Vhosts and log mystery

Posted on 2007-12-03
Medium Priority
Last Modified: 2010-04-21
I am running Apache 2.0 on Fedora Core 4. I have set up several vhosts and all is working fine. My understanding is that when vhosts are used the original web directory (/var/www/html) is disabled. In fact I have put a simple index.html there and I cannot see from a browser at all. If I try to access my IP address directly, I get the first vhost defined in my httpd.conf file as I would expect. However I am getting occasional entries in my log file at /var/log/httpd/access_log. They tend to look like this - - - [26/Nov/2007:18:39:24 -0700] "GET //drupal/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" - - [26/Nov/2007:18:39:24 -0700] "GET //community/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" - - [26/Nov/2007:18:39:24 -0700] "GET //blogs/xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" - - [26/Nov/2007:18:39:24 -0700] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

As though someone was looking for vulnerabilities. But how can any entry show up in this log when all of my vhosts each have their log in their vhost directory?
Question by:modoor9
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 57

Expert Comment

ID: 20400087
That I am aware of /var/www/html is never "disabled".

The first thing I see that seems unusual to me (until I do some testing) is that the GETs have double forward slashes.  

Author Comment

ID: 20408269
Here is an excerpt from the Apache 2.0 documentation-
Main host goes away

If you are adding virtual hosts to an existing web server, you must also create a <VirtualHost> block for the existing host. The ServerName and DocumentRoot included in this virtual host should be the same as the global ServerName and DocumentRoot. List this virtual host first in the configuration file so that it will act as the default host.

Since it should not be possible to access the web page at /var/www/html ( I have not been able to ), it is certainly puzzling that there are log entries for it.

LVL 57

Expert Comment

ID: 20408653
Are you setup for ssl?

What are your logging options?  I just noticed that you are getting 404 errors and in my setup when I get page not found errors these go to my error log.
Free learning courses: Active Directory Deep Dive

Get a firm grasp on your IT environment when you learn Active Directory best practices with Veeam! Watch all, or choose any amount, of this three-part webinar series to improve your skills. From the basics to virtualization and backup, we got you covered.


Author Comment

ID: 20414444
Thank you for your help.

I am not using SSL.
Here are the corresponding entries found in /var/log/httpd/error_log -

[Mon Nov 26 18:39:24 2007] [error] [client] File does not exist: /var/www/html/drupal
[Mon Nov 26 18:39:24 2007] [error] [client] File does not exist: /var/www/html/community
[Mon Nov 26 18:39:24 2007] [error] [client] File does not exist: /var/www/html/blogs
[Mon Nov 26 18:39:24 2007] [error] [client] File does not exist: /var/www/html/blogtest

Here is where the vhosts are set up in httpd.conf -
NameVirtualHost 64.79.xxx.xxx:80

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain1.com
DocumentRoot /var/vhosts/domain1.com/html
ServerAlias "www.domain1.com"
CustomLog "/var/vhosts/domain1.com/access_log" "combined"
ErrorLog "/var/vhosts/domain1.com/error_log"

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain12.com
DocumentRoot /var/vhosts/domain2.com/html
ServerAlias "www.domain2.com"
ScriptAlias /cgi-bin/ "/var/vhosts/domain2.com/cgi-bin/"
CustomLog "/var/vhosts/domain2.com/access_log" "combined"
ErrorLog "/var/vhosts/domain2.com/error_log"

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain3.net
DocumentRoot /var/vhosts/domain3.net/html
ServerAlias "www.domain3.net"
CustomLog "/var/vhosts/domain3.net/access_log" "combined"
ErrorLog "/var/vhosts/domain3.net/error_log"

All the logs are defined to exist under the vhost directory, so I don't know what activity could cause an entry to be written to the logs at /var/log/http/
Anything that I don't understand makes me nervous about security.

LVL 57

Expert Comment

ID: 20414557
What do you have for "Listen"?
How many IP addresses does this box have?
LVL 57

Expert Comment

ID: 20414633
What I think is happening, I have to test, is that you have "Listen 80" and you have more than on IP address on this box.


     NameVirtualServer 64.79.xxx.xxx:80

and all your virtual server setup with 64.79.xxx.xxx:80, only that IP address is being used for your named servers.

If you have a second (or more) IP address on that box, it will use the "defaults".  So say you have a second IP address of, and you do, you will use the default non-virtual settings.

If I am correct you will need change "Listen 80" to "Listen 64.79.xxx.xxx:80" or change all instances of "64.79.xxx.xxx:80" to "*.80"

If you read the NameVirtualServer directive it does imply this:

Note, that the "main server" and any _default_ servers will never be served for a request to a NameVirtualHost IP address (unless for some reason you specify NameVirtualHost but then don't define any VirtualHosts for that address).

In your case, 64.79.xxx.xxx port 80 is the NameVirtualHost IP address.  If Apache is listening on an IP address other than that, the above implies that the non-VirtualHost stuff will be used.
LVL 57

Accepted Solution

giltjr earned 1000 total points
ID: 20414716
O.K. I just did a test and I had:

Listen 80
ServerName dummy
DocumentRoot /www/dummy
CustomLog "/var/log/dummy_access
ErrorLog "/var/log/dummy_error>

and the normal "default" for non-virtual hosts.  The computer had two IP addresses, and  When I did http://dummy, I got the virtual host stuff, when I did I got the default apache stuff.

So, I am going to assume, for right now, that you have "Listen 80" and that this PC has more than one IP address and somebody accessing it using the "other" IP address.

Author Closing Comment

ID: 31412420
You are absolutely correct. This is a Virtual Private Server that has 3 IP addresses. I never use the other two so I forgot all about them.

Featured Post

Use Case: Protecting a Hybrid Cloud Infrastructure

Microsoft Azure is rapidly becoming the norm in dynamic IT environments. This document describes the challenges that organizations face when protecting data in a hybrid cloud IT environment and presents a use case to demonstrate how Acronis Backup protects all data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Most ColdFusion developers get confused between the CFSet, Duplicate, and Structcopy methods of copying a Structure, especially which one to use when. This Article will explain the differences in the approaches with examples; therefore, after readin…
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…
Have you created a query with information for a calendar? ... and then, abra-cadabra, the calendar is done?! I am going to show you how to make that happen. Visualize your data!  ... really see it To use the code to create a calendar from a q…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question