GET /wiki/index.php?title=Williams_System_9_-_11 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Accept-Encoding: gzip, deflate
HTTP/1.1 200 OK
Date: Mon, 11 Nov 2019 15:51:14 GMT
Content-Type: text/html; charset=UTF-8
<META http-equiv="refresh" content="1;URL=http://pinside.com">
window.location = "http://pinside.com";
To the new location please
I edited the URLs in the response so that I don't pollute Pinside with malware links. From the looks of how this is being done, either the infection is in the MediaWiki code or perhaps within the webserver configuration.
Additionally, the fact that the infection seemed to slowly come back seems to indicate that perhaps there is a rootkit or other backdoor installed to allow access back to reinfect the site. I'm going to guess that the server was not nuked from orbit and data migrated. Really the best course of action when you're dealing with a known infection is to nuke it from orbit and start over.
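Added example, not part of the original post: a small Python check that flags the two redirect mechanisms visible in the captured response (a META refresh and a `window.location` assignment) when they point away from the site's own host. The host names `wiki.example` and `redirect-target.example` and the sample body are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the response body quoted in the post.
SAMPLE_BODY = """<META http-equiv="refresh" content="1;URL=http://redirect-target.example/">
<script>window.location = "http://redirect-target.example/";</script>
To the new location please"""

# URL part of a meta refresh "content" value, e.g. 1;URL=http://host/
META_URL = re.compile(r"url\s*=\s*[\"']?([^\"';\s]+)", re.I)
# Assignments such as window.location = "..." or location.href = '...'
JS_REDIRECT = re.compile(
    r"(?:window\.|document\.)?location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']", re.I)

class RedirectFinder(HTMLParser):
    """Collects (mechanism, url) pairs for client-side redirects in a page."""
    def __init__(self):
        super().__init__()
        self.targets = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = META_URL.search(a.get("content", ""))
            if m:
                self.targets.append(("meta-refresh", m.group(1)))

    def handle_data(self, data):
        # Script bodies and stray text both arrive here.
        for m in JS_REDIRECT.finditer(data):
            self.targets.append(("js-location", m.group(1)))

def offsite_redirects(body, expected_host):
    """Return redirects whose target host is not expected_host or a subdomain."""
    finder = RedirectFinder()
    finder.feed(body)
    finder.close()
    expected = expected_host.lower()
    hits = []
    for kind, url in finder.targets:
        host = (urlparse(url).hostname or "").lower()
        # Relative URLs have no host and stay on the site, so skip them.
        if host and host != expected and not host.endswith("." + expected):
            hits.append((kind, url))
    return hits

if __name__ == "__main__":
    for kind, url in offsite_redirects(SAMPLE_BODY, "wiki.example"):
        print(f"off-site redirect via {kind}: {url}")
```

Running it against pages fetched with different User-Agent strings, and again after a cleanup, shows whether the injection is conditional and whether it has come back.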