(Topic ID: 208300)

pinwiki - web hosting problem

By smiley

6 years ago


Topic Stats

  • 288 posts
  • 84 Pinsiders participating
  • Latest reply 1 year ago by PinWiz2180
  • Topic is favorited by 18 Pinsiders

    There are 288 posts in this topic. You are on page 2 of 6.
    #51 5 years ago

    [edit]: looks like the search result links might be ok now. I tried visiting without adblock/tracking extensions, I tried on a mobile device, I tried fetching as a googlebot, and none were redirected to a malicious site.

    #52 5 years ago
    Quoted from ForceFlow:

    [edit]: looks like the search result links might be ok now. I tried visiting without adblock/tracking extensions, I tried on a mobile device, I tried fetching as a googlebot, and none were redirected to a malicious site.

    Just tried it again. I get an instant hijack to a survey and winner of some BS.

    #53 5 years ago

    I am still getting hijacked as well, same as one year ago.

    #54 5 years ago

    ChrisHibler can you let them know something is up?

    #55 5 years ago

    I just took a brief look at their site to see what was up, this is part of the problem:

    [image: pasted_image (resized).png]

    All of these are behind on versions that include security updates. There are dozens upon dozens of CVEs for PHP that old alone.

    #56 5 years ago
    Quoted from Wolfmarsh:

    I just took a brief look at their site to see what was up, this is part of the problem:
    [quoted image]
    All of these are behind on versions that include security updates. There are dozens upon dozens of CVEs for PHP that old alone.

    Thanks @wolfmarsh.
    caseydanger .... Casey, please check this out.

    If you start at the PinWiki home page, this isn't an issue. But if you google something that returns a PinWiki link, there seems to be an issue. Thanks for the heads up. I've never used Google to find anything in the Wiki. I always go right to the home page.
    --
    Chris Hibler - CARGPB #31
    http://ChrisHiblerPinball.com/contact
    http://www.PinWiki.com - The Place to go for Pinball Repair Info

    2 weeks later
    #57 4 years ago

    This happens regardless of browser or ISP, and it's been going on for months.
    I've finally captured this with video, and a proxy to show the requests. Sent details via email. If you don't see it, check your spam folder for [email protected].

    4 months later
    #58 4 years ago

    Anyone try Pinwiki recently?
    I just tried and got a damn redirect!

    #59 4 years ago

    Working fine for me.

    #60 4 years ago

    Had a PM from Chris, if I used a google search and click THAT link, I WAS able to access but any other method and I get various re-directs.

    #61 4 years ago

    I finally saw a redirect. It seems like it doesn't happen every time, but once in a while.

    There's certainly been code injected to the site somewhere.

    #62 4 years ago

    got the redirect earlier this morning myself. just checked now and working fine.

    1 month later
    #63 4 years ago

    I saw Casey at Expo and talked to him about this.

    Chris Hibler - CARGPB #31
    Http://chrishiblerpinball.com/contact
    http://www.PinWiki.com/ - The new place for pinball repair info

    1 week later
    #64 4 years ago

    Pinwiki is redirecting me to a scam site this morning. Scam domain is hndry98.live

    #65 4 years ago
    Quoted from YeOldPinPlayer:

    Pinwiki is redirecting me to a scam site this morning. Scam domain is hndry98.live

    Same here.

    #66 4 years ago
    Quoted from YeOldPinPlayer:

    Pinwiki is redirecting me to a scam site this morning. Scam domain is hndry98.live

    This has been redirected via Google Search for a long time... different computers/browsers/ISPs.

    If you google PinWiki and click the returned pinwiki.com links, you get redirected. (below screenshot from my Firefox)

    But if you type in www.pinwiki.com (or use a full link like in Chris H's signature above), it goes to the correct site undisturbed.

    [image: wiki (resized).png]
    #67 4 years ago
    Quoted from Timerider:

    This has been redirected via Google Search for a long time... different computers/browsers/ISPs.
    If you google PinWiki and click the returned pinwiki.com links, you get redirected. (below screenshot from my Firefox)
    But if you type in www.pinwiki.com (or use a full link like in Chris H's signature above), it goes to the correct site undisturbed.[quoted image]

    So his HTTP server's (NGINX) website for "pinwiki.com" was hacked and now redirects.
    The actual site, "www.pinwiki.com" works fine.

    SO, to all - just make sure you put a "www." in front, until he can fix it. (If he will?)

    #68 4 years ago
    Quoted from Timerider:

    This has been redirected via Google Search for a long time... different computers/browsers/ISPs.

    I'm being redirected after using the bookmark I've saved in Firefox. Google is not involved. This behavior is a change.
    Virustotal did not return any malicious results for Pinwiki when I first checked but now (about an hour later) shows one. The scam domain returns a few.

    #69 4 years ago
    Quoted from YeOldPinPlayer:

    Pinwiki is redirecting me to a scam site this morning. Scam domain is hndry98.live

    Casey has been contacted, and stated that PinWiki will have down time this coming week, until he gets this sorted out.

    Jim

    #70 4 years ago
    Quoted from Coyote:

    So his HTTP server's (NGINX) website for "pinwiki.com" was hacked and now redirects.
    The actual site, "www.pinwiki.com" works fine.
    SO, to all - just make sure you put a "www." in front, until he can fix it. (If he will?)

    Entering the URL directly does not work, your browser has probably cached the page. Here is the HTML script when I visit the site.


    <html>
    <head>
    <META http-equiv="refresh" content="1;URL=http://game4648.hndry38.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd">
    <script>
    window.location = "http://game4648.hndry38.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd";
    </script>
    </head>
    <body>
    To the new location please
    <b>click here.</b>
    </body>
    </html>

    #71 4 years ago
    Quoted from Crash:

    Entering the URL directly does not work

    It does if you put in "www.pinwiki.com", and not just "pinwiki.com", which is what I said in my post you quoted.

    #72 4 years ago
    Quoted from Coyote:

    It does if you put in "www.pinwiki.com", and not just "pinwiki.com", which is what I said in my post you quoted.

    What's odd is that it does it on our Windows 10 box, but none of our Linux machines.

    #73 4 years ago
    Quoted from Gott_Lieb:

    What's odd is that it does it on our Windows 10 box, but none of our Linux machines.

    Could be the malicious script checks for OS/user agent. If they only serve malware for Windows & Android they're less likely to be caught if they don't inject the script into a page on a Linux box.

    #74 4 years ago
    Quoted from YeOldPinPlayer:

    Could be the malicious script checks for OS. If they only serve malware for Windows & Android they're less likely to be caught if they don't inject the script into a page on a Linux box.

    Could be a cached issue, too - if the browser has 100% of the page completely cached, and it requests the page from the server and dates match, it will terminate the connection and just use the cached page locally. (This is a simplified summary..) It's possible you WILL see it if you clear the browser's cache. I'm thinking.

    #75 4 years ago
    Quoted from Coyote:

    It does if you put in "www.pinwiki.com", and not just "pinwiki.com", which is what I said in my post you quoted.

    It doesn't for Chromium based browsers on Linux evidently.

    #76 4 years ago

    Compromised wikis serving malware often look at referrers and user agents. They don’t want the site owner to realize the site is compromised. Nor do they want search engines to detect malware.
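The behaviour described in this post and the redirect page quoted in post #70 suggest a check a site owner can run on their own site: fetch the same URL under several User-Agent/Referer combinations and compare what comes back. The following is an added example, not part of the thread; the sample bodies are constructed, the redirect host `scam.example` is a placeholder, and the variant labels are assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

META_URL = re.compile(r"""url\s*=\s*["']?([^"';]+)""", re.I)
JS_REDIRECT = re.compile(
    r"""location(?:\.href)?\s*(?:=|\.(?:replace|assign)\s*\()\s*["']([^"']+)""")

class RedirectFinder(HTMLParser):
    """Collects client-side redirect targets from one HTML response body."""
    def __init__(self):
        super().__init__()
        self.targets, self._in_script = [], False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1).strip()))
        self._in_script = tag == "script"

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.targets += [("script", u) for u in JS_REDIRECT.findall(data)]

def offsite_redirects(html, site):
    """Return (kind, url) pairs whose host is neither `site` nor a subdomain of it."""
    finder = RedirectFinder()
    finder.feed(html)
    finder.close()
    out = []
    for kind, url in finder.targets:
        host = urlparse(url).hostname  # None for relative URLs, which stay on-site
        if host and host != site and not host.endswith("." + site):
            out.append((kind, url))
    return out

def cloaked_variants(bodies, site):
    """Labels of the request variants whose response redirects off-site."""
    return sorted(k for k, html in bodies.items() if offsite_redirects(html, site))

# Constructed samples: INFECTED mirrors the structure of the page in post #70.
INFECTED = """<html><head>
<META http-equiv="refresh" content="1;URL=http://scam.example/?t=1">
<script>
window.location = "http://scam.example/?t=1";
</script>
</head><body>To the new location please <b>click here.</b></body></html>"""
CLEAN = """<html><head>
<meta http-equiv="refresh" content="0;URL=https://www.pinwiki.com/wiki/index.php">
</head><body>PinWiki</body></html>"""
BODIES = {"typed URL, Linux UA": CLEAN, "search referer, Windows UA": INFECTED}

if __name__ == "__main__":
    print(cloaked_variants(BODIES, "pinwiki.com"))
```

A difference between variants is the signal; identical clean responses do not prove the site is clean, since the injected code may also trigger on time of day or visit count.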

    #77 4 years ago
    Quoted from Crash:

    It doesn't for Chromium based browsers on Linux evidently.

    Interesting - I remember a few years back I had a browser (on Windows) that no matter WHAT address I entered in, it would AUTOMATICALLY add "www." to the beginning of it - which was a real PITA for FTP sites. (www.ftp.ngs.noaa.gov? ... that won't work.)

    Anyways, that's good to know. Since I'm a web applications developer, I have special browsers that let me poke at the communication, and that's how I saw that.

    #78 4 years ago

    Hey all. It's Casey. Long story short, a long while ago (I guess when this thread originally started?) there was a compromise hit in the backend software that runs the wiki. Thought I had it fully cleaned up, turns out something got missed somewhere. I've also been behind on doing some upgrades (stability, security, and features). Took the time to take care of everything at once. This was no small feat, as the database for the wiki is BIG, and that doesn't include all the uploads. To make sure this was a CLEAN install with nothing lingering, the whole software side of things was from a fresh install.

    With all of that going on, several changes have occurred. The most important one was getting off an older version of MediaWiki (the software behind the curtain). Honestly, I had been putting this off as the version we were running vs. the latest stable had multiple incompatibilities to work through preventing a direct upgrade path, but I was able to work through it. Secondly, we are now running a mobile native theme. If you are on desktop, you aren't going to notice a difference, but on mobile, things lay out a lot better for smaller screens. So far in testing, I have not had any issues, however I will call the mobile theming a "beta" experience at the moment until more people get digging into it. Lastly, we are now forcing HTTPS. We have supported it for over a year or so, but now we are defaulting to it. Last time I put a MediaWiki site onto HTTPS required, there were a few speed bumps in getting all extensions and even the base install to run 100%. With that said, on my test platforms, everything is now smoothly working. I have some more minor upgrades this week that are planned, mostly adding some extensions to increase functionality, speed of website, and add a few new features. Everything should be "complete" by November 10th. In the meantime, you may see messages on the site about it being "read-only" or down for an upgrade. 99% of the time if one of these situations is occurring then the index page will have a banner on it stating such. If there are no "warning" messages up, and you encounter an issue, that would be bad, so please let me know!

    With all of this said, I do not normally frequent Pinside, but I will spend this week and next checking in on this thread to see if anyone has any further issues. If you find anything wrong, reply in this thread or PM me.

    I do appreciate the heads up on the matter (shoutout to Chris Hibler and JT Amusements). PinWiki was started way back in 2011, and has grown way bigger than I ever expected it to. It's now nearly the end of 2019, and we have really lived up to our slogan, "THE place for everything pinball". As always, we run on the occasional donation, and mostly the money out of my own pocket as a hobby. I made a promise to the community 8 years ago that PinWiki was (and still is) here to stay, and that has not changed, and the pipeline has a few things in it to keep PinWiki growing. We greatly appreciate everyone who has contributed to the site (both in donations and in information).

    #79 4 years ago

    I've been filling in information on American Pinball lately.

    #80 4 years ago

    Ken, I have noticed that and GREATLY appreciate it! I personally am going to be trying to populate more information for some of the newer manufacturers as we can, but some of these games have been hard to track down locally to get the detailed information.

    #81 4 years ago

    My buddy Welby Bergum bought a Houdini and I've been using that machine to help fill in more information in the American Pinball section. I must say, American Pinball really has great quality construction, good playfield parts, and they listen to us technicians in the field.

    #82 4 years ago

    Thanks for the update and your efforts with hosting the site. It's been a valuable resource that I both use and contribute to frequently.

    #83 4 years ago

    While I'm thinking of it. Any features anyone is looking for on the wiki? Now is the time to speak while I'm playing with feature additions.

    Also, no problem ForceFlow! I see your name regularly in the edits too. Greatly appreciated!

    PinWiki performance and page load time should be SIGNIFICANTLY better now too. Spent some time optimizing the database and setting up some new items that help with page generation. Once again, if you find anything that doesn't seem to load right or anything of that nature, let me know. I did some extensive testing before pushing any of these updates to production, but it doesn't mean I didn't miss a minor detail anywhere.

    #84 4 years ago

    It's been like this for a while, at least a year, but had previously been set up so that it would redirect randomly (or targeted), but if you revisited the URL it would show you the correct page. I kept forgetting to report it after getting lost in whatever I went there to read in the first place, but I knew it wasn't anything wrong with my browser.

    Now the malware is just going balls out and redirecting everyone.

    You'd be better off taking the website offline while you fix it in my opinion, or at least making it inaccessible without a password or whatever. Google will start penalising your rankings if it hasn't already.

    #85 4 years ago

    Durzel, are you still experiencing this as of today?

    #86 4 years ago

    I was when I posted three hours ago. I just tried it again now and it appears to work, at least for the page I was trying to go to originally - https://www.pinwiki.com/wiki/index.php?title=Williams_WPC

    Scratch that, it's still redirecting.

    #87 4 years ago

    I experience a redirect every time I visit the page on the first try. Close and try again in a new tab and it works.

    #88 4 years ago

    Yeah it's still redirecting for me. Think I just had a one off where the malware which is obviously in total control of the website allowed me to view the page I actually wanted to see.

    Tried it in a private browser window (so no cache) with the same results.

    #89 4 years ago

    If you want some secondary hosting, send me a PM. I run the Pinball Makers Wiki so I’m already paying for hosting!

    #90 4 years ago

    Just as I haven't been able to cause it on my end, can someone give me details of OS, browser, etc.? Really wanna get this squashed.

    #91 4 years ago

    Also getting redirected when clicking a PinWiki link on Google. Now it redirects me every time, while earlier it would only redirect me once, then if I went back and clicked the link again it would go to PinWiki normally.

    Firefox 70 on Windows 10 x64, Dutch

    #92 4 years ago

    Thanks for the info, let me see what I can do.

    #93 4 years ago
    Quoted from PinWiz2180:

    Give it a whirl now when you get a chance.

    In the past I had not had issue with direct queries to the site. But just trying now when I went to pinwiki.com I got a malicious redirect. If I go to www.pinwiki.com I do not.

    This coming from a chrome osx browser.

    ETA: It seems inconsistent... so I guess there is some conditional/randomness thrown in by the malicious code

    #94 4 years ago

    As mentioned before there is clearly some code involved that is checking the browser user-agent to avoid showing the malware code all of the time. It could also be redirecting at certain times of the day and/or a certain number of times before going dormant for a while, etc.

    I have alternately been able to access the wiki and at other times been redirected every time.

    The problem is - if the malware is deeply embedded in the PHP code then it will be deciding when to show itself and when not to, so a scan of the HTML source code might not necessarily reveal anything.

    You would need to do some analysis of the actual files on the server to ascertain what has been changed, etc from the default wiki files.

    #95 4 years ago
    Quoted from Durzel:

    I have alternately been able to access the wiki and at other times been redirected every time.

    Are you checking it OUTSIDE of your local network? It seems to be a base addressing issue. (i.e. "pinwiki.com" vs "www.pinwiki.com" - which if you hit that using your own DNS server or IP, may not be hitting the same code we all are.)

    #96 4 years ago

    I’m not the only person this is happening to.

    I know it’s got nothing to do with www vs non-www. The video above shows it happening going via a Google link (which is www).

    I also have a video of me using incognito mode (so no cache, no cookies) and the same thing happening.

    It’s got nothing to do with DNS, unless the guy's DNS has been hacked and is pointing somewhere completely different, it’s compromised website code that does a META refresh on load.

    The above said, it hasn’t done it the last few times I’ve tried it, but it also worked for a while earlier too.

    #97 4 years ago

    Durzel, I was able to replicate based on your info you gave me earlier. I'm working on a few things related to it now.

    #98 4 years ago
    Quoted from Durzel:

    The video above shows it happening going via a Google link (which is www).

    Have to politely disagree, @durzel - in your video, under the link you click? It PLAINLY reads "pinwiki.com", not "www.pinwiki.com".

    #99 4 years ago
    Quoted from Coyote:

    Have to politely disagree, @durzel - in your video, under the link you click? It PLAINLY reads "pinwiki.com", not "www.pinwiki.com".

    What video? I haven’t posted a video...

    I have a video on my work computer of me opening an incognito browser, typing in (well, copy and pasting) https://www.pinwiki.com/wiki/index.php?title=General#General_Illumination, landing on the page and immediately getting redirected to a dodgy website which my work malware scanner blocks, similar to the video above that goes via a Google search.

    Don’t really know what to tell you tbh, I know how this stuff works as I do it for a living.

    Notwithstanding any of that, www or lack thereof makes no difference whatsoever since it’s not a DNS level hijack, it’s a meta refresh on the website. https://pinwiki.com 301 (permanent) redirects to https://www.pinwiki.com in any event.

    #100 4 years ago

    Try searching the php files for base64_encode() and base64_decode() functions. The last time I looked at an infected site, that's what was used to compact the malicious code and hide it with a similar browser agent detect function.

    [edit]: https://blog.resellerspanel.com/latest-news/how-to-quickly-fix-base64-infected-website.html
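The search suggested in this post can be combined with the comparison against the default wiki files suggested in post #94, so that stock code which legitimately calls `base64_encode()` is not flagged. The following is an added example, not part of the thread and not MediaWiki's own tooling; the indicator patterns, directory layout and sample files are assumptions constructed for the demonstration, and the injected line is inert.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Heuristics only: every hit needs manual review.
INDICATORS = {
    "eval-of-decoded": re.compile(
        rb"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I),
    "base64-call": re.compile(rb"base64_(?:en|de)code\s*\(", re.I),
    "long-base64-literal": re.compile(rb"['\"][A-Za-z0-9+/=]{200,}['\"]"),
    "ua-or-referer-check": re.compile(
        rb"\$_SERVER\s*\[\s*['\"]HTTP_(?:USER_AGENT|REFERER)['\"]", re.I),
}

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(live_root, clean_root):
    """Report each .php file under live_root that differs from, or is absent in,
    a pristine copy of the same release, with the indicators it matches."""
    report = {}
    for f in sorted(Path(live_root).rglob("*.php")):
        rel = f.relative_to(live_root).as_posix()
        ref = Path(clean_root) / rel
        if ref.is_file() and sha256(ref) == sha256(f):
            continue  # byte-identical to the release: nothing to review
        status = "modified" if ref.is_file() else "not-in-release"
        data = f.read_bytes()
        report[rel] = (status, sorted(n for n, rx in INDICATORS.items() if rx.search(data)))
    return report

def demo():
    """Build two small constructed trees in a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        stock = {"index.php": b"<?php echo 'wiki';\n",
                 "includes/Hash.php": b"<?php return base64_encode($raw);\n"}
        for root in (clean, live):
            for rel, body in stock.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_bytes(body)
        # Constructed, inert stand-in for an injected loader ('aW5lcnQ=' is "inert").
        injected = (b"<?php if (isset($_SERVER['HTTP_REFERER'])) "
                    b"{ eval(base64_decode('aW5lcnQ=')); } ?>\n")
        (live / "index.php").write_bytes(injected + stock["index.php"])
        # Site configuration is expected to be absent from the release tarball.
        (live / "LocalSettings.php").write_bytes(b"<?php $wgSitename = 'Example';\n")
        return audit(live, clean)

if __name__ == "__main__":
    for rel, (status, hits) in demo().items():
        print(rel, status, hits)
```

The clean tree must be the exact release the site runs, obtained from a trusted source; files outside the web root, the database and scheduled jobs are not covered by this check.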


    This page was printed from https://pinside.com/pinball/forum/topic/pinwiki-1/page/2 and we tried optimising it for printing. Some page elements may have been deliberately hidden.
