• LCBO breach

    From August Abolins@2:221/1.58 to All on Monday, January 16, 2023 09:56:00
    I think this might be part of the problem LCBO.com is
    experiencing:

    <small class="copyright"><span>Copyright c 2022 LCBO. All
    rights reserved.</span></small></div><script type="text/javascript">window.NREUM||(NREUM={});NREUM.info={"beacon":"bam.nr-data.net","licenseKey":"NRJS-8e25409fe505fc54578","applicationID":"972652360","transactionName":"NQFRZBNVCkQFVkxeXgxLclMVXQtZS1ZVRB4LCldVGRsNWQBQQA==","queueTime":0,"applicationTime":1927,"atts":"GUZSEltPGUo=","errorBeacon":"bam.nr-data.net","agent":""}</script></body></html>

    "https://info.greatis.com > howto > remove-bam-nr-data-net.htm
    How to Remove "BAM.NR-DATA.NET" Virus (PUP.Adware.NR-DATA)
    COMPLETELY ... BAM.NR-DATA.NET is classified as PUP.Adware.NR-
    DATA . Browser Hijacker is a type of MALWARE, that is designed
    to change your browser's settings. You may experience any of
    the following behaviors: your search is getting redirected to
    different websites, your homepage or search engine is changed
    without your permission, etc."

    I'm surprised that LCBO doesn't shut down the site completely
    until all suspect issues are resolved.

    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)
  • From Nick Andre@1:229/426 to August Abolins on Monday, January 16, 2023 10:34:39
    On 16 Jan 23 09:56:00, August Abolins said the following to All:

    > I think this might be part of the problem LCBO.com is
    > experiencing:

    I have a customer with a WordPress site that had similar problems. Oh what
    a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

    Not saying the LCBO site was built on it but I find as time goes on, websites tend to be designed around a framework of some kind rather than HTML from scratch... and very little attention is given to security of that framework.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)
  • From August Abolins@2:221/1.58 to Nick Andre on Monday, January 16, 2023 14:57:00
    Hello Nick!

    > I have a customer with a WordPress site that had similar problems. Oh
    > what a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

    My approach with WP is to turn off outside access first. Just
    park a landing page with an "offline/maintenance" comment or
    something.

    Then, it is pretty straightforward to walk through the
    directory tree to look for rogue .php files.

    Although php injections are common, they can't avoid several
    things from being spotted.

    > Not saying the LCBO site was built on it but I find as time goes on, websites tend to be designed around a framework of some kind rather than HTML from scratch... and very little attention is given to security of that framework.

    I had one particular site that was purely HTML, but it *still*
    had rogue <script></script> and php content inserted and that
    actually was triggered and active. The hosting service said
    that it can still happen over shared domain space; when one
    client is infected the hack can traverse to other domains on
    the same server. It hasn't happened a 2nd time since I brought
    it to their attention.

    lcbo.com doesn't bear the code markings of a WP site. But I
    notice that places like Indigo and Canadian Tire have
    surrendered to Shopify; that probably fits into the kind of
    framework you're talking about. Hack one Shopify site, hack
    them all.
    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)
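As an added illustration of the directory walk August describes (example code written for this page, not from the thread or from WordPress), a small scanner over a site's document root that flags what a rogue-file hunt usually turns up: PHP under wp-content/uploads, PHP hidden behind a double extension, PHP tags inside HTML files, and common obfuscation or eval calls. The indicator list and the sample tree are constructed assumptions; hits are leads for a manual read, not verdicts.

```python
import re
import tempfile
from pathlib import Path

# Assumed starter list of indicators; legitimate WP code also calls base64_decode.
SUSPECT_PATTERNS = {
    "eval": re.compile(rb"\beval\s*\("),
    "base64_decode": re.compile(rb"\bbase64_decode\s*\("),
    "gzinflate": re.compile(rb"\bgzinflate\s*\("),
    "request-driven call": re.compile(rb"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\("),
}
PHP_EXTS = {".php", ".php5", ".php7", ".phtml", ".phar"}
TEXT_EXTS = {".html", ".htm", ".js", ".txt"}

def scan_wp_tree(root):
    """Return {relative_path: [reasons]} for files that merit a manual look."""
    root, findings = Path(root), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        suffixes = [s.lower() for s in path.suffixes]
        is_php = bool(suffixes) and suffixes[-1] in PHP_EXTS
        reasons = []
        if is_php and rel.startswith("wp-content/uploads/"):
            reasons.append("PHP file inside the uploads directory")
        if any(s in PHP_EXTS for s in suffixes[:-1]):  # e.g. logo.php.jpg
            reasons.append("PHP hidden behind a double extension")
        if is_php or (suffixes and suffixes[-1] in TEXT_EXTS):
            data = path.read_bytes()
            if not is_php and b"<?php" in data:
                reasons.append("PHP open tag in a non-PHP file")
            reasons += [f"indicator: {n}" for n, p in SUSPECT_PATTERNS.items() if p.search(data)]
        if reasons:
            findings[rel] = reasons
    return findings

# Constructed sample document root: one clean file and three plants.
SAMPLE_FILES = {
    "index.html": b"<html><?php eval($_GET['c']); ?></html>",
    "wp-includes/clean.php": b"<?php echo 'hello'; ?>",
    "wp-content/themes/t/logo.php.jpg": b"not really an image",
    "wp-content/uploads/2023/01/shell.php": b"<?php eval(base64_decode($_POST['x'])); ?>",
}

def scan_sample_tree():
    # Write the constructed tree to a temporary directory and scan it.
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE_FILES.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_bytes(data)
        return scan_wp_tree(tmp)

if __name__ == "__main__":
    for rel, reasons in scan_sample_tree().items():
        print(rel, "->", "; ".join(reasons))
```

Point `scan_wp_tree()` at a real document root taken offline first, as the post suggests, and review each flagged file by hand.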