You're currently viewing posts by Pinsider pinball_ric.
Click here to go back to viewing the entire thread.
Quoted from radium:Just got malware on mobile.
Let me know if you need a hand fixing it. I do this stuff for a living.
I sent him a PM yesterday offering my help as well but I haven't heard back yet. While I don't specifically do malware remediation I am a DevOps/Systems Enginner (yes I know devops isn't really a job title but the industry has decided otherwise)
Yeah the infection is back full blown. I couldn't even load the page I was going to. Just forwarded me every time. I couldn't see anything in the console in chrome on where the forward was happening. I'm not very familiar with that console though. I'll poke around with some more advanced tools today.
Request:
Host: www.pinwiki.com
Response:
<html>
<script> window.location = "http://pinside.com"; </script>
To the new location please
</body>
I edited the URL's in the response so that I don't pollute pinside with malware links. From the looks of how this is being done either the infection is in the mediawiki code or perhaps within the webserver configuration. Additionally the fact that the infection seemed to slowly come back seems to indicate that perhaps there is a rootkit or other backdoor installed to allow access back to reinfect the site. I'm going to guess that the server was not nuked from orbit and data migrated. Really the best course of action when you're dealing with a known infection is to nuke it from orbit and start over.
GET /wiki/index.php?title=Williams_System_9_-_11 HTTP/1.1
Connection: close
DNT: 1
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.97 Safari/537.36
Sec-Fetch-User: ?1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
HTTP/1.1 200 OK
Date: Mon, 11 Nov 2019 15:51:14 GMT
Server: nginx/1.17.3
Content-Type: text/html; charset=UTF-8
Content-Length: 575
Vary: Accept-Encoding
X-Server-Cache: true
X-Proxy-Cache: HIT
<head>
<META http-equiv="refresh" content="1;URL=http://pinside.com">
</head>
<body>
<b>click here.</b>
</html>
</code
Multiple people have offered their assistance, myself included. That was over a week ago. I never heard back. He hasn't even shown up in the thread to acknowledge he's aware and working on it.
It is not dns poisoning or hijacking. The server sends a redirect based on some condition we don't know. Either the web server config is compromised or the wiki code is. But the fact it keeps happening the server is probably got a rootkit on it. Best thing to do is reinstall and restore the database.
Quoted from ForceFlow:From the sounds of it, it appears that Casey has been offline for about a month.
Just as an FYI, the domain expires on 4/21/2020.
It likely has auto renewal turned on. Guess I'll add a reminder to my calendar just in case though.
Quoted from ChrisHibler:kenlayton, that won't have a bit of impact. No one makes money from PinWiki. Or at least I don't think anyone does.
I'm as frustrated as everyone else. Except that I'm NEVER redirected.
Right now, the upload image link isn't available and that is preventing me from adding the content that I would about every week. As I learn/fix things, I take a picture and upload the experience. I haven't been able to do that for quite some time.
I'm retiring from Boeing in about 1 month.
I've talked with some other principle authors about what to do about it.
Web servers and mediawiki aren't in my skill set right now...but I'm considering it. Cost is a consideration. I have no idea what it would cost to host the PinWiki. And, I have to get in contact with Casey to figure out how to transfer the (probably massive) database that is behind the Wiki.
tacshose, robin, Who owns the intellectual content of the Wiki? This is always a sticky question. When we started the Wiki, there was a LOT of discussion about how the license should read. We did what we did. Maybe that was good. Maybe that wasn't the best. I was, and still am, principally concerned with content and not legalese or making profit from the Wiki.
There ya go...I hope to get this resolved soon. Patience...
--
Chris Hibler - CARGPB #31
http://ChrisHiblerPinball.com/contact
http://www.PinWiki.com - The Place to go for Pinball Repair Info
I found out yesterday that the startup I was working for is closing up shop so I am job hunting and don't have to do anything IT related for the foreseeable future. I wasn't really in the mood to basically come home and do more work that I just did all day long. Now that I don't have to do that though I'm going to dive in and come up with a solution. I don't know when I'll start but it'll likely be sometime this weekend. I have some things I have to take care of before that.
You're currently viewing posts by Pinsider pinball_ric.
Click here to go back to viewing the entire thread.
Wanna join the discussion? Please sign in to reply to this topic.
Great to see you're enjoying Pinside! Did you know Pinside is able to run without any 3rd-party banners or ads, thanks to the support from our visitors? Please consider a donation to Pinside and get anext to your username to show for it! Or better yet, subscribe to Pinside+!
This page was printed from https://pinside.com/pinball/forum/topic/pinwiki-1?tu=pinball_ric and we tried optimising it for printing. Some page elements may have been deliberately hidden.
Scan the QR code on the left to jump to the URL this document was printed from.
Cedar Park, TX