Subj : LCBO breech
To   : Nick Andre
From : August Abolins
Date : Mon Jan 16 2023 14:57:00

Hello Nick!

NA> I have a customer with a Wordpress site that had similar problems. Oh
NA> what a freaking nightmare that was... in the end I had to completely
NA> disable all plugins and widgets until the culprit was found.

My approach with WP is to turn off outside access first. Just park a
landing page with an "offline/maintenance" comment or something. Then, it
is pretty straightforward to walk through the directory tree to look for
rogue .php files. Although php injections are common, they can't avoid
several things from being spotted.

NA> Not saying the LCBO site was built on it but I find as time goes on,
NA> websites tend to be designed around a framework of some kind rather than
NA> HTML from scratch... and very little attention is given to security of
NA> that framework.

I had one particular site that was purely HTML, but it *still* had rogue
and php content inserted and that actually was triggered and active. The
hosting service said that it can still happen over shared domain space;
when one client is infected the hack can traverse to other domains on the
same server. It hasn't happened a 2nd time since I brought it to their
attention.

lcbo.com doesn't bear the code markings of a WP site. But I notice that
places like Indigo and CanadianTire have surrendered to Shopify; that
probably fits into the kind of framework you're talking about. Hack one
Shopify site, hack them all.

--
../|ug

--- OpenXP 5.0.51
 * Origin: A turtle that surfs the dark web. [o] A TORtoise (2:221/1.58)
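The "walk the directory tree to look for rogue .php files" step above, as an added example that is not part of the original message or of any tool the author uses. It runs two checks a defender can apply to an offline copy of a WordPress document root: PHP files sitting under wp-content/uploads or wp-content/cache (where a stock install never writes PHP), and PHP files whose contents match a few common obfuscation idioms. The directory list, the pattern list and the sample site tree (built in a temp directory with made-up file names and contents) are all assumptions for illustration, not an exhaustive signature set.

```python
"""Scan a WordPress document root for PHP files that don't belong.

Added example, not from the original message. The sample site tree is
constructed in a temp directory so the script runs offline; its file
names and contents are made up for the example.
"""
import re
import tempfile
from pathlib import Path

# Directories where a legitimate WordPress install should never contain PHP
# (assumption for this example).
NO_PHP_DIRS = ("wp-content/uploads", "wp-content/cache")

# Obfuscation idioms often seen in injected PHP. Illustrative assumption,
# not an exhaustive signature set.
SUSPICIOUS = [
    # eval() wrapped around a decoder call
    re.compile(rb"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)"),
    # preg_replace with the deprecated /e modifier (code execution)
    re.compile(rb"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]"),
    # request parameter used as a function name and called with another parameter
    re.compile(rb"\$_(GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(\s*\$_(GET|POST|REQUEST|COOKIE)"),
]


def scan_tree(root):
    """Return a sorted list of (relative_path, reason) findings under root."""
    root = Path(root)
    findings = []
    for path in root.rglob("*.php"):
        rel = path.relative_to(root).as_posix()
        # Check 1: PHP in a directory that should only hold static content.
        if any(rel.startswith(d + "/") for d in NO_PHP_DIRS):
            findings.append((rel, "php-in-upload-dir"))
            continue
        # Check 2: obfuscation idioms in the file body.
        try:
            data = path.read_bytes()
        except OSError:
            continue
        for pat in SUSPICIOUS:
            if pat.search(data):
                findings.append((rel, "obfuscated-code"))
                break
    return sorted(findings)


def build_sample_tree():
    """Create a constructed WordPress-like tree: two clean files, two rogue ones."""
    root = Path(tempfile.mkdtemp(prefix="wpscan-"))
    files = {
        # Clean: stock front controller and a theme functions file.
        "index.php": b"<?php define('WP_USE_THEMES', true); require __DIR__ . '/wp-blog-header.php';\n",
        "wp-content/themes/sample-theme/functions.php": b"<?php add_theme_support('title-tag');\n",
        # Constructed rogue file 1: PHP dropped into the uploads directory.
        "wp-content/uploads/2023/01/image.php": b"<?php echo 'not an image';\n",
        # Constructed rogue file 2: obfuscated payload in a plugin-like path
        # (the base64 argument is a placeholder, not a real payload).
        "wp-content/plugins/helper/helper.php": b"<?php eval(base64_decode('PLACEHOLDER'));\n",
    }
    for rel, content in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(content)
    return root


if __name__ == "__main__":
    site = build_sample_tree()
    for rel, reason in scan_tree(site):
        print(f"{reason:20} {rel}")
```

Run it against a copy of the real document root by calling scan_tree() with that path instead of the constructed tree; with the site already parked behind a maintenance page, a file list like this is a manageable starting point for a manual review of anything flagged.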