look more closely. Now Dustin
has some clue of what's really going on and some direction to go in
next. I think it must be very frustrating when your site is hijacked
like this and you have no clue what to do about it.



©2013 Google