Solved

Vhosts and log mystery

Posted on 2007-12-03
Last Modified: 2010-04-21
I am running Apache 2.0 on Fedora Core 4. I have set up several vhosts and all is working fine. My understanding is that when vhosts are used the original web directory (/var/www/html) is disabled. In fact I have put a simple index.html there and I cannot see it from a browser at all. If I try to access my IP address directly, I get the first vhost defined in my httpd.conf file, as I would expect. However, I am getting occasional entries in my log file at /var/log/httpd/access_log. They tend to look like this -

66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //drupal/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //community/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //blogs/xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"
66.6.223.34 - - [26/Nov/2007:18:39:24 -0700] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

As though someone was looking for vulnerabilities. But how can any entry show up in this log when all of my vhosts each have their log in their vhost directory?
Thanks
0
Question by:modoor9
 
LVL 57

Expert Comment

by:giltjr
ID: 20400087
That I am aware of /var/www/html is never "disabled".

The first thing I see that seems unusual to me (until I do some testing) is that the GETs have double forward slashes.  
0
 
LVL 1

Author Comment

by:modoor9
ID: 20408269
Here is an excerpt from the Apache 2.0 documentation-
-------------------
Main host goes away

If you are adding virtual hosts to an existing web server, you must also create a <VirtualHost> block for the existing host. The ServerName and DocumentRoot included in this virtual host should be the same as the global ServerName and DocumentRoot. List this virtual host first in the configuration file so that it will act as the default host.
-------------------

Since it should not be possible to access the web page at /var/www/html (I have not been able to), it is certainly puzzling that there are log entries for it.

Thanks.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20408653
Are you set up for SSL?

What are your logging options?  I just noticed that you are getting 404 errors and in my setup when I get page not found errors these go to my error log.
0

 
LVL 1

Author Comment

by:modoor9
ID: 20414444
Thank you for your help.

I am not using SSL.
Here are the corresponding entries found in /var/log/httpd/error_log -

[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/drupal
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/community
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/blogs
[Mon Nov 26 18:39:24 2007] [error] [client 66.6.223.34] File does not exist: /var/www/html/blogtest


Here is where the vhosts are set up in httpd.conf -
------------------
NameVirtualHost 64.79.xxx.xxx:80

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain1.com
DocumentRoot /var/vhosts/domain1.com/html
ServerAlias "www.domain1.com"
CustomLog "/var/vhosts/domain1.com/access_log" "combined"
ErrorLog "/var/vhosts/domain1.com/error_log"
</VirtualHost>

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain12.com
DocumentRoot /var/vhosts/domain2.com/html
ServerAlias "www.domain2.com"
ScriptAlias /cgi-bin/ "/var/vhosts/domain2.com/cgi-bin/"
CustomLog "/var/vhosts/domain2.com/access_log" "combined"
ErrorLog "/var/vhosts/domain2.com/error_log"
</VirtualHost>

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain3.net
DocumentRoot /var/vhosts/domain3.net/html
ServerAlias "www.domain3.net"
CustomLog "/var/vhosts/domain3.net/access_log" "combined"
ErrorLog "/var/vhosts/domain3.net/error_log"
</VirtualHost>
---------------

All the logs are defined to exist under the vhost directory, so I don't know what activity could cause an entry to be written to the logs at /var/log/httpd/.
Anything that I don't understand makes me nervous about security.

Thanks.
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20414557
What do you have for "Listen"?
How many IP addresses does this box have?
0
 
LVL 57

Expert Comment

by:giltjr
ID: 20414633
What I think is happening, I have to test, is that you have "Listen 80" and you have more than one IP address on this box.

With

     NameVirtualHost 64.79.xxx.xxx:80

and all your virtual servers set up with 64.79.xxx.xxx:80, only that IP address is being used for your named servers.

If you have a second (or more) IP address on that box, it will use the "defaults".  So say you have a second IP address of 10.1.1.1, and you do http://10.1.1.1, you will use the default non-virtual settings.

If I am correct you will need to change "Listen 80" to "Listen 64.79.xxx.xxx:80" or change all instances of "64.79.xxx.xxx:80" to "*:80".

If you read the NameVirtualHost directive it does imply this:

Note, that the "main server" and any _default_ servers will never be served for a request to a NameVirtualHost IP address (unless for some reason you specify NameVirtualHost but then don't define any VirtualHosts for that address).

In your case, 64.79.xxx.xxx port 80 is the NameVirtualHost IP address.  If Apache is listening on an IP address other than that, the above implies that the non-VirtualHost stuff will be used.
0
 
LVL 57

Accepted Solution

by:
giltjr earned 250 total points
ID: 20414716
O.K. I just did a test and I had:

Listen 80
NameVirtualHost 10.1.1.1:80
<VirtualHost 10.1.1.1:80>
ServerName dummy
DocumentRoot /www/dummy
CustomLog "/var/log/dummy_access"
ErrorLog "/var/log/dummy_error"
</VirtualHost>

and the normal "default" for non-virtual hosts.  The computer had two IP addresses, 10.1.1.1 and 10.1.1.2.  When I did http://dummy, I got the virtual host stuff, when I did http://10.1.1.2 I got the default apache stuff.

So, I am going to assume, for right now, that you have "Listen 80" and that this PC has more than one IP address and somebody is accessing it using the "other" IP address.
0
 
LVL 1

Author Closing Comment

by:modoor9
ID: 31412420
You are absolutely correct. This is a Virtual Private Server that has 3 IP addresses. I never use the other two so I forgot all about them.
Thanks
0
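
The fall-through described in the accepted answer can be checked offline. The script below is an added example, not code from the thread or from Apache: it lists the address/port pairs Apache listens on that no <VirtualHost> covers, which are the ones served by the main server and written to the global logs. The function names, the IPv4-only handling and the sample configuration (constructed, modelled on the 10.1.1.1 / 10.1.1.2 test above) are assumptions.

```python
import re

LISTEN = re.compile(r'^\s*Listen\s+(?:(\S+):)?(\d+)\s*$', re.I)
VHOST = re.compile(r'^\s*<VirtualHost\s+([^>]+)>', re.I)

# Constructed sample modelled on the test in the accepted answer.
BROKEN = """\
Listen 80
NameVirtualHost 10.1.1.1:80
<VirtualHost 10.1.1.1:80>
ServerName dummy
DocumentRoot /www/dummy
</VirtualHost>
"""
LOCAL_IPS = ["10.1.1.1", "10.1.1.2"]  # assumed addresses bound on the host

def vhost_covers(spec, ip, port):
    """True if one <VirtualHost> address spec matches ip:port."""
    host, _, vport = spec.partition(":")
    if vport not in ("", "*", str(port)):
        return False
    return host in ("*", "_default_", ip)

def main_server_endpoints(conf_text, local_ips):
    """Return sorted (ip, port) pairs Apache listens on that no
    <VirtualHost> covers; requests there reach the main server."""
    listens, specs = [], []
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # skip comments
        m = LISTEN.match(line)
        if m:
            listens.append((m.group(1), int(m.group(2))))
        m = VHOST.match(line)
        if m:
            specs.extend(m.group(1).split())
    exposed = set()
    for host, port in listens:
        # "Listen 80" binds every local address
        ips = local_ips if host in (None, "*", "0.0.0.0") else [host]
        for ip in ips:
            if not any(vhost_covers(s, ip, port) for s in specs):
                exposed.add((ip, port))
    return sorted(exposed)

if __name__ == "__main__":
    print(main_server_endpoints(BROKEN, LOCAL_IPS))
```

Applying either change suggested in the thread (binding Listen to the one address, or using *:80 for NameVirtualHost and the vhosts) makes the result empty.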
