• Re: Puzzling exploit

    From Apd@21:1/5 to Philip Herlihy on Wed May 29 23:18:12 2024
    XPost: comp.infosystems.www.authoring.html, comp.infosystems.www.authoring.misc

    "Philip Herlihy" wrote:
    [...]
    Please watch an animation explaining your procedure before your pre-operative assessment appointment www.explainmyprocedure.com/barts

    So I get the bogus page every couple of days, immediately after clicking that link. An equivalent link (to another site) in the same email never triggers the exploit. I guess the "first-time only" behaviour is part of concealment.

    Yes. I've used curl to get headers only in the following tests and
    changed https to hxxps to protect the click-happy. First time it
    redirects like so:

    - - -
    curl -I hxxps://www.explainmyprocedure.com/barts/
    HTTP/1.1 302 Found
    Server: nginx
    Date: Wed, 29 May 2024 20:11:04 GMT
    Content-Type: text/html; charset=UTF-8
    Connection: keep-alive
    X-Redirect-By: WordPress
    Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
    - - -

    That "bellatrixmeissa" domain link then redirects to check you're not
    a robot and gets scripts from other domains, ending up who knows where.

    The redirect on subsequent tries goes to what I presume is the correct
    place, a login screen:

    - - -
    ...
    ...
    X-Redirect-By: WordPress
    Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login&[...etc.]
    - - -

    I've reported it to the site owners who have apparently scanned and scanned, yet it's still there. Any ideas on where to look? Is there such a thing as a DNS exploit these days, for example?

    They're using WordPress on the site which is notorious for being
    hacked and they need to fix whatever the vulnerability is. If they
    look at their WP code for the "wp_redirect" function or what calls it
    they should find the malicious code: <https://developer.wordpress.org/reference/functions/wp_redirect/>

    I'm presuming "explainmyprocedure.com" is a legitimate site to get
    info from Barts hospital, assuming the email really came from them.

    (removed comp.infosystems.www.authoring.stylesheets from followups)

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
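A small triage helper for the kind of check Apd did by hand above, added here as an example and not part of the original post: it parses `curl -I` style header dumps, re-fangs the hxxps scheme, and flags a redirect whose Location leaves the requested site's registrable domain. Run against several fetches of the same URL, it also reports whether the redirect target changes between visits, which is the "first-time only" behaviour described in the thread. The two header blocks are constructed from the dumps quoted in the post; the second one's status line and the trailing part of its Location, which the post elides, are assumed. The `registrable_domain` helper is a naive last-two-labels approximation; real tooling should use the Public Suffix List.

```python
"""Flag off-site and inconsistent redirects from curl -I style header dumps."""
from urllib.parse import urlparse

# Constructed sample: the first-visit dump quoted in the post.
FIRST_VISIT = """HTTP/1.1 302 Found
Server: nginx
Date: Wed, 29 May 2024 20:11:04 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
X-Redirect-By: WordPress
Location: hxxps://qltuh.bellatrixmeissa.com/?pl=CHiI7Gh3GUyTa8XGgNqDyQ&click_id=cpbonm2jvq37q1dgt87g
"""

# Constructed sample: the later-visit dump; status line assumed, Location trimmed
# to the part the post actually shows.
LATER_VISIT = """HTTP/1.1 302 Found
X-Redirect-By: WordPress
Location: hxxps://www.explainmyprocedure.com/barts?password-protected=login
"""

REDIRECT_CODES = {301, 302, 303, 307, 308}


def refang(url):
    """Turn a de-fanged hxxp(s):// URL back into one urlparse understands."""
    return "http" + url[4:] if url.lower().startswith("hxxp") else url


def parse_headers(raw):
    """Parse a curl -I dump into (status_code, {lower-cased name: value})."""
    lines = [ln.rstrip("\r") for ln in raw.strip().splitlines() if ln.strip()]
    parts = lines[0].split()
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return code, headers


def registrable_domain(host):
    """Naive eTLD+1 (last two labels). Assumption: good enough for .com hosts here."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_redirect(requested_url, raw_headers):
    """Describe one response: where it redirects and whether that leaves the site."""
    code, hdrs = parse_headers(raw_headers)
    req_host = urlparse(refang(requested_url)).hostname or ""
    location = hdrs.get("location")
    result = {
        "status": code,
        "location": location,
        "redirect_by": hdrs.get("x-redirect-by"),
        "target_host": None,
        "offsite": False,
    }
    if code in REDIRECT_CODES and location:
        # A relative Location stays on the requested host.
        target_host = urlparse(refang(location)).hostname or req_host
        result["target_host"] = target_host
        result["offsite"] = registrable_domain(target_host) != registrable_domain(req_host)
    return result


def detect_inconsistent_redirects(requested_url, dumps):
    """Compare redirect targets across repeated fetches of the same URL.

    Injected redirects often fire only on a client's first visit, so a target
    that changes between fetches is itself a signal worth investigating.
    """
    results = [classify_redirect(requested_url, d) for d in dumps]
    targets = [r["target_host"] for r in results]
    distinct = {t for t in targets if t}
    return {
        "targets": targets,
        "inconsistent": len(distinct) > 1,
        "offsite_hosts": sorted({r["target_host"] for r in results if r["offsite"]}),
    }


if __name__ == "__main__":
    url = "hxxps://www.explainmyprocedure.com/barts/"
    for dump in (FIRST_VISIT, LATER_VISIT):
        print(classify_redirect(url, dump))
    print(detect_inconsistent_redirects(url, [FIRST_VISIT, LATER_VISIT]))
```

In practice the dumps would come from repeated `curl -I` runs, ideally from more than one network and with a browser-like User-Agent, since a cloaking script keys on client state; the parser only needs the raw header text, so it works equally on saved output.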