My custom hostname (Cloudflare for SaaS) returns "androxgh0st"? A malware?

curl -ii https://www.pagebrew.co/
HTTP/1.1 200 Connection established

HTTP/2 200
(headers...)

0x%5B%5D=androxgh0st%
3 Replies
Erisa (6mo ago)
What is it supposed to be returning? Based on that configuration, I would think that it would be invoking your worker.
mrbirddev (OP, 6mo ago)
Thank you @Erisa. If the CNAME from www.pagebrew.co to pagebrew.wolio.co actually works, it should return the following.
curl -ii https://pagebrew.wolio.co
HTTP/1.1 200 Connection established

HTTP/2 404

<html><body>R2 object "<b>pagebrew/index.html</b>" not found</body></html>
And right now the worker is not receiving logs if I curl https://www.pagebrew.co.
mrbirddev (OP, 6mo ago)
I just looked it up and it seems like "androxgh0st" is a PHP malware name? https://blogs.juniper.net/en-us/security/shielding-networks-against-androxgh0st
Kashinath T Pattan
Official Juniper Networks Blogs
Shielding Networks From Androxgh0st | Official Juniper Networks Blogs
AndroxGh0st is a Python-based malware designed to target Laravel applications. It works by scanning and taking out important information from .env files, revealing login details linked to AWS and Twilio. Classified as an SMTP cracker, it exploits SMTP using various strategies such as credential exploitation, web shell deployment and vulnerabilit...
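
A check for the symptom discussed in this thread, as an added example (not code from the thread, from Cloudflare, or from the linked blog): it parses `curl -i` output, skips the proxy's "Connection established" preamble, percent-decodes the body, and reports whether the hostname served the `androxgh0st` string or the content expected from the worker. The function names, the `expected_text` parameter and the sample `content-type` header are assumptions.

```python
from urllib.parse import unquote

MARKER = "androxgh0st"  # string seen in the response body quoted in this thread

def parse_curl_i(raw):
    """Return (status, body) of the final response in `curl -i` output."""
    blocks = raw.replace("\r\n", "\n").split("\n\n")
    status, i = None, 0
    # Every leading block that starts with a status line is a header block.
    # A proxy adds an extra one ("HTTP/1.1 200 Connection established"), so
    # keep the status of the last header block, not the first.
    while i < len(blocks) and blocks[i].startswith("HTTP/"):
        status = int(blocks[i].split()[1])
        i += 1
    return status, "\n\n".join(blocks[i:]).strip()

def classify(raw, expected_text):
    """Label a response as 'marker', 'expected' or 'unexpected'."""
    status, body = parse_curl_i(raw)
    decoded = unquote(body)  # "0x%5B%5D=..." becomes "0x[]=..."
    if MARKER in decoded.lower():
        verdict = "marker"
    elif expected_text in body:
        verdict = "expected"
    else:
        verdict = "unexpected"
    return {"status": status, "body": decoded, "verdict": verdict}

# Samples modelled on the two outputs in the thread; the content-type header
# is constructed, since the thread elides the real headers.
SAMPLE_CUSTOM_HOSTNAME = (
    "HTTP/1.1 200 Connection established\n\n"
    "HTTP/2 200\ncontent-type: text/plain\n\n"
    "0x%5B%5D=androxgh0st%"
)
SAMPLE_WORKER = (
    "HTTP/1.1 200 Connection established\n\n"
    "HTTP/2 404\n\n"
    '<html><body>R2 object "<b>pagebrew/index.html</b>" not found</body></html>\n'
)

if __name__ == "__main__":
    for name, raw in [("custom hostname", SAMPLE_CUSTOM_HOSTNAME),
                      ("worker", SAMPLE_WORKER)]:
        print(name, classify(raw, "R2 object"))
```

Run periodically against each custom hostname, a "marker" or "unexpected" verdict indicates the hostname is not reaching the intended worker.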