(Topic ID: 208300)

pinwiki - web hosting problem

By smiley

6 years ago



    You're currently viewing posts by Pinsider durzel.

    #84 4 years ago

    It's been like this for a while, at least a year, but had previously been set up so that it would redirect randomly (or targeted), but if you revisited the URL it would show you the correct page. I kept forgetting to report it after getting lost in whatever I went there to read in the first place, but I knew it wasn't anything wrong with my browser.

    Now the malware is just going balls out and redirecting everyone.

    You'd be better off taking the website offline while you fix it in my opinion, or at least making it inaccessible without a password or whatever. Google will start penalising your rankings if it hasn't already.

    #86 4 years ago

    I was when I posted three hours ago. I just tried it again now and it appears to work, at least for the page I was trying to go to originally - https://www.pinwiki.com/wiki/index.php?title=Williams_WPC

    Scratch that, it's still redirecting.

    #88 4 years ago

    Yeah it's still redirecting for me. Think I just had a one off where the malware which is obviously in total control of the website allowed me to view the page I actually wanted to see.

    Tried it in a private browser window (so no cache) with the same results.

    #94 4 years ago

    As mentioned before there is clearly some code involved that is checking the browser user-agent to avoid showing the malware code all of the time. It could also be redirecting at certain times of the day and/or a certain number of times before going dormant for a while, etc.

    I have alternately been able to access the wiki and at other times been redirected every time.

    The problem is - if the malware is deeply embedded in the PHP code then it will be deciding when to show itself and when not to, so a scan of the HTML source code might not necessarily reveal anything.

    You would need to do some analysis of the actual files on the server to ascertain what has been changed, etc from the default wiki files.

    #96 4 years ago

    I’m not the only person this is happening to.

    I know it’s got nothing to do with www vs non-www. The video above shows it happening going via a Google link (which is www).

    I also have a video of me using incognito mode (so no cache, no cookies) and the same thing happening.

    It’s got nothing to do with DNS, unless the guy's DNS has been hacked and is pointing somewhere completely different, it’s compromised website code that does a META refresh on load.

    The above said, it hasn’t done it the last few times I’ve tried it, but it also worked for a while earlier too.

    #99 4 years ago
    Quoted from Coyote:

    Have to politely disagree, @durzel - in your video, under the link you click? It PLAINLY reads "pinwiki.com", not "www.pinwiki.com".

    What video? I haven’t posted a video...

    I have a video on my work computer of me opening an incognito browser, typing in (well, copy and pasting) https://www.pinwiki.com/wiki/index.php?title=General#General_Illumination, landing on the page and immediately getting redirected to a dodgy website which my work malware scanner blocks, similar to the video above that goes via a Google search.

    Don’t really know what to tell you tbh, I know how this stuff works as I do it for a living.

    Notwithstanding any of that, www or lack thereof makes no difference whatsoever since it’s not a DNS level hijack, it’s a meta refresh on the website. https://pinwiki.com 301 (permanent) redirects to https://www.pinwiki.com in any event.

    #101 4 years ago
    Quoted from PinWiz2180:

    Durzel, I was able to replicate based on your info you gave me earlier. I'm working on a few things related to it now.

    For what it’s worth you may well have already fixed it as I haven’t been able to reproduce it again with several browsers. I also ran it through some malware scanners too without problems.

    It could of course be dormant at the moment, the base64 point mentioned above is a good one. If it were me I’d be upgrading the wiki software to latest and running a file contents comparison against a known good directory tree.

    #117 4 years ago

    Yup I just hit it going to the homepage.

    1 month later
    #159 4 years ago

    People with IT skills have offered to help, for free, but there doesn’t appear to be any real impetus to get it fixed. A shame really.

    #168 4 years ago

    It could easily be code buried in the wiki itself (the database). Just checking the website files won’t be enough.

    As has been said before this stuff is clever enough not to present itself the same way every time, so people start thinking that esoteric stuff (user agents, www vs non-www, etc) solves it, when all it does is complicate diagnosis.

    #190 4 years ago

    It’s been said before but these things are specifically written to go dormant, hide themselves from certain entities, and behave in what might appear erratically to frustrate debugging and full removal.

    People end up coming up with all kinds of well intentioned nonsense (no offence) like saying it’s fixed if you visit the website “without www” or typing pinwiki.com in at no faster than 1 character per second etc.

    In reality once a website has been owned you can’t really trust any of the code. It needs to be forensically examined and compared against known good code. The compromise could exist in the website files, the database or even the server itself, or all three. The code could be written in such a way that it can reinfect the system if it detects it has been partially removed. Once a system is tainted it can be hard to safely restore confidence without rebuilding from scratch.
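
Added example, not part of durzel's posts or of the wiki's own code: the file comparison against a known-good directory tree suggested in posts #94, #101 and #190, in Python. It assumes a pristine copy of the same wiki release is unpacked next to a copy of the deployed files; the function names and the marker list are choices made for this example.

```python
import hashlib
import re
import sys
from pathlib import Path

# Assumed marker list: patterns worth a manual look in files that differ from
# the baseline. A hit is a lead for review, not proof; clean code uses these too.
MARKERS = {
    "base64_decode": re.compile(rb"base64_decode\s*\("),
    "eval": re.compile(rb"\beval\s*\("),
    "gzinflate": re.compile(rb"gzinflate\s*\("),
    "meta-refresh": re.compile(rb"http-equiv\s*=\s*[\"']?refresh", re.IGNORECASE),
}

def hash_tree(root):
    """Map each file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }

def compare_trees(known_good, deployed):
    """Diff a deployed web root against a pristine copy of the same release."""
    good, live = hash_tree(known_good), hash_tree(deployed)
    report = {
        "modified": sorted(f for f in good.keys() & live.keys() if good[f] != live[f]),
        "added": sorted(live.keys() - good.keys()),      # files upstream never shipped
        "missing": sorted(good.keys() - live.keys()),    # files deleted or renamed
        "flagged": {},
    }
    # Scan only what differs: unchanged files are byte-identical to upstream.
    for rel in report["modified"] + report["added"]:
        data = (Path(deployed) / rel).read_bytes()
        hits = [name for name, rx in MARKERS.items() if rx.search(data)]
        if hits:
            report["flagged"][rel] = hits
    return report

if __name__ == "__main__":
    # Usage: python compare_trees.py <known-good-dir> <deployed-copy-dir>
    result = compare_trees(sys.argv[1], sys.argv[2])
    for kind in ("modified", "added", "missing"):
        for rel in result[kind]:
            print(f"{kind:<9}{rel}")
    for rel, hits in result["flagged"].items():
        print(f"flagged  {rel}: {', '.join(hits)}")
```

Legitimate local files (site configuration, uploads, installed extensions) will show up as added or modified and have to be reviewed by hand. A clean result covers the files only; as post #168 says, the database needs its own check.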

    3 weeks later
    #200 4 years ago

    The links on Google show as a "www.pinwiki.com" link at the bottom, but they're actually a Google link that ultimately takes you there - that's how Google tracks clickthroughs, etc. These redirect pretty reliably to a dodgy website.

    I just went to www.pinwiki.com directly (typing that in) and DIDN'T get redirected, but when I tried to find an article I'd already searched for on Google - but I can't click the link because it'll take me to a dodgy website - I get this instead:

    Fatal error: Namespace declaration statement has to be the very first statement or after any declare call in the script in /home4/pinwiki/public_html/wiki/includes/widget/search/DidYouMeanWidget.php on line 3

    ..so even the search isn't working properly, so I have no idea how I'm supposed to find the page I need.

    I'm honestly staggered as to why there seems to be no desire or impetus to get this sorted out. Plenty of people have offered their services for gratis. Pinwiki is a great resource but it is rapidly losing credibility the longer this goes on.
