azenv.php in error logs? causing white screen of death?

  • I have been getting, off and on, the white screen of death since the first week of July 08. It always happens when I go in and edit a post. I have the problem where somehow an extra carriage return at the bottom of my wp-config file is the culprit. Replacing the wp-config file usually correct the problem. Today, after this started happening, I checked my apache error logs and see this-

    [Tue Jul 22 06:48:30 2008] [error] [client 60.172.219.2] File does not exist: /home/southern/public_html/azenv.php
[Tue Jul 22 06:48:32 2008] [error] [client 60.172.219.2] File does not exist: /usr/local/apache/htdocs/AZenv/azenv.php
[Tue Jul 22 06:48:47 2008] [error] [client 60.172.219.2] File does not exist: /usr/local/apache/htdocs/AZenv/azenv.php
[Tue Jul 22 06:48:49 2008] [error] [client 60.172.219.2] File does not exist: /usr/local/apache/htdocs/AZenv/azenv.php

    What the heck is that? I did a search on the file name and it looks like it’s some sort of proxy program, but I don’t think I have any plug-ins or whatever using it. Could this be the culprit? What’s going on?

Viewing 6 replies - 1 through 6 (of 6 total)

  • I noticed a similar thing showing up in my website’s stats in the ‘click paths’:

    /myproxies/azenv.php which from the root of my site does not exist.

    Yahoo says azenv.php is ‘A list of environment checkers and ProxyJudges, especially prxjdg and azenv scripts’

    When I googled ‘myproxies/azenv.php’ I kept get results pages that showed me other people’s website stats when I clicked on them! Not sure if these were intentionally posted or not, I know that my own stats require a username/password.

    Not sure if this any help whatsoever but it is kind of odd.

    Also, maybe not relevant to your situation but in the case of /myproxies/azenv.php (i assume azenv means a to z envelope?) I kept seeing htp://scifi.pages.at/myproxies/azenv.php (I took out a t from http to break the link) which links to a German site that has a php script on it.

    I have something similar in my logs. I was hoping maybe you found more info on it …

    $ sudo cat /var/log/apache2/access.log

    60.172.219.6 – – [17/Sep/2008:02:47:35 +0000] “GET https://gooearth.de/proxypower/special/azenv.php HTTP/1.1” 404 302 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
    60.172.219.6 – – [17/Sep/2008:02:49:33 +0000] “GET https://gooearth.de/proxypower/special/azenv.php HTTP/1.1” 404 302 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”
    60.172.219.6 – – [17/Sep/2008:07:14:49 +0000] “GET https://www.anonymitytest.com/cgi-bin/textenv.pl HTTP/1.1” 404 302 “-” “Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)”

    $ sudo cat /var/log/apache2/error.log

    [Wed Sep 17 02:47:35 2008] [error] [client 60.172.219.6] File does not exist: /var/www/proxypower
    [Wed Sep 17 02:49:33 2008] [error] [client 60.172.219.6] File does not exist: /var/www/proxypower
    [Wed Sep 17 07:14:49 2008] [error] [client 60.172.219.6] script not found or unable to stat: /usr/lib/cgi-bin/textenv.pl

    I am really just curious what this is, I’m not worried about it yet because of the error logs …

    I think I used the wrong box for that …. oh well

    This is what I get

    [Mon Oct 06 12:18:54 2008] [error] [client 221.192.199.x] ModSecurity: Access denied with code 400 (phase 2). Pattern match “^\\w+:/” at REQUEST_URI_RAW. [f
    ile “/etc/httpd/modsecurity.d/modsecurity_crs_20_protocol_violations.conf”] [line “74”] [id “960014”] [msg “Proxy access attempt”] [severity “CRITICAL”] [tag
    “PROTOCOL_VIOLATION/PROXY_ACCESS”] [hostname “scifi.pages.at”] [uri “/myproxies/azenv.php”] [unique_id “jc2AtEWiTgsAADUuY6UAAAAG”]

    this is nothing to do with a problem in wordpress, this is a bunch of bots run by jerks looking to see if your server is running an open proxy they can use to attack people with.

    If you didnt post your server as a proxy to some sort of service or board or something, there are only two reasons someone would scan the internet for new proxies, one is if theyre trying to get around government censorship like in China, or if they want the operators of the servers theyre going to attack to think it was you.

    Thanks for the input/discussion. I was seeing this in my blog stats as well. I found a good reference on this subject here:

    https://www.proxy4free.info/proxyjudge.html

    @green_three_delta: “azenv” stands for “AZ Environment Variables,” and is one of several free “proxy judge” applications available. Basically all this application does is tell the user (the person who visited your site) if their IP is safely hidden.

    In nearly all cases, the IP address points to China, so as redscourge suggested, I am going to assume (hope!) they are ordinary people trying to circumvent government censorship. But if you see other IP sources, or lots of activity, or suspicious activity, it could be someone attacking or preparing to attack your site, or otherwise hack it.

Viewing 6 replies - 1 through 6 (of 6 total)
  • The topic ‘azenv.php in error logs? causing white screen of death?’ is closed to new replies.