[FX.php List] [Off?] Monkey business?

Troy Meyers tcmeyers at troymeyers.com
Mon Oct 27 17:58:43 MDT 2008


I've been noticing in my web log that there have been quite a few GET requests which I'm guessing are in the form of:

http://mysite.com?http://www.cship.info/azenv.php
or possibly:
http://mysite.com/?http://www.cship.info/azenv.php

The "mysite.com" part is actually lab.troymeyers.com but I didn't want to encourage people to compound my problem by building a URL they could click on.

I'm not really sure that's really what's being sent, but here are all the different flavors of Apache log entry:

221.192.199.36 - - [01/Oct/2008:20:31:40 -0700] "GET http://sevy.eu.org/azenv.php HTTP/1.1" 302 213

221.192.199.36 - - [01/Oct/2008:22:14:58 -0700] "GET http://www.internetsec.org/azenv.php HTTP/1.1" 302 221

221.192.199.36 - - [04/Oct/2008:16:12:44 -0700] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 302 226

221.192.199.36 - - [13/Oct/2008:03:47:00 -0700] "GET http://www.cship.info/azenv.php HTTP/1.1" 302 216

There are actually 57 of them, and yes, they are all from the same IP address 221.192.199.36 and they all mention a filename azenv.php, though in different domains and directories... and if you go to the address specified in any of them (try it), there's a real PHP file that just displays some basic server/client info.

Does anyone have any idea if this is a (failed?) attempt at hacking our site, or is it just a goof, or something else?

-Troy
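
Added example, not part of the original post: the request lines quoted above carry a full URL as the request target (the absolute form a client sends to an HTTP proxy) rather than a path on this site. The Python sketch below pulls such entries out of an Apache common-format log and groups them by client address; the OWN_HOSTS set and the last sample line are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: the four entries quoted in the post, plus one ordinary
# request (last line, made up for contrast).
SAMPLE_LOG = """\
221.192.199.36 - - [01/Oct/2008:20:31:40 -0700] "GET http://sevy.eu.org/azenv.php HTTP/1.1" 302 213
221.192.199.36 - - [01/Oct/2008:22:14:58 -0700] "GET http://www.internetsec.org/azenv.php HTTP/1.1" 302 221
221.192.199.36 - - [04/Oct/2008:16:12:44 -0700] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 302 226
221.192.199.36 - - [13/Oct/2008:03:47:00 -0700] "GET http://www.cship.info/azenv.php HTTP/1.1" 302 216
192.0.2.10 - - [13/Oct/2008:03:50:12 -0700] "GET /index.php HTTP/1.1" 200 5120
"""

# Assumption: the host names this server legitimately answers for.
OWN_HOSTS = {"lab.troymeyers.com"}

# Apache common log format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)$'
)

def foreign_absolute_requests(log_text, own_hosts=OWN_HOSTS):
    """Map client IP -> [(time, foreign_host, status)] for requests whose
    target is an absolute URL naming a host that is not one of ours."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = CLF.match(line.strip())
        if not m:
            continue  # blank or malformed line
        target = m["target"]
        if target.startswith("/") or target == "*":
            continue  # ordinary origin-form (or asterisk-form) request
        parts = urlsplit(target)
        host = (parts.hostname or "").lower()
        if parts.scheme in ("http", "https") and host and host not in own_hosts:
            hits[m["ip"]].append((m["time"], host, int(m["status"])))
    return dict(hits)

if __name__ == "__main__":
    for ip, rows in foreign_absolute_requests(SAMPLE_LOG).items():
        print(f"{ip}: {len(rows)} absolute-URL requests for foreign hosts")
        for when, host, status in rows:
            print(f"  {when}  {host}  -> {status}")
```

The status column is kept in the output because it shows how the server answered each such request; every entry quoted in the post was answered with a 302.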



