Please watch an animation explaining your procedure before your pre-operative assessment appointment www.explainmyprocedure.com/barts
So I get the bogus page every couple of days, immediately after clicking that link. An equivalent link (to another site) in the same email never triggers the exploit. I guess the "first-time only" behaviour is part of concealment.
I've reported it to the site owners who have apparently scanned and scanned, yet it's still there. Any ideas on where to look? Is there such a thing as a DNS exploit these days, for example?
"Philip Herlihy" wrote:
[...]
Please watch an animation explaining your procedure before your pre-operative
assessment appointment www.explainmyprocedure.com/barts
So I get the bogus page every couple of days, immediately after clicking that
link. An equivalent link (to another site) in the same email never triggers
the exploit. I guess the "first-time only" behaviour is part of concealment.
Yes. I've used curl to get headers only in the following tests and
changed https to hxxps to protect the click-happy. First time it
redirects like so:
- - -
curl -I hxxps://www.explainmyprocedure.com/barts/
HTTP/1.1 302 Found
Server: nginx
Date: Wed, 29 May 2024 20:11:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
- - -
That "bellatrixmeissa" domain link then redirects to check you're not
a robot and gets scripts from other domains, ending up who knows where.
The redirect on subsequent tries goes to what I presume is the correct
place, a login screen:
- - -
...
...
X-Redirect-By: WordPress
Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login&[...etc.]
- - -
I've reported it to the site owners who have apparently scanned and scanned,
yet it's still there. Any ideas on where to look? Is there such a thing as
a DNS exploit these days, for example?
They're using WordPress on the site which is notorious for being
hacked and they need to fix whatever the vulnerability is. If they
look at their WP code for the "wp_redirect" function or what calls it
they should find the malicious code: <https://developer.wordpress.org/reference/functions/wp_redirect/>
I'm presuming "explainmyprocedure.com" is a legitimate site to get
info from Barts hospital, assuming the email really came from them.
(removed comp.infosystems.www.authoring.stylesheets from followups)
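The two header captures above are enough to automate the check Apd did by hand. The following is an added example, not code from this thread or from the site in question: it parses raw `curl -I` style header blocks (the two captures from the post, embedded here as constructed sample input with the defanged `hxxps` kept) and classifies a 3xx response as staying on the probed site or leaving it for another registrable domain. The two-label "registrable domain" rule is an assumption that is adequate for `.com` but not for suffixes like `co.uk`.

```python
"""Classify captured HTTP redirect responses as same-site or off-site.

Added example (not code from the thread). It parses raw response header
blocks such as the two 'curl -I' captures quoted above and flags a 3xx whose
Location points at a different registrable domain than the site probed.
"""
import re
from urllib.parse import urlsplit

# Constructed from the captures quoted in the thread (defanged hxxps kept).
FIRST_VISIT = """HTTP/1.1 302 Found
Server: nginx
Date: Wed, 29 May 2024 20:11:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
"""

# The post abbreviates the second capture; only the lines it shows are used.
LATER_VISIT = """HTTP/1.1 302 Found
X-Redirect-By: WordPress
Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login
"""


def parse_headers(raw):
    """Return (status_code, {lowercase-name: value}) from a raw header block."""
    lines = raw.strip().splitlines()
    m = re.match(r"HTTP/\d(?:\.\d)?\s+(\d{3})", lines[0])
    if not m:
        raise ValueError("not an HTTP status line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # header names never contain ':'
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers


def registrable_domain(host):
    """Crude eTLD+1 (last two labels). Assumption: fine for .com, wrong for co.uk-style suffixes."""
    return ".".join(host.lower().split(".")[-2:])


def _refang(url):
    """Treat a defanged hxxp(s) URL as http(s) so urlsplit sees the host."""
    return re.sub(r"^hxxp", "http", url, flags=re.I)


def classify_redirect(raw, probed_url):
    """Return 'no-redirect', 'same-site' or 'off-site' for one captured response."""
    status, headers = parse_headers(raw)
    if not (300 <= status < 400) or "location" not in headers:
        return "no-redirect"
    target = urlsplit(_refang(headers["location"])).hostname
    origin = urlsplit(_refang(probed_url)).hostname
    if target is None:  # relative Location header: stays on the site
        return "same-site"
    if registrable_domain(target) == registrable_domain(origin):
        return "same-site"
    return "off-site"


def report(captures, probed_url):
    """Classify a dict of label -> raw header block; returns label -> verdict."""
    return {label: classify_redirect(raw, probed_url) for label, raw in captures.items()}


if __name__ == "__main__":
    probed = "hxxps://www.explainmyprocedure.com/barts/"
    for label, verdict in report({"first": FIRST_VISIT, "later": LATER_VISIT}, probed).items():
        print(label, verdict)
```

Run against the thread's own captures it reports the first visit as `off-site` and the later one as `same-site`; a scheduled job that keeps the raw headers and alerts on any `off-site` verdict would have produced evidence of the problem without anyone following the redirect.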
In article <v389k1$1av9k$1@apd.eternal-september.org>, Apd wrote...[...]
I'm presuming "explainmyprocedure.com" is a legitimate site to get
info from Barts hospital, assuming the email really came from them.
(removed comp.infosystems.www.authoring.stylesheets from followups)
Thank you - that's immensely helpful, and I've learned something for
sure. Yes, it's a legitimate provider of animations, and Barts Hospital
is one of their clients.
I almost _never_ crosspost, and while I looked for the "Followup-To"
field I mananged to miss the "Advanced Fields" button in my client -
sorry!
I also informed "explainmyprocedure.com" via their contact page at the
time of my post but the problem is still there. Previously, the
redirect was to (https):
qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
Today, it's:
qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpcps3qjvq314ov5asr0
Only the "click_id" parameter has changed.
This is a serious security issue. "Explain my procedure" appear to be
using Cloudways managed hosting[1], so they may not be in direct
control of the code. Cloudways say they provide secure WordPress
hosting which has obviously failed here. You might also want to inform
Barts of the problem.
[1] <https://www.cloudways.com/en/>
How I discovered that:
host www.explainmyprocedure.com
www.explainmyprocedure.com has address 206.189.115.184
host 206.189.115.184
184.115.189.206.in-addr.arpa domain name pointer 419646.cloudwaysapps.com.
Thank you, Apd - I'm really grateful for this. I'm simply a patient
about to have a procedure at Barts, and invited to watch an animation
about it (provided by Explainmyprocedure.com). They've told me they are
urgently looking into it, but I'm guessing they have been struggling as
this has been going on for many days. I've also notified Barts, though
I haven't had a response from them.
I passed your observations on to Explainmyprocedure and invited them to
call me if they need an explanation.
Wish me luck on Monday (should be a walk in the park, but you never
know...)
Apd, 2024-05-30 00:18:
They're using Wordprees on the site which is notorious for being
hacked and they need to fix whatever the vulnerability is. If they
WordPress itself is quite robust nowadays and they have implemented
quite strict coding guidelines including code analysis using psalm years
ago.
However - plugins and themes are often not as secure and most likely it
is a hackable plugin causing the trouble here.
I almost _never_ crosspost, and while I looked for the "Followup-To"
field I mananged to miss the "Advanced Fields" button in my client -
sorry!
No problem. I've now removed comp.infosystems.www.authoring.misc from followups, as it's dead.
The problem is still there. I tried the 'curl' line you suggested, and it
came back 'clean', but when I clicked the link in the original email today I
still get the invitation to Allow Notifications (with a cheery cartoon). And
up pops a tab with a scam in it. (I closed all tabs without any interaction.)
They are obviously struggling to find and clear this malware, which I've seen
only appears when the link hasn't been clicked from my location for (I think)
several days, so it's got some concealment built-in. Do you have any further
thoughts?
(My procedure - helpfully explained by the 'victim' site - went well, by the way!)
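The observation in this post (a plain `curl -I` comes back clean while a browser click from the same location shows the redirect, and only once every several days) is the reason a single probe is not a reliable "is it fixed" test. The following is an added example, not code from the thread: a constructed stand-in for the site's conditional behaviour (redirect only for browser-like requests, once per client address, then not again for an assumed 7-day window), and a prober that sends a small matrix of request variants and reports any that leave the site. The class, the window, the documentation-range IP addresses and the placeholder target URL are all assumptions made for the demonstration.

```python
"""Why one 'curl -I' can come back clean while a browser click does not.

Added example, not code from the thread. CloakedSite is a constructed model of
the behaviour the posters describe; probe() shows that only varying the
User-Agent and probing from a fresh address exposes it reliably.
"""
from urllib.parse import urlsplit

SITE = "www.explainmyprocedure.com"
OFF_SITE = "https://qltuh.bellatrixmeissa.com/?pl=PLACEHOLDER"  # parameters replaced
LOGIN = "https://www.explainmyprocedure.com/barts?password-protected=login"
COOLDOWN_DAYS = 7  # assumption; the thread only says 'several days'


class CloakedSite:
    """Constructed stand-in for the compromised site's redirect logic."""

    def __init__(self):
        self.last_hit = {}  # client address -> day of the last off-site redirect

    def get(self, client_ip, user_agent, day):
        ua = user_agent.lower()
        looks_like_browser = "mozilla" in ua and "curl" not in ua and "bot" not in ua
        last = self.last_hit.get(client_ip)
        if looks_like_browser and (last is None or day - last >= COOLDOWN_DAYS):
            self.last_hit[client_ip] = day
            return 302, OFF_SITE
        return 302, LOGIN  # what a non-browser or repeat visitor sees


def is_off_site(location):
    """True if the Location host is neither the site nor one of its subdomains."""
    host = urlsplit(location).hostname or SITE
    parent = SITE.split(".", 1)[1]  # explainmyprocedure.com
    return not (host == SITE or host == parent or host.endswith("." + parent))


def probe(site, client_ip, day, variants):
    """Fetch with each (label, user_agent) variant; return those that leave the site."""
    found = []
    for label, ua in variants:
        status, location = site.get(client_ip, ua, day)
        if 300 <= status < 400 and is_off_site(location):
            found.append((label, location))
    return found


VARIANTS = [
    ("curl", "curl/8.5.0"),
    ("desktop-browser", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/126.0"),
    ("mobile-browser", "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) Safari/604.1"),
]


def demo():
    """Count off-site hits for several probing strategies against one CloakedSite."""
    site = CloakedSite()
    ip_a, ip_b = "203.0.113.10", "198.51.100.7"  # documentation ranges
    return {
        "curl_only": len(probe(site, ip_a, day=0, variants=VARIANTS[:1])),
        "full_first": len(probe(site, ip_a, day=0, variants=VARIANTS)),
        "full_again": len(probe(site, ip_a, day=1, variants=VARIANTS)),
        "full_later": len(probe(site, ip_a, day=COOLDOWN_DAYS, variants=VARIANTS)),
        "fresh_ip": len(probe(site, ip_b, day=1, variants=VARIANTS)),
    }


if __name__ == "__main__":
    for strategy, hits in demo().items():
        print(strategy, hits)
```

The curl-only probe never sees the redirect, the full matrix sees it once and then not again from the same address until the window has passed, and a fresh address sees it immediately. For verifying a clean-up, that argues for probing with browser User-Agents from an address that has not visited recently, and for treating a clean result as inconclusive until the window has elapsed.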
Did you get any further feedback from them (I got none at all) or warn
the hospital? I've now sent an abuse report to ExplainMyProcedure's
hosting provider, DigitalOcean. Hopefully they'll do something.
In article <v4qafg$ueq8$1@apd.eternal-september.org>, Apd wrote...
Did you get any further feedback from them (I got none at all) or warn
the hospital? I've now sent an abuse report to ExplainMyProcedure's
hosting provider, DigitalOcean. Hopefully they'll do something.
Thanks for this. Yes, they do respond. They thought they'd fixed it,
but I've warned them that they haven't. I also alerted the hospital,
but they haven't responded.
The malware only shows itself if I haven't connected to the site for a
number of days. I'm not sure how long that number of days is. At the
moment I check it once a week.
Just tried now - it's still there. I don't think there's anything else
we can do. They should hire some competent IT staff!
In article <v50t8t$2gt0c$1@apd.eternal-september.org>, Apd wrote...
Just tried now - it's still there. I don't think there's anything else
we can do. They should hire some competent IT staff!
Yes!
In article <MPG.40de16d07276280d989ada@news.eternal-september.org>,
Philip Herlihy wrote...
In article <v50t8t$2gt0c$1@apd.eternal-september.org>, Apd wrote...
Just tried now - it's still there. I don't think there's anything else
we can do. They should hire some competent IT staff!
Yes!
And they did. They hired a specialist, who reportedly found the malware
and removed it. :-)