(Topic ID: 208300)

pinwiki - web hosting problem

By smiley

3 years ago


Topic Stats

  • 280 posts
  • 81 Pinsiders participating
  • Latest reply 1 year ago by KerryImming
  • Topic is favorited by 17 Pinsiders

    There are 280 posts in this topic. You are on page 3 of 6.
    #101 1 year ago
    Quoted from PinWiz2180:

    Durzel, I was able to replicate based on your info you gave me earlier. I'm working on a few things related to it now.

    For what it’s worth you may well have already fixed it as I haven’t been able to reproduce it again with several browsers. I also ran it through some malware scanners too without problems.

    It could of course be dormant at the moment, the base64 point mentioned above is a good one. If it were me I’d be upgrading the wiki software to latest and running a file contents comparison against a known good directory tree.

    #102 1 year ago
    Quoted from ForceFlow:

    Try searching the php files for base64_encode() and base64_decode() functions. The last time I looked at an infected site, that's what was used to compact the malicious code and hide it with a similar browser agent detect function.
    [edit]: https://blog.resellerspanel.com/latest-news/how-to-quickly-fix-base64-infected-website.html

    Ooh, good find!
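As an added example that is not code from the thread or from PinWiki, here are the two checks suggested in posts #101 and #102 in one script: search the PHP tree for obfuscation helpers such as base64_decode(), and compare the live tree against a known-good copy by hash. The sample trees, the inert PLACEHOLDER blobs and the file names are constructed here.

```python
import hashlib
import os
import re
import tempfile

# PHP constructs that injected redirect or backdoor code commonly chains (post #102).
# A hit is a lead to inspect by hand, not proof: legitimate code uses these too.
SUSPECT_RE = re.compile(
    r"\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(", re.I)

def _rel(path, root):
    return os.path.relpath(path, root).replace(os.sep, "/")

def scan_php(root):
    """Return {relative path: sorted suspect function names} for PHP files under `root`."""
    findings = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith((".php", ".inc", ".phtml")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", "replace")
            hits = sorted({m.group(1).lower() for m in SUSPECT_RE.finditer(text)})
            if hits:
                findings[_rel(path, root)] = hits
    return findings

def sha256_tree(root):
    """Map relative path -> sha256 hex digest for every file under `root`."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                digests[_rel(path, root)] = hashlib.sha256(f.read()).hexdigest()
    return digests

def diff_trees(good_root, live_root):
    """Files in the live tree that differ from, or are absent in, the known-good tree (post #101)."""
    good, live = sha256_tree(good_root), sha256_tree(live_root)
    return {"modified": sorted(p for p in live if p in good and live[p] != good[p]),
            "added": sorted(p for p in live if p not in good)}

def build_demo():
    """Construct a known-good tree and a live tree with one tampered and one dropped file."""
    good, live = tempfile.mkdtemp(), tempfile.mkdtemp()
    clean = "<?php\nrequire_once 'includes/WebStart.php';\n$mediaWiki = new MediaWiki();\n"
    # Inert stand-in for an injection: agent check wrapped around an eval'd blob (PLACEHOLDER).
    injected = clean + "if (preg_match('/Mobile/', $_SERVER['HTTP_USER_AGENT'])) { eval(base64_decode('PLACEHOLDER')); }\n"
    for root, body in ((good, clean), (live, injected)):
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write(body)
    with open(os.path.join(live, "cache.php"), "w") as f:
        f.write("<?php eval(gzinflate(base64_decode('PLACEHOLDER')));\n")
    return good, live

if __name__ == "__main__":
    good, live = build_demo()
    print("suspect constructs:", scan_php(live))
    print("vs known-good tree:", diff_trees(good, live))
```

Against a real install, point scan_php at the web root and diff_trees at a freshly unpacked copy of the same MediaWiki release; anything listed under "added" or "modified" that is not LocalSettings.php or an upload is worth reading line by line.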

    #103 1 year ago
    Quoted from Durzel:

    What video? I haven’t posted a video...

    Sorry, sorry, I wasn't paying attention to the right post. Sorry.

    #104 1 year ago

    I think it may be squashed. No redirects here and I always get them.

    #105 1 year ago

    I *think* we have this squashed. Took a LOT of time reviewing files to make sure nothing was left over malicious. I can't find anything else lingering, and can't cause it to happen anymore. If anyone has it happen again, let me know immediately. Beefed up some security items while I was at it. Things seem to be back on track and running smooth. Appreciate the help from all. Especially on this one, as like I've said I struggled to replicate the problem for some reason on my daily setup, so getting detailed info from some of you guys helped me to SEE the problem.

    #106 1 year ago

    I just got hit. Safari. iphone SE

    #107 1 year ago

every time I go to this
    pinwiki.com › wiki › title=Bally › Stern_Electronics_Repair_Guides
    it takes me to this
    http://app6861.smmhck52.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd&f=1

    I have to left click on the arrow to go to cached to open.
Been doing it for the past few days that I know about. Most other pages seem fine, it's just the bally/stern part.

    #108 1 year ago

    I am being redirected on mobile only right now.

    Desktop (windows 10, Chrome browser) is going straight to the wiki if I use pinwiki.com or www.pinwiki.com

    Mobile (android 9, Chrome browser is being redirected to the: http://app6861.smmhck52.live link. It is redirecting both www.pinwiki.com and pinwiki.com

    #109 1 year ago

    Yep, it was fixed for a bit, but now I'm getting redirected again

    #110 1 year ago

    Pinwiki.com Works for me, iPad using safari.

    #111 1 year ago

I'm running OSX 10.13.6, and it appears to be working ok in Safari, but when I try to open the site in Firefox, I am getting re-directed. This is even after I have cleared my cache.

    #112 1 year ago

    Windows 10, Firefox latest, redirected to a scam site :-/
    But it works fine with IE11.

    #113 1 year ago
    Quoted from hocuslocus:

every time I go to this
    pinwiki.com › wiki › title=Bally › Stern_Electronics_Repair_Guides
    it takes me to this
    http://app6861.smmhck52.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd&f=1
    I have to left click on the arrow to go to cached to open.
Been doing it for the past few days that I know about. Most other pages seem fine, it's just the bally/stern part.

    Same... I was ok, until I clicked https://www.pinwiki.com/wiki/index.php?title=Bally/Stern while navigating from the main page...

    Looking at the payload... this is certainly all server side. My clean HTTP GET to GET /wiki/index.php?title=Bally/Stern HTTP/1.1

    returned a body with

    <META http-equiv="refresh" content="1;URL=http://apps4509.nonamesrv97.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd">
    <script>
    window.location = "http://apps4509.nonamesrv97.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd";
    </script>
    </head>

    So it has to be something in the server or php code. There isn't any malicious js being fed to the client to change the requests/etc.

    #114 1 year ago

    Just got malware on mobile.

    Let me know if you need a hand fixing it. I do this stuff for a living.

    #115 1 year ago
    Quoted from radium:

    Just got malware on mobile.
    Let me know if you need a hand fixing it. I do this stuff for a living.

I sent him a PM yesterday offering my help as well but I haven't heard back yet. While I don't specifically do malware remediation I am a DevOps/Systems Engineer (yes I know devops isn't really a job title but the industry has decided otherwise)

    #116 1 year ago

    yep, pinwiki is still down.

    #117 1 year ago

    Yup I just hit it going to the homepage.

    #118 1 year ago

    Yeah the infection is back full blown. I couldn't even load the page I was going to. Just forwarded me every time. I couldn't see anything in the console in chrome on where the forward was happening. I'm not very familiar with that console though. I'll poke around with some more advanced tools today.

    #119 1 year ago

    Request:


    GET /wiki/index.php?title=Williams_System_9_-_11 HTTP/1.1

    Host: www.pinwiki.com
    Connection: close
    DNT: 1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
    Sec-Fetch-User: ?1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9

    Response:


    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2019 15:51:14 GMT
    Server: nginx/1.17.3
    Content-Type: text/html; charset=UTF-8
    Content-Length: 575
    Vary: Accept-Encoding
    X-Server-Cache: true
    X-Proxy-Cache: HIT

    <html>
    <head>
    <META http-equiv="refresh" content="1;URL=http://pinside.com">

    <script>

    window.location = "http://pinside.com";

    </script>
    </head>
    <body>

    To the new location please
    <b>click here.</b>

    </body>
    </html>

I edited the URLs in the response so that I don't pollute pinside with malware links. From the looks of how this is being done either the infection is in the mediawiki code or perhaps within the webserver configuration.

    Additionally the fact that the infection seemed to slowly come back seems to indicate that perhaps there is a rootkit or other backdoor installed to allow access back to reinfect the site. I'm going to guess that the server was not nuked from orbit and data migrated. Really the best course of action when you're dealing with a known infection is to nuke it from orbit and start over.

    #120 1 year ago

    Still happening. Is anyone working to resolve this?

    #121 1 year ago

    I just clicked on a link that appeared for the system 11 page in google, and got redirected.

    #122 1 year ago

    Won’t go to pinwiki anymore as I always get redirected.

    #123 1 year ago

    On one of my computers I'm logged in, and I can get to Pinwiki. If not logged in, I can't get there.

    You can do a Google search and look at cached pages. The Wayback Machine (archive.org) probably also works, haven't checked though.

    I hope Casey is working on this. As of now the site is pretty much worthless.

    Edit: You can also get to the site if you block scripting.

    #124 1 year ago

    Is there anything we can do to pitch in and help clean this up?

    #125 1 year ago

    Multiple people have offered their assistance, myself included. That was over a week ago. I never heard back. He hasn't even shown up in the thread to acknowledge he's aware and working on it.

    #126 1 year ago

    For those of you trying to visit the site but still having problems: I've been viewing the pages I need using the Internet Archive Wayback Machine and then saving them as PDFs to my computer.

    #127 1 year ago

    Sorry, last 2 weeks I've had multiple personal emergencies come up, that have pulled me away from both PinWiki work as well as even making it on here to let you all know. Site is expected to be 100% inaccessible at some point this week as I seem to have found root cause of issue, but will require a full shut off of site for a day or two to get it taken care of. I appreciate the help offers (I have had 2 different cyber security/DevOps types offer to help). If I ran into another snafu after this go round, I will be in touch with you guys who offered.

    #128 1 year ago
    Quoted from PinWiz2180:

    Sorry, last 2 weeks I've had multiple personal emergencies come up, that have pulled me away from both PinWiki work as well as even making it on here to let you all know. Site is expected to be 100% inaccessible at some point this week as I seem to have found root cause of issue, but will require a full shut off of site for a day or two to get it taken care of. I appreciate the help offers (I have had 2 different cyber security/DevOps types offer to help). If I ran into another snafu after this go round, I will be in touch with you guys who offered.

    Good luck with the personal stuff. Pinwiki is a great resource for us, but take care of yourself first please!

    #129 1 year ago

    It appears the "Upload File" link has been removed. It must be temporarily disabled.

    #130 1 year ago

    Ken, I have uploads temporarily disabled, when I get things ironed out through this week, uploads will go back on. Sorry for the hassle.

    #131 1 year ago

    I have been adding information to the CAPCOM section today as well as correcting typos. As soon as the upload file feature is restored, I have some pictures to add to the Capcom section.

    #132 1 year ago
    Quoted from KenLayton:

    I have been adding information to the CAPCOM section today as well as correcting typos. As soon as the upload file feature is restored, I have some pictures to add to the Capcom section.

    Nice! I have a Capcom resetting issue that is not documented there yet.

    #133 1 year ago
    Quoted from PinWiz2180:

    Sorry, last 2 weeks I've had multiple personal emergencies come up, that have pulled me away from both PinWiki work as well as even making it on here to let you all know. Site is expected to be 100% inaccessible at some point this week as I seem to have found root cause of issue, but will require a full shut off of site for a day or two to get it taken care of. I appreciate the help offers (I have had 2 different cyber security/DevOps types offer to help). If I ran into another snafu after this go round, I will be in touch with you guys who offered.

Thanks for your hard work! Pinwiki is an invaluable resource!!

    #134 1 year ago

    iPhone iOS 13.3

    Safari via pin wiki or google redirects for stern/bally link

    Chrome works

    Which I find odd as chrome on iOS is just a wrapper of safari

    1 week later
    #135 1 year ago

    I'm getting redirected and multiple pop ups when trying to access some parts of PinWiki.
    Samsung S10 using the Samsung browser.

    #136 1 year ago

    Same. Samsung S10 with chrome

    #137 1 year ago

    Yeah. Why is it the site is always hacked? Moto z force phone.

    How does this happen?

    #138 1 year ago
    Quoted from Friengineer:

    Yeah. Why is it the site is always hacked? Moto z force phone.
    How does this happen?

    Because Casey doesn’t fully understand what he is doing? He should have reached out for help a long time ago it sounds like from reading this thread.

    #139 1 year ago

    Bummer! Shame to lose this resource... Again. I better get to the Wayback machine.

    #140 1 year ago

    The annoying part is not knowing what sort of sh*t these sites have put on my phone.

    #141 1 year ago

    You can use archive.org’s “the Wayback Machine” to see point-in-time copies of many websites. Here’s a copy from March, which should be far enough back to avoid the cruft:

    https://web.archive.org/web/20180126191428/http://www.pinwiki.com/wiki/

    #142 1 year ago

    ... OOooor...
just make sure the URL has "www." in front of the domain name.. I still use the site, just did this past weekend.

    #143 1 year ago
    Quoted from Coyote:

    ... OOooor...
just make sure the URL has "www." in front of the domain name.. I still use the site, just did this past weekend.

    Doesn't always work for me

    #144 1 year ago
    Quoted from Coyote:

    ... OOooor...
just make sure the URL has "www." in front of the domain name.. I still use the site, just did this past weekend.

    Ooooeeeee?
    That's a fine fix as well as the way back machine but we are a couple of farts away from 2020. There is no reason why a website should act like it's 2002.

No offense to anyone especially the owner of the site. I appreciate your work but how can the pinball community help? Is it a problem with the code? Let's redesign the site. I care more about the info than the wiki look.

    Is it the fact anyone can edit the site? Let's shut that function down and come up with a submission process.

    What is the problem and what radical change needs to be made? Fuck my phone beeping and flashing when I look at the Sys80 info!

    #145 1 year ago
    Quoted from Friengineer:

    That's a fine fix as well as the way back machine but we are a couple of farts away from 2020. There is no reason why a website should act like it's 2002.

    I don't think that actually does anything. www or non-www doesn't seem to affect the malicious redirects. It might be based on the browser agent, referral, or cookie data, or some combination thereof.

    Quoted from Friengineer:

    Is it a problem with the code?

    I suspect there is malicious code embedded in some of the php files. It's a common method of infection and selective redirection so that some visitors get redirected and others do not. It's a way to stay hidden longer.

    These infections usually occur when there's a vulnerability in a website. Unfortunately, the wiki had not been updated in a while, so it's likely a malicious actor took advantage of an unpatched vulnerability and used that as a means to embed code into the site.

    The site was upgraded, and hopefully would have replaced the infected files, but this appeared not to be the case. So either there's still some infected files that were left in place (sometimes not all files need to be replaced during an upgrade), possibly some malicious code ended up in the database, possibly that malicious database code wrote itself back into the php files, or the site somehow got reinfected by other means.

    Without actually getting eyes on the source code or database, all I can do is speculate. It sounds like Casey received a few offers of help with cleaning out the infection--I'm not sure if that went anywhere yet or not since Casey's last post in the thread here.

    Quoted from Friengineer:

    Let's redesign the site. I care more about the info then the wiki look.

    A wiki is not a look. It's a type of website. It allows others to collaboratively edit the structure and content, and also logs the changes.

    Currently, a wiki is the best engine to use when multiple people are editing content on a single website, unlike with a blog where there is basically only one author.

    Quoted from Friengineer:

    Is it the fact anyone can edit the site? Let's shut that function down and come up with a submission process.

    No, only users with user accounts can edit, and those user accounts need to be approved manually.
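As an added example that is not code from the thread or from PinWiki, here is a defender-side check for the behaviour posts #119, #145 and #148 describe: fetch the same page under a few host, user-agent and referrer variants and flag any response whose meta refresh or window.location points to a host other than the site itself. The sample bodies, the placeholder host redirect-target.example, the variant labels and the fake_fetch stub are constructed here.

```python
import re
from urllib.parse import urlparse

# Constructed sample bodies. INJECTED_BODY has the shape quoted in post #119 (meta
# refresh plus window.location) with a placeholder host as the redirect target.
INJECTED_BODY = """<html><head>
<META http-equiv="refresh" content="1;URL=http://redirect-target.example/?utm_campaign=x">
<script>
window.location = "http://redirect-target.example/?utm_campaign=x";
</script>
</head><body>To the new location please <b>click here.</b></body></html>"""
CLEAN_BODY = "<html><head><title>Bally/Stern - PinWiki</title></head><body>ok</body></html>"

META_RE = re.compile(r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']+)["\']', re.I)
LOC_RE = re.compile(r'(?:window\.|document\.|top\.)?location(?:\.href)?\s*=(?!=)\s*["\']([^"\']+)["\']', re.I)

def bare_host(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host

def offsite_redirects(body, own_host):
    """Return each redirect target in `body` whose host is not the site itself
    (www and bare forms of `own_host` both count as the site; relative URLs are ignored)."""
    targets = []
    for content in META_RE.findall(body):
        m = re.search(r'url\s*=\s*(\S+)', content, re.I)
        if m:
            targets.append(m.group(1))
    targets += LOC_RE.findall(body)
    hits = []
    for t in targets:
        host = urlparse(t).hostname
        if host and bare_host(host) != bare_host(own_host):
            hits.append(t)
    return hits

# Variants worth comparing: post #145 suggests the redirect may key on user agent,
# referrer or cookies, and post #148 reports the bare and www hosts behaving differently.
VARIANTS = {
    "bare host, desktop": ("pinwiki.com", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78.0", ""),
    "www host, desktop": ("www.pinwiki.com", "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/78.0", ""),
    "bare host, mobile via search": ("pinwiki.com", "Mozilla/5.0 (Linux; Android 9) Mobile Chrome/78.0", "https://www.google.com/"),
}

def probe(fetch, path, variants=VARIANTS):
    """Fetch `path` under each variant via `fetch(host, path, headers) -> body` and map
    each label to the off-site redirect targets found in that response."""
    report = {}
    for label, (host, ua, referer) in variants.items():
        headers = {"User-Agent": ua}
        if referer:
            headers["Referer"] = referer
        report[label] = offsite_redirects(fetch(host, path, headers), host)
    return report

def fake_fetch(host, path, headers):
    """Offline stand-in reproducing the thread's report: bare host injected, www host clean."""
    return INJECTED_BODY if host == "pinwiki.com" else CLEAN_BODY

if __name__ == "__main__":
    for label, hits in probe(fake_fetch, "/wiki/index.php?title=Bally/Stern").items():
        print(f"{label:30s} {'REDIRECT -> ' + hits[0] if hits else 'clean'}")
```

Against the live site, replace fake_fetch with a function that performs the HTTP request with the given host and headers and returns the body; a variant that is flagged while another is clean tells you which request attribute the injected code keys on.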

    #146 1 year ago

    Sounds like they need to wipe the server and put a fresh wiki on, then import the old pages again or something.

    #147 1 year ago
    Quoted from zacaj:

    Sounds like they need to wipe the server and put a fresh wiki on, then import the old pages again or something.

    You would still need to go through the database, uploaded files, config files, template files, etc

    It's not quite as simple as that if you also want to retain all the data and avoid inadvertently copying over malicious code, which might be what happened during the upgrade.

    #148 1 year ago
    Quoted from ForceFlow:

    I don't think that actually does anything. www or non-www doesn't seem to affect the malicious redirects. It might be based on the browser agent, referral, or cookie data, or some combination thereof.

As I've stated before, looking at the communication between client and server (being a web developer (NOT 'designer'), I have the tools), and no matter what page I hit, if the server name is "pinwiki.com", the HTML returned has a meta refresh pointing to a bad URL, and a <script> tag with a location.refresh to the malicious URL.

    Whereas the "www.pinwiki.com" does not. These are not cached, I'm looking at the raw data transfer using Wireshark.

Honestly, y'all can do what you want - use the wayback machine, whatever. I've offered help numerous times to them, and never heard back. For when I need it, I just add the 'www'. It's a much easier process for me than going to a DIFFERENT website (archive) and typing in the name of the site.

    #149 1 year ago
    Quoted from Coyote:

As I've stated before, looking at the communication between client and server (being a web developer (NOT 'designer'), I have the tools), and no matter what page I hit, if the server name is "pinwiki.com", the HTML returned has a meta refresh pointing to a bad URL, and a <script> tag with a location.refresh to the malicious URL.
    Whereas the "www.pinwiki.com" does not. These are not cached, I'm looking at the raw data transfer using Wireshark.

    Shhhh..... Speculation is always better than facts!

    For people that are offering to help, go ahead and set up an unofficial mirror. And be sure to strip out the malicious code as you do it.

    #150 1 year ago
    Quoted from slochar:

    Shhhh..... Speculation is always better than facts!
    For people that are offering to help, go ahead and set up an unofficial mirror. And be sure to strip out the malicious code as you do it.

    "You may not, except with express written permission, distribute or commercially exploit the PinWiki.com content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system." (from https://www.pinwiki.com/wiki/index.php?title=PinWiki:Copyrights)
