(Topic ID: 208300)

pinwiki - web hosting problem


By smiley

1 year ago



Topic Stats

  • 119 posts
  • 46 Pinsiders participating
  • Latest reply 1 day ago by pinball_ric
  • Topic is favorited by 8 Pinsiders


    There are 119 posts in this topic. You are on page 3 of 3.
    #101 6 days ago
    Quoted from PinWiz2180:

    Durzel, I was able to replicate based on your info you gave me earlier. I'm working on a few things related to it now.

    For what it's worth, you may well have already fixed it, as I haven't been able to reproduce it again with several browsers. I also ran it through some malware scanners without problems.

    It could of course be dormant at the moment; the base64 point mentioned above is a good one. If it were me I'd be upgrading the wiki software to the latest version and running a file contents comparison against a known good directory tree.

    #102 6 days ago
    Quoted from ForceFlow:

    Try searching the php files for base64_encode() and base64_decode() functions. The last time I looked at an infected site, that's what was used to compact the malicious code and hide it with a similar browser agent detect function.
    [edit]: https://blog.resellerspanel.com/latest-news/how-to-quickly-fix-base64-infected-website.html

    Ooh, good find!
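    A defender-side script covering the two suggestions above (hashing the live tree against a known-good copy, and searching PHP files for base64_decode and similar calls). This is an added example, not code from the thread or from MediaWiki; the file paths and sample contents built in demo() are constructed.

```python
"""Diff a live MediaWiki (PHP) tree against a known-good copy and flag files that
use obfuscation calls. Added example; sample trees built in demo() are constructed."""
import hashlib, os, re, tempfile

# Calls typically seen in base64-packed injections (assumed watch list).
SUSPICIOUS = re.compile(r"\b(base64_decode|base64_encode|gzinflate|eval)\s*\(", re.IGNORECASE)

def suspicious_calls(source: str) -> list[str]:
    """Names of watch-listed calls present in a PHP source string."""
    return sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(source)})

def hash_tree(root: str) -> dict[str, str]:
    """Map each file's path relative to root to the SHA-256 of its contents."""
    hashes = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                hashes[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return hashes

def compare_trees(good_root: str, live_root: str) -> dict[str, list[str]]:
    """Files modified/added vs. the known-good tree, plus any live PHP file with watch-listed calls."""
    good, live = hash_tree(good_root), hash_tree(live_root)
    report = {"modified": [], "added": [], "flagged": []}
    for rel, digest in live.items():
        if rel not in good:
            report["added"].append(rel)
        elif good[rel] != digest:
            report["modified"].append(rel)
        if rel.endswith(".php"):  # scan unchanged files too: a clean hash list may itself be stale
            with open(os.path.join(live_root, rel), encoding="utf-8", errors="replace") as fh:
                if suspicious_calls(fh.read()):
                    report["flagged"].append(rel)
    return {key: sorted(paths) for key, paths in report.items()}

def demo() -> dict[str, list[str]]:
    """Constructed sample: one edited core file and one dropped-in PHP file under images/."""
    base = tempfile.mkdtemp()
    sample = {
        "good/index.php": "<?php require 'includes/Setup.php'; ?>",
        "good/includes/Setup.php": "<?php $wgSitename = 'PinWiki'; ?>",
        "live/index.php": "<?php require 'includes/Setup.php'; ?>",
        "live/includes/Setup.php": "<?php eval(base64_decode('ZWNobyAxOw==')); $wgSitename = 'PinWiki'; ?>",
        "live/images/.cache.php": "<?php echo gzinflate(base64_decode('H4sIAA==')); ?>",
    }
    for rel, text in sample.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(text)
    return compare_trees(os.path.join(base, "good"), os.path.join(base, "live"))
```

    Run it against a fresh MediaWiki download of the same version as the known-good tree; LocalSettings.php and the images/ directory will always differ and have to be reviewed by hand.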

    #103 6 days ago
    Quoted from Durzel:

    What video? I haven’t posted a video...

    Sorry, sorry, I wasn't paying attention to the right post. Sorry.

    #104 6 days ago

    I think it may be squashed. No redirects here and I always get them.

    #105 4 days ago

    I *think* we have this squashed. Took a LOT of time reviewing files to make sure nothing malicious was left over. I can't find anything else lingering, and can't cause it to happen anymore. If anyone has it happen again, let me know immediately. Beefed up some security items while I was at it. Things seem to be back on track and running smoothly. Appreciate the help from all. Especially on this one, as like I've said I struggled to replicate the problem for some reason on my daily setup, so getting detailed info from some of you guys helped me to SEE the problem.

    #106 3 days ago

    I just got hit. Safari, iPhone SE.

    #107 3 days ago

    Every time I go to this
    pinwiki.com › wiki › title=Bally › Stern_Electronics_Repair_Guides
    it takes me to this
    http://app6861.smmhck52.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd&f=1

    I have to left click on the arrow to go to cached to open.
    It's been doing it for the past few days that I know about. Most other pages seem fine; it's just the Bally/Stern part.

    #108 3 days ago

    I am being redirected on mobile only right now.

    Desktop (windows 10, Chrome browser) is going straight to the wiki if I use pinwiki.com or www.pinwiki.com

    Mobile (Android 9, Chrome browser) is being redirected to the http://app6861.smmhck52.live link. It is redirecting both www.pinwiki.com and pinwiki.com.

    #109 3 days ago

    Yep, it was fixed for a bit, but now I'm getting redirected again

    #110 3 days ago

    Pinwiki.com Works for me, iPad using safari.

    #111 3 days ago

    I'm running OSX 10.13.6, and it appears to be working ok in Safari, but when I try to open the site in Firefox, I am getting redirected. This is even after I have cleared my cache.

    #112 3 days ago

    Windows 10, Firefox latest, redirected to a scam site :-/
    But it works fine with IE11.

    #113 3 days ago
    Quoted from hocuslocus:

    Every time I go to this
    pinwiki.com › wiki › title=Bally › Stern_Electronics_Repair_Guides
    it takes me to this
    http://app6861.smmhck52.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd&f=1
    I have to left click on the arrow to go to cached to open.
    It's been doing it for the past few days that I know about. Most other pages seem fine; it's just the Bally/Stern part.

    Same... I was ok, until I clicked https://www.pinwiki.com/wiki/index.php?title=Bally/Stern while navigating from the main page...

    Looking at the payload... this is certainly all server side. My clean HTTP request

    GET /wiki/index.php?title=Bally/Stern HTTP/1.1

    returned a body with

    <META http-equiv="refresh" content="1;URL=http://apps4509.nonamesrv97.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd">
    <script>
    window.location = "http://apps4509.nonamesrv97.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd";
    </script>
    </head>

    So it has to be something in the server or php code. There isn't any malicious js being fed to the client to change the requests/etc.

    #114 2 days ago

    Just got malware on mobile.

    Let me know if you need a hand fixing it. I do this stuff for a living.

    #115 2 days ago
    Quoted from radium:

    Just got malware on mobile.
    Let me know if you need a hand fixing it. I do this stuff for a living.

    I sent him a PM yesterday offering my help as well but I haven't heard back yet. While I don't specifically do malware remediation I am a DevOps/Systems Engineer (yes I know devops isn't really a job title but the industry has decided otherwise).

    #116 2 days ago

    yep, pinwiki is still down.

    #117 1 day ago

    Yup I just hit it going to the homepage.

    #118 1 day ago

    Yeah the infection is back full blown. I couldn't even load the page I was going to. Just forwarded me every time. I couldn't see anything in the console in chrome on where the forward was happening. I'm not very familiar with that console though. I'll poke around with some more advanced tools today.

    #119 1 day ago

    Request:


    GET /wiki/index.php?title=Williams_System_9_-_11 HTTP/1.1

    Host: www.pinwiki.com
    Connection: close
    DNT: 1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
    Sec-Fetch-User: ?1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9

    Response:


    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2019 15:51:14 GMT
    Server: nginx/1.17.3
    Content-Type: text/html; charset=UTF-8
    Content-Length: 575
    Vary: Accept-Encoding
    X-Server-Cache: true
    X-Proxy-Cache: HIT

    <html>
    <head>
    <META http-equiv="refresh" content="1;URL=http://pinside.com">

    <script>

    window.location = "http://pinside.com";

    </script>
    </head>
    <body>

    To the new location please
    <b>click here.</b>

    </body>
    </html>

    I edited the URLs in the response so that I don't pollute Pinside with malware links. From the looks of how this is being done, either the infection is in the MediaWiki code or perhaps within the webserver configuration.

    Additionally the fact that the infection seemed to slowly come back seems to indicate that perhaps there is a rootkit or other backdoor installed to allow access back to reinfect the site. I'm going to guess that the server was not nuked from orbit and data migrated. Really the best course of action when you're dealing with a known infection is to nuke it from orbit and start over.
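    A check for the server-side payload shown in #113 and #119, added here as an example rather than taken from the thread: it parses a raw response, lists meta-refresh and window.location targets that point off-site, and reports the X-Proxy-Cache status, because a HIT means a poisoned copy can keep being served from the proxy cache after the origin files are cleaned. The hostnames in the sample responses are placeholders.

```python
"""Parse a raw HTTP response like the one posted above and flag client-side
redirects (meta refresh / window.location) that leave the site, noting whether
the reverse proxy served the page from cache. Added example, not the thread's
code; the sample responses below are constructed with placeholder hosts."""
import re
from urllib.parse import urlparse

META_REFRESH = re.compile(
    r'<meta\s+http-equiv=["\']refresh["\']\s+content=["\']\s*\d+\s*;\s*url=([^"\'>]+)',
    re.IGNORECASE)
JS_LOCATION = re.compile(r'window\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']')

def parse_response(raw: str) -> tuple[dict[str, str], str]:
    """Split a raw HTTP/1.1 response into a lower-cased header dict and its body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def redirect_targets(body: str) -> list[str]:
    """Every URL the page would send the browser to without user interaction."""
    return META_REFRESH.findall(body) + JS_LOCATION.findall(body)

def check_response(raw: str, own_hosts: set[str]) -> dict:
    """Flag redirects to hosts outside own_hosts; report cache status so a
    poisoned copy served from the proxy is not mistaken for a clean origin."""
    headers, body = parse_response(raw)
    offsite = [u for u in redirect_targets(body)
               if urlparse(u).hostname not in own_hosts]
    return {"offsite_redirects": offsite,
            "from_proxy_cache": headers.get("x-proxy-cache", "").upper() == "HIT"}

# Constructed sample shaped like the posted response, with a placeholder host.
INFECTED = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.17.3\r\nContent-Type: text/html; charset=UTF-8\r\n"
    "X-Proxy-Cache: HIT\r\n\r\n"
    '<html><head><META http-equiv="refresh" content="1;URL=http://redirector.example/?t=1">\n'
    '<script>window.location = "http://redirector.example/?t=1";</script></head>\n'
    "<body>To the new location please <b>click here.</b></body></html>\n")
CLEAN = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\nX-Proxy-Cache: MISS\r\n\r\n"
    '<html><head><title>Williams System 9 - 11 - PinWiki</title></head><body></body></html>\n')

if __name__ == "__main__":
    print(check_response(INFECTED, {"pinwiki.com", "www.pinwiki.com"}))
    print(check_response(CLEAN, {"pinwiki.com", "www.pinwiki.com"}))
```

    Because the thread shows the redirect appearing only for some browsers, the same check should be repeated with several User-Agent values (mobile and desktop) and with a cache-busting query string, comparing proxy and origin answers.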
