I think this might be part of the problem LCBO.com is
experiencing:

<small class="copyright"><span>Copyright c 2022 LCBO. All
rights reserved.</span></small></div><script type="text/ javascript">window.NREUM||(NREUM={});NREUM.info={"beacon":"bam. nr-data.net","licenseKey":"NRJS- 8e25409fe505fc54578","applicationID":"972652360","transactionNa me":"NQFRZBNVCkQFVkxeXgxLclMVXQtZS1ZVRB4LCldVGRsNWQBQQA==","que ueTime":0,"applicationTime":1927,"atts":"GUZSEltPGUo=","errorBe acon":"bam.nr-data.net","agent":""}</script></body></html>

"https://info.greatis.com > howto > remove-bam-nr-data-net.htm
How to Remove "BAM.NR-DATA.NET" Virus (PUP.Adware.NR-DATA)
COMPLETELY ... BAM.NR-DATA.NET is classified as PUP.Adware.NR-
DATA . Browser Hijacker is a type of MALWARE, that is designed
to change your browser's settings. You may experience any of
the following behaviors: your search is getting redirected to
different websites, your homepage or search engine is changed
without your permission, etc.

I'm surprised that LCBO doesn't shut down the site completely
until all suspect issues are resolved.

--
../|ug

--- OpenXP 5.0.51
* Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)

On 16 Jan 23 09:56:00, August Abolins said the following to All:

I think this might be part of the problem LCBO.com is
experiencing:

I have a customer with a Wordpress site that had similar problems. Oh what
a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

Not saying the LCBO site was built on it but I find as time goes on, websites tend to be designed around a framework of some kind rather than HTML from scratch... and very little attention is given to security of that framework.

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (1:229/426)

Hello Nick!

I have a customer with a Wordpress site that had similar problems. Oh
what a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

My approach with WP is to turn off outside access first. Just
park a landing page with an "offline/maintenance" comment or
something.

Then, it is pretty straight forward to walk through the
directory tree to look for rogue .php files.

Although php injections are common, they can't avoid several
things from being spotted.

Not saying the LCBO site was built on it but I find as time goes on, websites tend to be designed around a framework of some kind rather than HTML from scratch... and very little attention is given to security of that framework.

I had one particiular site that was purely HTML, but it *still*
had rogue <script></script> and php content inserted and that
actually was triggered and active. The hosting service said
that it can still happen over shared domain space; when one
client is infected the hack can traverse to other domains on
the same server. It hasn't happened a 2nd time since I brought
it to their attention.

lcbo.com doesn't bear the code markings of a WP site. But I
notice that places like Indigo and CanadianTire have
surrendered to Shopify; that's probably fits into the kind of
framework you're taking about. Hack one Shopify site, hack
them all.
--
../|ug

--- OpenXP 5.0.51
* Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)

On 16 Jan 23 14:57:00, August Abolins said the following to Nick Andre:

I have a customer with a Wordpress site that had similar problems. Oh what a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

My approach with WP is to turn off outside access first. Just
park a landing page with an "offline/maintenance" comment or
something.

Long story short, this was a problem I inherited long ago because the company considered the website to be a techie-thing, therefore techie-things are IT department things no matter what. The company tried to save money by hiring a relative who in turn outsourced the coding of the site to India. The company also hired a young guy as their social-media/website marketing "expert" who
in turn loaded that poor website with all kinds of plugin and widget crapola.

One of a few plugins was hacked, which in turned caused malicious code injected everywhere, on every stinkin' PHP file, and the only way to fix this was to shut off every plugin, manually clean the PHP files and SQL, secure the Linux Apache install it was deployed on... and a hefty invoice for my time.

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (1:229/426)

Hello Nick!

[...] and a hefty invoice for my time.

Sweet. Wish I could do that with the sites that I manage. Most
of mine are charities or non-profits or retired folks.

--
../|ug

--- OpenXP 5.0.51
* Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)

On 16 Jan 23 18:59:00, August Abolins said the following to Nick Andre:

[...] and a hefty invoice for my time.

Sweet. Wish I could do that with the sites that I manage. Most
of mine are charities or non-profits or retired folks.

I've been very fortunate to of built up enough part time remote-work / the work-from-home stuff that my current full time office gig is my "spending money". I was working via VPN, SSH, RDP etc for awhile before the pandemic.

I've largely stopped website work years ago and always focused more on system administration and some niche stuff.

Just happened to be in the right time, right places.

Nick

--- Renegade vY2Ka2
* Origin: Joey, do you like movies about gladiators? (1:229/426)