Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


Vhosts and log mystery

Posted on 2007-12-03
Medium Priority
Last Modified: 2010-04-21
I am running Apache 2.0 on Fedora Core 4. I have set up several vhosts and all is working fine. My understanding is that when vhosts are used the original web directory (/var/www/html) is disabled. In fact I have put a simple index.html there and I cannot see from a browser at all. If I try to access my IP address directly, I get the first vhost defined in my httpd.conf file as I would expect. However I am getting occasional entries in my log file at /var/log/httpd/access_log. They tend to look like this - - - [26/Nov/2007:18:39:24 -0700] "GET //drupal/xmlrpc.php HTTP/1.1" 404 295 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" - - [26/Nov/2007:18:39:24 -0700] "GET //community/xmlrpc.php HTTP/1.1" 404 298 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" - - [26/Nov/2007:18:39:24 -0700] "GET //blogs/xmlrpc.php HTTP/1.1" 404 294 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)" - - [26/Nov/2007:18:39:24 -0700] "GET //blogtest/xmlsrv/xmlrpc.php HTTP/1.1" 404 304 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows 98)"

As though someone was looking for vulnerabilities. But how can any entry show up in this log when all of my vhosts each have their log in their vhost directory?
Question by:modoor9
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 3
LVL 57

Expert Comment

ID: 20400087
That I am aware of /var/www/html is never "disabled".

The first thing I see that seems unusual to me (until I do some testing) is that the GETs have double forward slashes.  

Author Comment

ID: 20408269
Here is an excerpt from the Apache 2.0 documentation-
Main host goes away

If you are adding virtual hosts to an existing web server, you must also create a <VirtualHost> block for the existing host. The ServerName and DocumentRoot included in this virtual host should be the same as the global ServerName and DocumentRoot. List this virtual host first in the configuration file so that it will act as the default host.

Since it should not be possible to access the web page at /var/www/html ( I have not been able to ), it is certainly puzzling that there are log entries for it.

LVL 57

Expert Comment

ID: 20408653
Are you setup for ssl?

What are your logging options?  I just noticed that you are getting 404 errors and in my setup when I get page not found errors these go to my error log.

Modern healthcare requires a modern cloud. View this brief video to understand how the Concerto Cloud for Healthcare can help your organization.


Author Comment

ID: 20414444
Thank you for your help.

I am not using SSL.
Here are the corresponding entries found in /var/log/httpd/error_log -

[Mon Nov 26 18:39:24 2007] [error] [client] File does not exist: /var/www/html/drupal
[Mon Nov 26 18:39:24 2007] [error] [client] File does not exist: /var/www/html/community
[Mon Nov 26 18:39:24 2007] [error] [client] File does not exist: /var/www/html/blogs
[Mon Nov 26 18:39:24 2007] [error] [client] File does not exist: /var/www/html/blogtest

Here is where the vhosts are set up in httpd.conf -
NameVirtualHost 64.79.xxx.xxx:80

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain1.com
DocumentRoot /var/vhosts/domain1.com/html
ServerAlias "www.domain1.com"
CustomLog "/var/vhosts/domain1.com/access_log" "combined"
ErrorLog "/var/vhosts/domain1.com/error_log"

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain12.com
DocumentRoot /var/vhosts/domain2.com/html
ServerAlias "www.domain2.com"
ScriptAlias /cgi-bin/ "/var/vhosts/domain2.com/cgi-bin/"
CustomLog "/var/vhosts/domain2.com/access_log" "combined"
ErrorLog "/var/vhosts/domain2.com/error_log"

<VirtualHost 64.79.xxx.xxx:80>
ServerName domain3.net
DocumentRoot /var/vhosts/domain3.net/html
ServerAlias "www.domain3.net"
CustomLog "/var/vhosts/domain3.net/access_log" "combined"
ErrorLog "/var/vhosts/domain3.net/error_log"

All the logs are defined to exist under the vhost directory, so I don't know what activity could cause an entry to be written to the logs at /var/log/http/
Anything that I don't understand makes me nervous about security.

LVL 57

Expert Comment

ID: 20414557
What do you have for "Listen"?
How many IP addresses does this box have?
LVL 57

Expert Comment

ID: 20414633
What I think is happening, I have to test, is that you have "Listen 80" and you have more than on IP address on this box.


     NameVirtualServer 64.79.xxx.xxx:80

and all your virtual server setup with 64.79.xxx.xxx:80, only that IP address is being used for your named servers.

If you have a second (or more) IP address on that box, it will use the "defaults".  So say you have a second IP address of, and you do, you will use the default non-virtual settings.

If I am correct you will need change "Listen 80" to "Listen 64.79.xxx.xxx:80" or change all instances of "64.79.xxx.xxx:80" to "*.80"

If you read the NameVirtualServer directive it does imply this:

Note, that the "main server" and any _default_ servers will never be served for a request to a NameVirtualHost IP address (unless for some reason you specify NameVirtualHost but then don't define any VirtualHosts for that address).

In your case, 64.79.xxx.xxx port 80 is the NameVirtualHost IP address.  If Apache is listening on an IP address other than that, the above implies that the non-VirtualHost stuff will be used.
LVL 57

Accepted Solution

giltjr earned 1000 total points
ID: 20414716
O.K. I just did a test and I had:

Listen 80
ServerName dummy
DocumentRoot /www/dummy
CustomLog "/var/log/dummy_access
ErrorLog "/var/log/dummy_error>

and the normal "default" for non-virtual hosts.  The computer had two IP addresses, and  When I did http://dummy, I got the virtual host stuff, when I did I got the default apache stuff.

So, I am going to assume, for right now, that you have "Listen 80" and that this PC has more than one IP address and somebody accessing it using the "other" IP address.

Author Closing Comment

ID: 31412420
You are absolutely correct. This is a Virtual Private Server that has 3 IP addresses. I never use the other two so I forgot all about them.

Featured Post

Understanding Web Applications

Without even knowing it, most of us are using web applications on a daily basis. Gmail and Yahoo email, Twitter, Facebook, and eBay are used by most of us daily—and they are web applications. We often confuse these web applications tools for websites.  So, what is the difference?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In Solr 4.0 it is possible to atomically (or partially) update individual fields in a document. This article will show the operations possible for atomic updating as well as setting up your Solr instance to be able to perform the actions. One major …
Introduction This article is intended for those who are new to PHP error handling (https://www.experts-exchange.com/articles/11769/And-by-the-way-I-am-New-to-PHP.html).  It addresses one of the most common problems that plague beginning PHP develop…
How to fix incompatible JVM issue while installing Eclipse While installing Eclipse in windows, got one error like above and unable to proceed with the installation. This video describes how to successfully install Eclipse. How to solve incompa…
Are you ready to place your question in front of subject-matter experts for more timely responses? With the release of Priority Question, Premium Members, Team Accounts and Qualified Experts can now identify the emergent level of their issue, signal…
Suggested Courses
Course of the Month9 days, 11 hours left to enroll

610 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question