I think this might be part of the problem LCBO.com is
experiencing:

<small class="copyright"><span>Copyright c 2022 LCBO. All
rights reserved.</span></small></div><script type="text/ javascript">window.NREUM||(NREUM={});NREUM.info={"beacon":"bam. nr-data.net","licenseKey":"NRJS- 8e25409fe505fc54578","applicationID":"972652360","transactionNa me":"NQFRZBNVCkQFVkxeXgxLclMVXQtZS1ZVRB4LCldVGRsNWQBQQA==","que ueTime":0,"applicationTime":1927,"atts":"GUZSEltPGUo=","errorBe acon":"bam.nr-data.net","agent":""}</script></body></html>

"https://info.greatis.com > howto > remove-bam-nr-data-net.htm
How to Remove "BAM.NR-DATA.NET" Virus (PUP.Adware.NR-DATA)
COMPLETELY ... BAM.NR-DATA.NET is classified as PUP.Adware.NR-
DATA . Browser Hijacker is a type of MALWARE, that is designed
to change your browser's settings. You may experience any of
the following behaviors: your search is getting redirected to
different websites, your homepage or search engine is changed
without your permission, etc.

I'm surprised that LCBO doesn't shut down the site completely
until all suspect issues are resolved.

--
../|ug

--- OpenXP 5.0.51
* Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)

On 16 Jan 23 09:56:00, August Abolins said the following to All:

I think this might be part of the problem LCBO.com is
experiencing:

I have a customer with a Wordpress site that had similar problems. Oh what
a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

Not saying the LCBO site was built on it but I find as time goes on, websites tend to be designed around a framework of some kind rather than HTML from scratch... and very little attention is given to security of that framework.

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (1:229/426)

Hello Nick!

I have a customer with a Wordpress site that had similar problems. Oh
what a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

My approach with WP is to turn off outside access first. Just
park a landing page with an "offline/maintenance" comment or
something.

Then, it is pretty straight forward to walk through the
directory tree to look for rogue .php files.

Although php injections are common, they can't avoid several
things from being spotted.

Not saying the LCBO site was built on it but I find as time goes on, websites tend to be designed around a framework of some kind rather than HTML from scratch... and very little attention is given to security of that framework.

I had one particiular site that was purely HTML, but it *still*
had rogue <script></script> and php content inserted and that
actually was triggered and active. The hosting service said
that it can still happen over shared domain space; when one
client is infected the hack can traverse to other domains on
the same server. It hasn't happened a 2nd time since I brought
it to their attention.

lcbo.com doesn't bear the code markings of a WP site. But I
notice that places like Indigo and CanadianTire have
surrendered to Shopify; that's probably fits into the kind of
framework you're taking about. Hack one Shopify site, hack
them all.
--
../|ug

--- OpenXP 5.0.51
* Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)