Solved

Vhosts and log mystery

Posted on 2007-12-03
Last Modified: 2010-04-21
I am running Apache 2.0 on Fedora Core 4. I have set up several vhosts and all is working fine. My understanding is that when vhosts are used the original web directory (/var/www/html) is disabled. In fact I have put a simple index.html there and I cannot see it from a browser at all. If I try to access my IP address directly, I get the first vhost defined in my httpd.conf file as I would expect. However I am getting occasional entries in my log file at /var/log/httpd/access_log. They tend to look like this -

66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //drupal/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //community/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //blogs/xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

As though someone was looking for vulnerabilities. But how can any entry show up in this log when all of my vhosts each have their log in their vhost directory?
Thanks
Question by:modoor9

Expert Comment

by:giltjr
That I am aware of /var/www/html is never "disabled".

The first thing I see that seems unusual to me (until I do some testing) is that the GETs have double forward slashes.  

Author Comment

by:modoor9
Here is an excerpt from the Apache 2.0 documentation-
-------------------
Main host goes away

If you are adding virtual hosts to an existing web server, you must also create a <VirtualHost> block for the existing host. The ServerName and DocumentRoot included in this virtual host should be the same as the global ServerName and DocumentRoot. List this virtual host first in the configuration file so that it will act as the default host.
-------------------

Since it should not be possible to access the web page at /var/www/html ( I have not been able to ), it is certainly puzzling that there are log entries for it.

Thanks.

Expert Comment

by:giltjr
Are you set up for SSL?

What are your logging options?  I just noticed that you are getting 404 errors and in my setup when I get page not found errors these go to my error log.

Author Comment

by:modoor9
Thank you for your help.

I am not using SSL.
Here are the corresponding entries found in /var/log/httpd/error_log -

[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/drupal
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/community
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/blogs
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/blogtest


Here is where the vhosts are set up in httpd.conf -
------------------
NameVirtualHost 64.79.xxx.xxx:80

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain1.com
DocumentRoot /var/vhosts/domain1.com/html
ServerAlias "www.domain1.com"
CustomLog "/var/vhosts/domain1.com/access_log" "combined"
ErrorLog "/var/vhosts/domain1.com/error_log"
</VirtualHost>

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain12.com
DocumentRoot /var/vhosts/domain2.com/html
ServerAlias "www.domain2.com"
ScriptAlias /cgi-bin/ "/var/vhosts/domain2.com/cgi-bin/"
CustomLog "/var/vhosts/domain2.com/access_log" "combined"
ErrorLog "/var/vhosts/domain2.com/error_log"
</VirtualHost>

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain3.net
DocumentRoot /var/vhosts/domain3.net/html
ServerAlias "www.domain3.net"
CustomLog "/var/vhosts/domain3.net/access_log" "combined"
ErrorLog "/var/vhosts/domain3.net/error_log"
</VirtualHost>
---------------

All the logs are defined to exist under the vhost directory, so I don't know what activity could cause an entry to be written to the logs at /var/log/httpd/.
Anything that I don't understand makes me nervous about security.

Thanks.

Expert Comment

by:giltjr
What do you have for "Listen"?
How many IP addresses does this box have?

Expert Comment

by:giltjr
What I think is happening, I have to test, is that you have "Listen 80" and you have more than one IP address on this box.

With

     NameVirtualHost 64.79.xxx.xxx:80

and all your virtual servers set up with 64.79.xxx.xxx:80, only that IP address is being used for your named servers.

If you have a second (or more) IP address on that box, it will use the "defaults".  So say you have a second IP address of 10.1.1.1, and you do http://10.1.1.1, you will use the default non-virtual settings.

If I am correct you will need to change "Listen 80" to "Listen 64.79.xxx.xxx:80" or change all instances of "64.79.xxx.xxx:80" to "*:80"

If you read the NameVirtualHost directive it does imply this:

Note, that the "main server" and any _default_ servers will never be served for a request to a NameVirtualHost IP address (unless for some reason you specify NameVirtualHost but then don't define any VirtualHosts for that address).

In your case, 64.79.xxx.xxx port 80 is the NameVirtualHost IP address.  If Apache is listening on an IP address other than that, the above implies that the non-VirtualHost stuff will be used.

Accepted Solution

by:giltjr earned 250 total points
O.K. I just did a test and I had:

Listen 80
NameVirtualHost 10.1.1.1:80
<VirtualHost 10.1.1.1:80>
ServerName dummy
DocumentRoot /www/dummy
CustomLog "/var/log/dummy_access" combined
ErrorLog "/var/log/dummy_error"
</VirtualHost>

and the normal "default" for non-virtual hosts.  The computer had two IP addresses, 10.1.1.1 and 10.1.1.2.  When I did http://dummy, I got the virtual host stuff, when I did http://10.1.1.2 I got the default apache stuff.

So, I am going to assume, for right now, that you have "Listen 80" and that this PC has more than one IP address and somebody is accessing it using the "other" IP address.

Author Closing Comment

by:modoor9
You are absolutely correct. This is a Virtual Private Server that has 3 IP addresses. I never use the other two so I forgot all about them.
Thanks
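
The check described in the accepted answer, written out as an added example (not code from the thread or from Apache): given an httpd.conf and the machine's IP addresses, it lists the address:port pairs Apache listens on that no <VirtualHost> address matches, which are the ones answered by the main server and logged under /var/log/httpd. The function names are hypothetical, the matching is a simplified IPv4-only model of Apache's address lookup, and the sample configuration is constructed from the 10.1.1.x test above.

```python
import re

def parse_addr(token):
    """Split '80', 'ip', 'ip:port', '*:80' or '_default_:80' into (host, port)."""
    if token.isdigit():                      # bare port, as in "Listen 80"
        return "*", token
    host, _, port = token.partition(":")
    return host, port or "*"                 # no port given means any port

def main_server_endpoints(conf_text, local_ips):
    """Return the 'ip:port' endpoints Apache listens on that no <VirtualHost>
    address matches, i.e. the ones answered by the main (non-vhost) server."""
    listens, vhosts = [], []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            continue
        m = re.match(r"listen\s+(\S+)", line, re.I)
        if m:
            listens.append(parse_addr(m.group(1)))
        m = re.match(r"<virtualhost\s+([^>]+)>", line, re.I)
        if m:
            vhosts += [parse_addr(t) for t in m.group(1).split()]
    exposed = set()
    for ip in local_ips:
        for lhost, lport in listens:
            if lhost not in ("*", ip):
                continue                     # Apache is not bound to this address
            covered = any(vh in ("*", "_default_", ip) and vp in ("*", lport)
                          for vh, vp in vhosts)
            if not covered:
                exposed.add(f"{ip}:{lport}")
    return sorted(exposed)

# Constructed sample mirroring the test in the accepted answer.
LOCAL_IPS = ["10.1.1.1", "10.1.1.2"]
VHOST = """NameVirtualHost 10.1.1.1:80
<VirtualHost 10.1.1.1:80>
ServerName dummy
DocumentRoot /www/dummy
</VirtualHost>
"""
LISTEN_ALL = "Listen 80\n" + VHOST           # the setup from the thread
LISTEN_ONE = "Listen 10.1.1.1:80\n" + VHOST  # first suggested fix
WILDCARD = LISTEN_ALL.replace("10.1.1.1:80", "*:80")  # second suggested fix

if __name__ == "__main__":
    for name, conf in [("Listen 80", LISTEN_ALL), ("Listen 10.1.1.1:80", LISTEN_ONE),
                       ("*:80 vhosts", WILDCARD)]:
        print(name, "->", main_server_endpoints(conf, LOCAL_IPS) or "none")
```

With "Listen 80" the second address is reported as reaching the main server; either suggested change leaves nothing exposed.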