Introduction

This writeup summarizes a review of a one-day web access log for superiorschedule.com, addressed to management and the board. The goal was to determine whether the site shows signs of an AndroxGh0st compromise and, more broadly, whether the site is being actively probed.

AndroxGh0st is a Python-based malware family documented as targeting exposed .env files. Public reporting links it to exploitation activity against Laravel, PHPUnit, and Apache-related paths — typically with the goal of stealing credentials or dropping web shells.

Question being answered: Is superiorschedule.com being probed by AndroxGh0st-style activity, and is there evidence the site has actually been compromised?

Methodology

The log was reviewed for known probe patterns and possible compromise indicators. The review specifically looked for:

  • .env requests and other exposed config-file requests.
  • Web-shell and admin upload paths.
  • PHPUnit exploit paths, including eval-stdin.php.
  • Command-injection strings embedded in URLs.
  • Unusual or scanner-flavored user agents.
  • Any suspicious successful 2xx responses to attacker-targeted resources.

Successful requests were also examined separately to determine whether they matched normal site usage or suspicious file access.
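The review described above can be expressed as a small script. The following is an added example written for this writeup, not a tool used in the original review: it parses combined-format access log lines, tags each request with the probe patterns listed in the methodology (config-file paths, PHPUnit eval-stdin.php, router CGI paths, webuploader preview.php, command-injection metacharacters, scanner user agents), and then separates three things a reviewer wants to see at a glance: probes that were answered 2xx (the compromise indicator), sensitive paths that were merely redirected rather than denied, and the ordinary 2xx traffic. The log lines are constructed for the example using documentation IP ranges; the specific probe regexes and the combined log format are assumptions, and the pattern table goes slightly beyond the page by accepting `.env` variants such as `/.env.bak`.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format. Assumption: the reviewed log uses it.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Probe patterns taken from the methodology and results sections; (tag, regex on the request path).
PROBE_PATTERNS = [
    ("env-file",    re.compile(r"^/\.env(\.|$|\?)")),                      # /.env, /.env.bak, /.env?x
    ("git-config",  re.compile(r"^/\.git/")),
    ("phpunit-rce", re.compile(r"/vendor/phpunit/.*/eval-stdin\.php")),
    ("router-cgi",  re.compile(r"^/cgi-bin/(luci|nas_sharing\.cgi)")),
    ("webuploader", re.compile(r"/webuploader/.*/preview\.php")),
    ("edge-app",    re.compile(r"^/(webclient/|vpn/index\.html|geoserver/web/|elmah\.axd)")),
]
# Shell metacharacters in a URL, raw or percent-encoded, that suggest a command-injection attempt.
CMD_INJECT_RE = re.compile(r"\$\(|%24%28|`|%60|\||%7C", re.IGNORECASE)
# User agents named in the results plus two common scanners (assumed additions).
SCANNER_UA_RE = re.compile(r"zgrab|python-urllib|root slut|masscan|nikto", re.IGNORECASE)

# Constructed sample log (documentation IP ranges, placeholder injected command).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2024:03:14:07 +0000] "GET /.env HTTP/1.1" 301 233 "-" "python-urllib/3.10"
203.0.113.10 - - [12/Mar/2024:03:14:08 +0000] "GET /.env HTTP/1.1" 404 196 "-" "python-urllib/3.10"
203.0.113.11 - - [12/Mar/2024:04:02:31 +0000] "GET /.git/config HTTP/1.1" 404 196 "-" "zgrab/0.x"
203.0.113.12 - - [12/Mar/2024:05:47:55 +0000] "GET /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.13 - - [12/Mar/2024:06:12:19 +0000] "GET /cgi-bin/luci/?country=$(CONSTRUCTED) HTTP/1.1" 400 226 "-" "Root Slut"
203.0.113.13 - - [12/Mar/2024:06:12:20 +0000] "GET /cgi-bin/nas_sharing.cgi HTTP/1.1" 404 196 "-" "Root Slut"
203.0.113.14 - - [12/Mar/2024:07:30:02 +0000] "GET /webuploader/0.1.5/server/preview.php HTTP/1.1" 404 196 "-" "Mozilla/5.0"
203.0.113.15 - - [12/Mar/2024:08:05:44 +0000] "GET /elmah.axd HTTP/1.1" 404 196 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2024:09:00:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.7 - - [12/Mar/2024:09:00:40 +0000] "POST /login.php HTTP/1.1" 200 812 "https://superiorschedule.com/login.php" "Mozilla/5.0 (Windows NT 10.0)"
198.51.100.8 - - [12/Mar/2024:10:15:03 +0000] "GET /sitemap.xml HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return the probe tags that apply to one parsed request (empty list = looks ordinary)."""
    tags = [tag for tag, rx in PROBE_PATTERNS if rx.search(entry["path"])]
    if CMD_INJECT_RE.search(entry["path"]):
        tags.append("cmd-injection")
    if SCANNER_UA_RE.search(entry["ua"]):
        tags.append("scanner-ua")
    return tags


def review(log_text):
    """Summarise a log: probe counts, probes answered 2xx, probes redirected, and normal 2xx traffic."""
    probes = Counter()
    successful = []    # sensitive path answered 2xx: the compromise indicator to escalate
    redirected = []    # sensitive path answered 3xx: not denied outright, worth a config fix
    normal_2xx = Counter()
    for line in log_text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        tags = classify(e)
        probes.update(tags)
        path_tags = [t for t in tags if t != "scanner-ua"]   # UA alone does not make a path sensitive
        if path_tags:
            if 200 <= e["status"] < 300:
                successful.append((e["ip"], e["path"], e["status"]))
            elif 300 <= e["status"] < 400:
                redirected.append((e["ip"], e["path"], e["status"]))
        elif 200 <= e["status"] < 300:
            normal_2xx[(e["method"], e["path"])] += 1
    return {
        "probe_counts": dict(probes),
        "successful_probes": successful,
        "redirected_probes": redirected,
        "normal_2xx": dict(normal_2xx),
        "compromise_indicator": bool(successful),
    }


if __name__ == "__main__":
    summary = review(SAMPLE_LOG)
    for key, value in summary.items():
        print(f"{key}: {value}")
```

On the constructed sample the script reports no 2xx answers to any probed path, one `/.env` request that was redirected instead of refused, and 2xx traffic only to `/index.php`, `/login.php` and `/sitemap.xml`, which is the same shape of finding the results section reports for the real log. The `redirected_probes` list is the item to act on when tightening server rules so that sensitive files are denied directly.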

Results

The site is being probed

The log shows repeated requests for paths consistent with automated vulnerability scanning, including:

  • /.env
  • /.git/config
  • /vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php
  • /cgi-bin/luci/... with an embedded command
  • /cgi-bin/nas_sharing.cgi
  • /webclient/
  • /vpn/index.html
  • /geoserver/web/
  • /elmah.axd
  • Many webuploader/.../preview.php paths

Scanner-style user agents were also present, including zgrab/0.x, Python-urllib, and Root Slut.

No confirmed compromise in this sample

There is no confirmed evidence that the site was compromised by AndroxGh0st in this log sample. The strongest AndroxGh0st-style indicators were repeated GET /.env probes, but those attempts ended in redirects and 404 Not Found — not successful 200 OK access.

The PHPUnit, .git/config, webclient, vpn, geoserver, elmah, and webuploader probes all returned 301, 400, or 404, not a successful response to an attacker-targeted resource. This pattern is consistent with probing without confirmed exploitation.

Bottom line: scanners are knocking. None of the doors they're targeting opened. Successful traffic in the log only reaches normal site pages, not the paths attackers were aiming for.

Successful traffic looks normal

Successful 2xx responses went to ordinary site pages such as /, /index.php, /Contact.php, /signup.php, /buildschedule.php, /login.php, /Pricing_Options.php, /Features.php, /demo.php, and /sitemap.xml. These do not match the AndroxGh0st exploit paths above.

The POST /signup.php and POST /login.php requests are worth a closer look for abuse or spam, but on their own they do not prove compromise.

Risk Analysis

Qualitative risk: Moderate. The site is actively scanned for exposed secrets and common web vulnerabilities, including probes consistent with techniques described in public AndroxGh0st reporting.

Quantitative risk from this one-day sample: 0 confirmed successful AndroxGh0st file exposures, alongside multiple failed/redirected probes against sensitive paths.

Recommendations

  • Block or limit repeated scanner traffic at the edge — particularly traffic from known scanner user agents and IPs that request many sensitive paths in sequence.
  • Make sure .env and .git files cannot be reached from the website. Update server rules so requests for sensitive files are denied directly rather than relying on redirects.
  • Review signup.php and login.php for suspicious use. Improve logging on those endpoints and add CAPTCHA or rate limiting to slow abuse and credential-stuffing attempts.
  • Patch and update PHP, Laravel, Apache, and related software so the application stack matches current security baselines.
  • Check the server itself for web shells or other signs of follow-up activity. Web logs alone cannot fully prove the site was not compromised — host-side review is required to be confident.

Conclusion

superiorschedule.com is being probed but, based on this one-day log sample, was not successfully compromised by AndroxGh0st-style activity. The recommended hardening steps reduce future risk and close the most obvious paths attackers were testing.