• LCBO breech

    From August Abolins@2:221/1.58 to All on Mon Jan 16 09:56:00 2023
    I think this might be part of the problem LCBO.com is
    experiencing:

    <small class="copyright"><span>Copyright c 2022 LCBO. All
    rights reserved.</span></small></div><script type="text/ javascript">window.NREUM||(NREUM={});NREUM.info={"beacon":"bam. nr-data.net","licenseKey":"NRJS- 8e25409fe505fc54578","applicationID":"972652360","transactionNa me":"NQFRZBNVCkQFVkxeXgxLclMVXQtZS1ZVRB4LCldVGRsNWQBQQA==","que ueTime":0,"applicationTime":1927,"atts":"GUZSEltPGUo=","errorBe acon":"bam.nr-data.net","agent":""}</script></body></html>

    "https://info.greatis.com > howto > remove-bam-nr-data-net.htm
    How to Remove "BAM.NR-DATA.NET" Virus (PUP.Adware.NR-DATA)
    COMPLETELY ... BAM.NR-DATA.NET is classified as PUP.Adware.NR-
    DATA . Browser Hijacker is a type of MALWARE, that is designed
    to change your browser's settings. You may experience any of
    the following behaviors: your search is getting redirected to
    different websites, your homepage or search engine is changed
    without your permission, etc.

    I'm surprised that LCBO doesn't shut down the site completely
    until all suspect issues are resolved.

    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)
  • From Nick Andre@1:229/426 to August Abolins on Mon Jan 16 10:34:39 2023
    On 16 Jan 23 09:56:00, August Abolins said the following to All:

    I think this might be part of the problem LCBO.com is
    experiencing:

    I have a customer with a Wordpress site that had similar problems. Oh what
    a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

    Not saying the LCBO site was built on it but I find as time goes on, websites tend to be designed around a framework of some kind rather than HTML from scratch... and very little attention is given to security of that framework.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)
  • From August Abolins@2:221/1.58 to Nick Andre on Mon Jan 16 14:57:00 2023
    Hello Nick!

    I have a customer with a Wordpress site that had similar problems. Oh
    what a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

    My approach with WP is to turn off outside access first. Just
    park a landing page with an "offline/maintenance" comment or
    something.

    Then, it is pretty straight forward to walk through the
    directory tree to look for rogue .php files.

    Although php injections are common, they can't avoid several
    things from being spotted.


    Not saying the LCBO site was built on it but I find as time goes on, websites tend to be designed around a framework of some kind rather than HTML from scratch... and very little attention is given to security of that framework.

    I had one particiular site that was purely HTML, but it *still*
    had rogue <script></script> and php content inserted and that
    actually was triggered and active. The hosting service said
    that it can still happen over shared domain space; when one
    client is infected the hack can traverse to other domains on
    the same server. It hasn't happened a 2nd time since I brought
    it to their attention.

    lcbo.com doesn't bear the code markings of a WP site. But I
    notice that places like Indigo and CanadianTire have
    surrendered to Shopify; that's probably fits into the kind of
    framework you're taking about. Hack one Shopify site, hack
    them all.
    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)
  • From Nick Andre@1:229/426 to August Abolins on Mon Jan 16 16:29:56 2023
    On 16 Jan 23 14:57:00, August Abolins said the following to Nick Andre:

    I have a customer with a Wordpress site that had similar problems. Oh what a freaking nightmare that was... in the end I had to completely disable all plugins and widgets until the culprit was found.

    My approach with WP is to turn off outside access first. Just
    park a landing page with an "offline/maintenance" comment or
    something.

    Long story short, this was a problem I inherited long ago because the company considered the website to be a techie-thing, therefore techie-things are IT department things no matter what. The company tried to save money by hiring a relative who in turn outsourced the coding of the site to India. The company also hired a young guy as their social-media/website marketing "expert" who
    in turn loaded that poor website with all kinds of plugin and widget crapola.

    One of a few plugins was hacked, which in turned caused malicious code injected everywhere, on every stinkin' PHP file, and the only way to fix this was to shut off every plugin, manually clean the PHP files and SQL, secure the Linux Apache install it was deployed on... and a hefty invoice for my time.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)
  • From August Abolins@2:221/1.58 to Nick Andre on Mon Jan 16 18:59:00 2023
    Hello Nick!

    [...] and a hefty invoice for my time.

    Sweet. Wish I could do that with the sites that I manage. Most
    of mine are charities or non-profits or retired folks.

    --
    ../|ug

    --- OpenXP 5.0.51
    * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)
  • From Nick Andre@1:229/426 to August Abolins on Tue Jan 17 14:33:13 2023
    On 16 Jan 23 18:59:00, August Abolins said the following to Nick Andre:

    [...] and a hefty invoice for my time.

    Sweet. Wish I could do that with the sites that I manage. Most
    of mine are charities or non-profits or retired folks.

    I've been very fortunate to of built up enough part time remote-work / the work-from-home stuff that my current full time office gig is my "spending money". I was working via VPN, SSH, RDP etc for awhile before the pandemic.

    I've largely stopped website work years ago and always focused more on system administration and some niche stuff.

    Just happened to be in the right time, right places.

    Nick

    --- Renegade vY2Ka2
    * Origin: Joey, do you like movies about gladiators? (1:229/426)