[FX.php List] [Off?] Monkey business?
Troy Meyers
tcmeyers at troymeyers.com
Mon Oct 27 17:58:43 MDT 2008
I've been noticing in my web log that there have been quite a few GET requests which I'm guessing are in the form of:
http://mysite.com?http://www.cship.info/azenv.php
or possibly:
http://mysite.com/?http://www.cship.info/azenv.php
The "mysite.com" part is actually lab.troymeyers.com but I didn't want to encourage people to compound my problem by building a URL they could click on.
I'm not really sure that's really what's being sent, but here are all the different flavors of Apache log entry:
221.192.199.36 - - [01/Oct/2008:20:31:40 -0700] "GET http://sevy.eu.org/azenv.php HTTP/1.1" 302 213
221.192.199.36 - - [01/Oct/2008:22:14:58 -0700] "GET http://www.internetsec.org/azenv.php HTTP/1.1" 302 221
221.192.199.36 - - [04/Oct/2008:16:12:44 -0700] "GET http://scifi.pages.at/myproxies/azenv.php HTTP/1.1" 302 226
221.192.199.36 - - [13/Oct/2008:03:47:00 -0700] "GET http://www.cship.info/azenv.php HTTP/1.1" 302 216
There are actually 57 of them, and yes, they are all from the same IP address 221.192.199.36 and they all mention a filename azenv.php, though in different domains and directories... and if you go to the address specified in any of them (try it), there's a real PHP file that just displays some basic server/client info.
Does anyone have any idea if this is a (failed?) attempt at hacking our site, or is it just a goof, or something else?
-Troy
More information about the FX.php_List
mailing list