> Say I have several name based virtual hosts, and my default (first
> stanza in httpd.conf) has no servername directive.
> This means that any requests going to this default host went to the
> default cause the requested servername did not match any of my other
> v-hosts.
> So my question is... what was the servername that it was trying to
> compare against the ServerName directive in my virtual host stanzas?
> Is it possible that someone
> is connecting just to my IP address? How can I tell what
> servername they *intended* to go to.

Log your default vhost separately if you want to tell what requests went
to it. For example, on a server on a private IP behind a dynamic ADSL
gateway using no-ip.com DDNS, I specifically set a fake ServerName and log
my default vhost separately.

ServerName mainpc.bogus
UseCanonicalName off
NameVirtualHost *
<VirtualHost *>
    DocumentRoot /srv/www/htdocs/nohost
    ServerSignature Off
    ErrorLog /var/log/httpd/nohost_error_log
    LogFormat "%V %h %l %u %t \"%r\" %>s %b" nohost
    CustomLog /var/log/httpd/nohost_access_log nohost
</VirtualHost>

This is followed by wildcard vhosts with specific ServerName/ServerAlias
settings including public names, private LAN IP name for
intranet use, and IP based localhost vhost.
The "%V" in my log format shows the requested vhost, or my main fake
ServerName if there was no Host header. These are examples from that log.
This appears to be a fake Nimda probe, since there was no Host header
(default fake ServerName 'mainpc.bogus') and just a single request:
mainpc.bogus 148.233.132.171 - - [20/May/2003:16:53:46 -0500] "GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -
Someone testing if I am a proxy (not), using 'www.google.ca' in Host
header (default worm page):
www.google.ca 68.36.33.158 - - [20/May/2003:17:29:39 -0500] "HEAD http://www.google.ca/ HTTP/1.0" 200 0
Typical Nimda request which uses just 'www' for Host header (followed by
usual string of similar requests):
www 68.66.139.78 - - [20/May/2003:18:19:01 -0500] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210
--
David Efflandt - All spam ignored http://www.de-srv.com/
http://www.autox.chicago.il.us/ http://www.berniesfloral.net/
http://cgi-help.virtualave.net/ http://hammer.prohosting.com/~cgi-wiz/
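
Added example, not part of the original post: a Python parser for the "nohost" log format shown above that labels each default-vhost entry by why it landed there (no Host header, IP used as the host, or a name no vhost is configured for). The function names and labels are hypothetical, the IP check covers IPv4 only, and one sample line is constructed.

```python
import re
from collections import Counter

# Assumption: lines follow the post's LogFormat "%V %h %l %u %t \"%r\" %>s %b".
LINE_RE = re.compile(r'^(?P<vhost>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                     r'"(?P<request>.*)" (?P<status>\d{3}) (?P<size>\S+)$')
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
DEFAULT_SERVERNAME = "mainpc.bogus"  # the fake main ServerName from the post

# The three entries quoted in the post, with the wrapped request lines rejoined.
SAMPLE_LOG = [
    'mainpc.bogus 148.233.132.171 - - [20/May/2003:16:53:46 -0500] '
    '"GET /scripts/..%255c%255c../winnt/system32/cmd.exe?/c+dir" 404 -',
    'www.google.ca 68.36.33.158 - - [20/May/2003:17:29:39 -0500] '
    '"HEAD http://www.google.ca/ HTTP/1.0" 200 0',
    'www 68.66.139.78 - - [20/May/2003:18:19:01 -0500] '
    '"GET /scripts/root.exe?/c+dir HTTP/1.0" 404 210',
]
# Constructed line (documentation addresses): a client that sent the IP as Host.
CONSTRUCTED_IP_LINE = ('192.0.2.10 203.0.113.5 - - [20/May/2003:19:00:00 -0500] '
                       '"GET / HTTP/1.1" 200 512')

def classify(line, default_name=DEFAULT_SERVERNAME):
    """Return client, requested vhost and labels for one default-vhost entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # not in the expected format
    vhost = m["vhost"].lower()
    parts = m["request"].split()
    if vhost == default_name.lower():
        labels = ["no-host-header"]       # %V fell back to the main ServerName
    elif IPV4_RE.fullmatch(vhost):
        labels = ["ip-as-host"]           # client addressed the server by IP
    else:
        labels = ["unconfigured-name"]    # name matched no ServerName/ServerAlias
    if len(parts) >= 2 and re.match(r"(?i)https?://", parts[1]):
        labels.append("absolute-uri")     # proxy-style request line
    if len(parts) < 3:
        labels.append("no-http-version")  # HTTP/0.9-style request, carries no headers
    return {"client": m["client"], "vhost": vhost, "labels": labels}

def summarize(lines):
    """Count entries by primary label, skipping unparseable lines."""
    results = [r for r in map(classify, lines) if r]
    return Counter(r["labels"][0] for r in results)

if __name__ == "__main__":
    for entry in SAMPLE_LOG + [CONSTRUCTED_IP_LINE]:
        print(classify(entry))
```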