Request:
GET /wiki/index.php?title=Williams_System_9_-_11 HTTP/1.1
Host: www.pinwiki.com
Connection: close
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Response:
HTTP/1.1 200 OK
Date: Mon, 11 Nov 2019 15:51:14 GMT
Server: nginx/1.17.3
Content-Type: text/html; charset=UTF-8
Content-Length: 575
Vary: Accept-Encoding
X-Server-Cache: true
X-Proxy-Cache: HIT
<html>
<head>
<META http-equiv="refresh" content="1;URL=http://pinside.com">
<script>
window.location = "http://pinside.com";
</script>
</head>
<body>
To the new location please
<b>click here.</b>
</body>
</html>
I edited the URLs in the response so that I don't pollute pinside with malware links. From the looks of how this is being done, either the infection is in the MediaWiki code or perhaps within the webserver configuration.
Additionally, the fact that the infection seemed to slowly come back seems to indicate that perhaps there is a rootkit or other backdoor installed to allow access back to reinfect the site. I'm going to guess that the server was not nuked from orbit and the data migrated. Really, the best course of action when you're dealing with a known infection is to nuke it from orbit and start over.
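A check for the redirect pattern shown in the capture above, added here as an example (it is not code from the post, from pinwiki or from MediaWiki): it splits a raw HTTP response into status, headers and body, pulls out meta-refresh and JavaScript location redirects, and flags a 200 response whose body only exists to bounce the visitor to another domain. The two sample responses are constructed (the infected one is the capture above with the poster's pinside.com substitution), and the function names, the same-site rule and the use of X-Proxy-Cache as a "served from cache" signal are this example's own choices.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the captured response from the post above, with the
# redirect targets already rewritten to pinside.com as the poster did.
INFECTED_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 11 Nov 2019 15:51:14 GMT
Server: nginx/1.17.3
Content-Type: text/html; charset=UTF-8
Content-Length: 575
Vary: Accept-Encoding
X-Server-Cache: true
X-Proxy-Cache: HIT

<html>
<head>
<META http-equiv="refresh" content="1;URL=http://pinside.com">
<script>
window.location = "http://pinside.com";
</script>
</head>
<body>
To the new location please
<b>click here.</b>
</body>
</html>
"""

# Constructed sample of a clean page: a same-site JS redirect is benign.
CLEAN_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Proxy-Cache: MISS

<html><head><script>
window.location = "/wiki/index.php?title=Main_Page";
</script></head><body>Williams System 9 - 11</body></html>
"""

META_REFRESH = re.compile(
    r'<meta[^>]*http-equiv\s*=\s*["\']?refresh["\']?[^>]*content\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE)
JS_LOCATION = re.compile(
    r'(?:window\.|document\.|top\.|self\.)?location(?:\.href)?\s*=\s*["\']([^"\']+)["\']',
    re.IGNORECASE)


def split_response(raw):
    """Split a raw HTTP/1.1 response into (status_code, headers, body)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    lines = head.splitlines()
    status_code = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status_code, headers, body


def redirect_targets(body):
    """Return (mechanism, url) for each client-side redirect found in the HTML."""
    targets = []
    for content in META_REFRESH.findall(body):
        m = re.search(r"url\s*=\s*(\S+)", content, re.IGNORECASE)
        if m:
            targets.append(("meta-refresh", m.group(1).strip("'\"")))
    for url in JS_LOCATION.findall(body):
        targets.append(("javascript", url))
    return targets


def same_site(host, site_host):
    """Crude same-site test (no public-suffix list, an assumption of this
    example): strip a leading www. from both names, then accept equality
    or a subdomain of the site."""
    host = host.lower()
    site = site_host.lower()
    host = host[4:] if host.startswith("www.") else host
    site = site[4:] if site.startswith("www.") else site
    return host == site or host.endswith("." + site)


def analyse(raw, site_host):
    """Flag a 200 response that bounces the visitor to another domain."""
    status_code, headers, body = split_response(raw)
    offsite = []
    for mechanism, url in redirect_targets(body):
        host = urlsplit(url).hostname
        if host is None:          # relative target stays on the site
            continue
        if not same_site(host, site_host):
            offsite.append({"mechanism": mechanism, "url": url, "host": host.lower()})
    return {
        "status_code": status_code,
        # A cache HIT means the proxy handed out the injected page from its
        # cache, so purging that cache is part of any cleanup.
        "served_from_cache": headers.get("x-proxy-cache", "").upper() == "HIT",
        "offsite_redirects": offsite,
        # A genuine redirect answers with a 3xx status; a 200 page whose only
        # job is to send the browser elsewhere is the injected-redirect pattern.
        "suspicious": status_code == 200 and bool(offsite),
    }


if __name__ == "__main__":
    for name, raw in (("infected", INFECTED_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(name, analyse(raw, "www.pinwiki.com"))
```

Running it against the captured response reports two off-site redirects (meta-refresh and JavaScript) on a 200 status served from the proxy cache, which is the combination to look for when sweeping the rest of the wiki's pages; the clean sample, whose only redirect is a relative one, is not flagged.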