Puzzling exploit
Philip Herlihy
2024-05-29 18:58:55 UTC
(Anyone still in these now very quiet groups?) Cross-posted to
comp.infosystems.www.authoring.html,
comp.infosystems.www.authoring.misc,
comp.infosystems.www.authoring.stylesheets

I was sent an email about a forthcoming hospital procedure with a couple of
links in it. When I clicked on one of them, a page came up asking me to allow
notifications, and I was daft enough to click Allow. Very quickly I was
getting notifications that my PC was full of viruses, with "click here to fix".
I shut down, scanned for viruses (including offline) and nothing was found.
Subsequent clicks on that link just brought up the correct page.

Until I tried again a couple of days later. Same bogus page, though I wasn't
fooled again. Still, subsequent clicks would bring up the correct page.

I looked at the source code - the links there were simply plain text (no <A> or
mailto:), relying on the client or browser to recognise a URL and
format/enable it accordingly. I'll post the code fragment (there is no
script):

<div style="direction: ltr; font-family: Aptos, Aptos_EmbeddedFont,
Aptos_MSFontService, Calibri, Helvetica, sans-serif; font-size: 12pt; color:
rgb(0, 0, 0);">
Please watch an animation explaining your procedure before your pre-operative
assessment appointment www.explainmyprocedure.com/barts</div>

So I get the bogus page every couple of days, immediately after clicking that
link. An equivalent link (to another site) in the same email never triggers
the exploit. I guess the "first-time only" behaviour is part of concealment.

I've reported it to the site owners who have apparently scanned and scanned,
yet it's still there. Any ideas on where to look? Is there such a thing as a
DNS exploit these days, for example?
--
Phil, London
Apd
2024-05-29 22:18:12 UTC
"Philip Herlihy" wrote:
[...]
Post by Philip Herlihy
Please watch an animation explaining your procedure before your pre-operative
assessment appointment www.explainmyprocedure.com/barts</div>
So I get the bogus page every couple of days, immediately after clicking that
link. An equivalent link (to another site) in the same email never triggers
the exploit. I guess the "first-time only" behaviour is part of concealment.
Yes. I've used curl to get headers only in the following tests and
changed https to hxxps to protect the click-happy. First time it
redirects like so:

- - -
$> curl -I hxxps://www.explainmyprocedure.com/barts/
HTTP/1.1 302 Found
Server: nginx
Date: Wed, 29 May 2024 20:11:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
- - -

That "bellatrixmeissa" domain link then redirects to check you're not
a robot and gets scripts from other domains, ending up who knows where.

The redirect on subsequent tries goes to what I presume is the correct
place, a login screen:

- - -
...
...
X-Redirect-By: WordPress
Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login&[...etc.]
- - -
Post by Philip Herlihy
I've reported it to the site owners who have apparently scanned and scanned,
yet it's still there. Any ideas on where to look? Is there such a thing as
a DNS exploit these days, for example?
They're using WordPress on the site which is notorious for being
hacked and they need to fix whatever the vulnerability is. If they
look at their WP code for the "wp_redirect" function or what calls it
they should find the malicious code:
<https://developer.wordpress.org/reference/functions/wp_redirect/>

I'm presuming "explainmyprocedure.com" is a legitimate site to get
info from Barts hospital, assuming the email really came from them.

(removed comp.infosystems.www.authoring.stylesheets from followups)
Philip Herlihy
2024-05-31 09:51:58 UTC
Post by Apd
[...]
Post by Philip Herlihy
Please watch an animation explaining your procedure before your pre-operative
assessment appointment www.explainmyprocedure.com/barts</div>
So I get the bogus page every couple of days, immediately after clicking that
link. An equivalent link (to another site) in the same email never triggers
the exploit. I guess the "first-time only" behaviour is part of concealment.
Yes. I've used curl to get headers only in the following tests and
changed https to hxxps to protect the click-happy. First time it
- - -
$> curl -I hxxps://www.explainmyprocedure.com/barts/
HTTP/1.1 302 Found
Server: nginx
Date: Wed, 29 May 2024 20:11:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
- - -
That "bellatrixmeissa" domain link then redirects to check you're not
a robot and gets scripts from other domains, ending up who knows where.
The redirect on subsequent tries goes to what I presume is the correct
- - -
...
...
X-Redirect-By: WordPress
Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login&[...etc.]
- - -
Post by Philip Herlihy
I've reported it to the site owners who have apparently scanned and scanned,
yet it's still there. Any ideas on where to look? Is there such a thing as
a DNS exploit these days, for example?
They're using WordPress on the site which is notorious for being
hacked and they need to fix whatever the vulnerability is. If they
look at their WP code for the "wp_redirect" function or what calls it
<https://developer.wordpress.org/reference/functions/wp_redirect/>
I'm presuming "explainmyprocedure.com" is a legitimate site to get
info from Barts hospital, assuming the email really came from them.
(removed comp.infosystems.www.authoring.stylesheets from followups)
Thank you - that's immensely helpful, and I've learned something for sure.
Yes, it's a legitimate provider of animations, and Barts Hospital is one of
their clients.

I almost _never_ crosspost, and while I looked for the "Followup-To" field I
managed to miss the "Advanced Fields" button in my client - sorry!
--
Phil, London
Apd
2024-05-31 13:24:48 UTC
[...]
Post by Philip Herlihy
Post by Apd
I'm presuming "explainmyprocedure.com" is a legitimate site to get
info from Barts hospital, assuming the email really came from them.
(removed comp.infosystems.www.authoring.stylesheets from followups)
Thank you - that's immensely helpful, and I've learned something for
sure. Yes, it's a legitimate provider of animations, and Barts Hospital
is one of their clients.
I also informed "explainmyprocedure.com" via their contact page at the
time of my post but the problem is still there. Previously, the
redirect was to (https):

qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g

Today, it's:

qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpcps3qjvq314ov5asr0

Only the "click_id" parameter has changed.

This is a serious security issue. "Explain my procedure" appear to be
using Cloudways managed hosting[1], so they may not be in direct
control of the code. Cloudways say they provide secure Wordpress
hosting which has obviously failed here. You might also want to inform
Barts of the problem.

[1] <https://www.cloudways.com/en/>

How I discovered that:

$> host www.explainmyprocedure.com
www.explainmyprocedure.com has address 206.189.115.184

$> host 206.189.115.184
184.115.189.206.in-addr.arpa domain name pointer 419646.cloudwaysapps.com.
Post by Philip Herlihy
I almost _never_ crosspost, and while I looked for the "Followup-To"
field I managed to miss the "Advanced Fields" button in my client -
sorry!
No problem. I've now removed comp.infosystems.www.authoring.misc from
followups, as it's dead.
Philip Herlihy
2024-05-31 19:34:39 UTC
Post by Apd
I also informed "explainmyprocedure.com" via their contact page at the
time of my post but the problem is still there. Previously, the
qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpcps3qjvq314ov5asr0
Only the "click_id" parameter has changed.
This is a serious security issue. "Explain my procedure" appear to be
using Cloudways managed hosting[1], so they may not be in direct
control of the code. Cloudways say they provide secure Wordpress
hosting which has obviously failed here. You might also want to inform
Barts of the problem.
[1] <https://www.cloudways.com/en/>
$> host www.explainmyprocedure.com
www.explainmyprocedure.com has address 206.189.115.184
$> host 206.189.115.184
184.115.189.206.in-addr.arpa domain name pointer 419646.cloudwaysapps.com.
Thank you, Apd - I'm really grateful for this. I'm simply a patient about to
have a procedure at Barts, and invited to watch an animation about it (provided
by Explainmyprocedure.com). They've told me they are urgently looking into it,
but I'm guessing they have been struggling as this has been going on for many
days. I've also notified Barts, though I haven't had a response from them.

I passed your observations on to Explainmyprocedure and invited them to call me
if they need an explanation.

Wish me luck on Monday (should be a walk in the park, but you never know...)
--
Phil, London
Apd
2024-05-31 21:41:22 UTC
Post by Philip Herlihy
Thank you, Apd - I'm really grateful for this. I'm simply a patient
about to have a procedure at Barts, and invited to watch an animation
about it (provided by Explainmyprocedure.com). They've told me they are
urgently looking into it, but I'm guessing they have been struggling as
this has been going on for many days. I've also notified Barts, though
I haven't had a response from them.
I passed your observations on to Explainmyprocedure and invited them to
call me if they need an explanation.
I found out more about the payload after inspecting what's loaded at
the redirects. Obfuscated script is run from "js.streampsh.top" which
is a known ad pusher:

<https://malwaretips.com/blogs/remove-streampsh-top/>
"Streampsh.top is a site that displays fake messages to trick you into
subscribing to its spam push notifications".

The article was written in 2022 so functionality and messages seen
may differ slightly now. It advises to reset your browser to default
settings but unless you're experiencing problems like they describe,
you should be ok.
Post by Philip Herlihy
Wish me luck on Monday (should be a walk in the park, but you never know...)
Sure, I hope it goes well for you.
Philip Herlihy
2024-06-17 16:17:21 UTC
Post by Apd
[...]
Post by Philip Herlihy
Post by Apd
I'm presuming "explainmyprocedure.com" is a legitimate site to get
info from Barts hospital, assuming the email really came from them.
(removed comp.infosystems.www.authoring.stylesheets from followups)
Thank you - that's immensely helpful, and I've learned something for
sure. Yes, it's a legitimate provider of animations, and Barts Hospital
is one of their clients.
I also informed "explainmyprocedure.com" via their contact page at the
time of my post but the problem is still there. Previously, the
qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpcps3qjvq314ov5asr0
Only the "click_id" parameter has changed.
This is a serious security issue. "Explain my procedure" appear to be
using Cloudways managed hosting[1], so they may not be in direct
control of the code. Cloudways say they provide secure Wordpress
hosting which has obviously failed here. You might also want to inform
Barts of the problem.
[1] <https://www.cloudways.com/en/>
$> host www.explainmyprocedure.com
www.explainmyprocedure.com has address 206.189.115.184
$> host 206.189.115.184
184.115.189.206.in-addr.arpa domain name pointer 419646.cloudwaysapps.com.
Post by Philip Herlihy
I almost _never_ crosspost, and while I looked for the "Followup-To"
field I managed to miss the "Advanced Fields" button in my client -
sorry!
No problem. I've now removed comp.infosystems.www.authoring.misc from
followups, as it's dead.
The problem is still there. I tried the 'curl' line you suggested, and it came
back 'clean', but when I clicked the link in the original email today I still
get the invitation to Allow Notifications (with a cheery cartoon). And up pops
a tab with a scam in it. (I closed all tabs without any interaction.)

They are obviously struggling to find and clear this malware, which I've seen
only appears when the link hasn't been clicked from my location for (I think)
several days, so it's got some concealment built-in. Do you have any further
thoughts?

(My procedure - helpfully explained by the 'victim' site - went well, by the
way!)
--
Phil, London
Apd
2024-06-17 21:39:19 UTC
Post by Philip Herlihy
The problem is still there. I tried the 'curl' line you suggested, and it came
back 'clean', but when I clicked the link in the original email today I still
get the invitation to Allow Notifications (with a cheery cartoon). And up pops
a tab with a scam in it. (I closed all tabs without any interaction.)
Yes, it's now doing the same again for me. I used curl but sent a
browser user-agent string which is sometimes checked for by malware.
The redirect is still in place to the same domain on first visit
(qltuh.bellatrixmeissa.com).
Post by Philip Herlihy
They are obviously struggling to find and clear this malware, which I've seen
only appears when the link hasn't been clicked from my location for (I think)
several days, so it's got some concealment built-in. Do you have any further
thoughts?
Did you get any further feedback from them (I got none at all) or warn
the hospital? I've now sent an abuse report to ExplainMyProcedure's
hosting provider, DigitalOcean. Hopefully they'll do something.
Post by Philip Herlihy
(My procedure - helpfully explained by the 'victim' site - went well, by the
way!)
Excellent!
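Apd's header-only curl checks earlier in the thread, plus the point just above about sending a browser User-Agent, as an added example that is not code from the thread: it parses a raw header block the way `curl -I` prints one, flags a 3xx whose Location host is not the host that was requested, and can fetch live headers with a browser UA without following the redirect. The sample header blocks are the two quoted in the thread (the second's status line is assumed and its truncated query shortened); the User-Agent string is a placeholder.

```python
from urllib.parse import urlsplit
import http.client

# Placeholder browser-like User-Agent (assumption): some malware only
# redirects real browsers, so a bare curl can come back "clean".
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/125.0"
REDIRECT_CODES = {301, 302, 303, 307, 308}

def parse_headers(raw):
    """Raw header block (as `curl -I` prints it) -> (status, {name: value})."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split(maxsplit=2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify_redirect(requested_host, raw_headers):
    """Return 'no-redirect', 'same-site' or 'OFF-SITE:<host>'."""
    status, hdrs = parse_headers(raw_headers)
    if status not in REDIRECT_CODES or "location" not in hdrs:
        return "no-redirect"
    loc = hdrs["location"]
    if loc.lower().startswith("hxxp"):      # undo the thread's defanging
        loc = "http" + loc[4:]
    host = urlsplit(loc).hostname
    if not host or host.lower() == requested_host.lower():
        return "same-site"                  # relative or same-host Location
    return "OFF-SITE:" + host.lower()

def fetch_raw_headers(url, user_agent=BROWSER_UA):
    """HEAD the URL once with a browser UA and do NOT follow the redirect."""
    u = urlsplit(url)
    cls = http.client.HTTPSConnection if u.scheme == "https" else http.client.HTTPConnection
    conn = cls(u.hostname, u.port, timeout=15)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    conn.request("HEAD", path, headers={"User-Agent": user_agent})
    resp = conn.getresponse()
    raw = f"HTTP/1.1 {resp.status} {resp.reason}\n"
    raw += "".join(f"{k}: {v}\n" for k, v in resp.getheaders())
    conn.close()
    return raw

# Sample inputs: the header blocks quoted in the thread (first visit as
# shown; second visit's status line assumed and its query truncated).
FIRST_VISIT = """HTTP/1.1 302 Found
X-Redirect-By: WordPress
Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
"""
LATER_VISIT = """HTTP/1.1 302 Found
X-Redirect-By: WordPress
Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login
"""
```

For a live check, `classify_redirect(host, fetch_raw_headers(url))` on a host that has not been visited for a few days reproduces the first-visit test; a "same-site" result on a later visit is exactly the concealment the thread describes, not proof the site is clean.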
Allodoxaphobia
2024-06-18 16:36:22 UTC
Post by Apd
I've now sent an abuse report to ExplainMyProcedure's
hosting provider, DigitalOcean. Hopefully they'll do something.
WHO!?!?!? *digital sewer ???* LMAO!
Philip Herlihy
2024-06-19 10:22:36 UTC
Post by Apd
Did you get any further feedback from them (I got none at all) or warn
the hospital? I've now sent an abuse report to ExplainMyProcedure's
hosting provider, DigitalOcean. Hopefully they'll do something.
Thanks for this. Yes, they do respond. They thought they'd fixed it, but
I've warned them that they haven't. I also alerted the hospital, but they
haven't responded.

The malware only shows itself if I haven't connected to the site for a number
of days. I'm not sure how long that number of days is. At the moment I check
it once a week.
--
Phil, London
Apd
2024-06-20 09:37:24 UTC
Post by Philip Herlihy
Post by Apd
Did you get any further feedback from them (I got none at all) or warn
the hospital? I've now sent an abuse report to ExplainMyProcedure's
hosting provider, DigitalOcean. Hopefully they'll do something.
Thanks for this. Yes, they do respond. They thought they'd fixed it,
but I've warned them that they haven't. I also alerted the hospital,
but they haven't responded.
DigitalOcean did reply and said they've been notified.
Post by Philip Herlihy
The malware only shows itself if I haven't connected to the site for a
number of days. I'm not sure how long that number of days is. At the
moment I check it once a week.
Just tried now - it's still there. I don't think there's anything else
we can do. They should hire some competent IT staff!
Philip Herlihy
2024-06-20 10:37:38 UTC
Post by Apd
Just tried now - it's still there. I don't think there's anything else
we can do. They should hire some competent IT staff!
Yes!
--
Phil, London
Philip Herlihy
2024-06-23 20:23:00 UTC
In article <***@news.eternal-september.org>, Philip
Herlihy wrote...
Post by Apd
Just tried now - it's still there. I don't think there's anything else
we can do. They should hire some competent IT staff!
Yes!
And they did. They hired a specialist, who reportedly found the malware and
removed it. :-)
--
Phil, London
Apd
2024-06-24 08:57:47 UTC
Philip Herlihy wrote...
Post by Apd
Just tried now - it's still there. I don't think there's anything else
we can do. They should hire some competent IT staff!
Yes!
And they did. They hired a specialist, who reportedly found the malware
and removed it. :-)
Great stuff; and about time, too!

Arno Welzel
2024-06-03 07:03:08 UTC
Post by Apd
[...]
Post by Philip Herlihy
Please watch an animation explaining your procedure before your pre-operative
assessment appointment www.explainmyprocedure.com/barts</div>
So I get the bogus page every couple of days, immediately after clicking that
link. An equivalent link (to another site) in the same email never triggers
the exploit. I guess the "first-time only" behaviour is part of concealment.
Yes. I've used curl to get headers only in the following tests and
changed https to hxxps to protect the click-happy. First time it
- - -
$> curl -I hxxps://www.explainmyprocedure.com/barts/
HTTP/1.1 302 Found
Server: nginx
Date: Wed, 29 May 2024 20:11:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
[...]
Post by Apd
They're using WordPress on the site which is notorious for being
hacked and they need to fix whatever the vulnerability is. If they
WordPress itself is quite robust nowadays and they have implemented
quite strict coding guidelines including code analysis using psalm years
ago.

However - plugins and themes are often not as secure and most likely it
is a hackable plugin causing the trouble here.
--
Arno Welzel
https://arnowelzel.de
Apd
2024-06-04 10:59:12 UTC
Post by Arno Welzel
Post by Apd
They're using WordPress on the site which is notorious for being
hacked and they need to fix whatever the vulnerability is. If they
WordPress itself is quite robust nowadays and they have implemented
quite strict coding guidelines including code analysis using psalm years
ago.
However - plugins and themes are often not as secure and most likely it
is a hackable plugin causing the trouble here.
I thought it might be. Anyway, I'll note they now appear to have fixed
the problem.