httpd-users mailing list archives

From Brenda Bell <k15a-list-apa...@mail.theotherbell.com>
Subject Re: [users@httpd] Have I been hacked
Date Mon, 24 Mar 2003 16:50:38 GMT
Zac wrote:

> On Mon, Mar 24, 2003 at 08:44:26AM -0500, Brenda Bell wrote:
> > How did someone get a hit on a page that's not hosted on my site?
> > What should I be looking for to fix it and keep it from happening
> > again?

> http://httpd.apache.org/docs/misc/FAQ.html#proxyscan

This was a big help, but I have a couple of questions about how this
works:

My ProxyRequests is off and I compared the file size in the log to the
file size of my root page and they match... so the requestor got
nothing more than my home page.

In order to reject these requests completely, I followed the
instructions in the FAQ.  When I tried to restart the server, I got
several warning messages, one for each virtual host on my server:

VirtualHost 192.168.2.66:80 overlaps with VirtualHost 192.168.2.66:80,
the first has precedence, perhaps you need a NameVirtualHost directive

I use NameVirtualHost to run several sites on the same IP from inside
my firewall.  Before doing what it said in the FAQ, my httpd.conf
looked like this:

NameVirtualHost 192.168.2.66

<VirtualHost 192.168.2.66:80>
    ServerAdmin [my admin email address]
    DocumentRoot [my site root]
    DirectoryIndex default.html
    ServerName www.theotherbell.com
    ErrorLog [my error log]
    CustomLog [my access log]
</VirtualHost>

I get the warnings if I change NameVirtualHost to * and add a new
VirtualHost entry for * with ServerName default.only.  If I use
192.168.2.66 rather than *, the warnings go away.  It's my
understanding I have to use the IP rather than * because I have a
couple of sites on a port other than 80.  However, it appears that I
can use * for all the sites running on port 80 and IP/port for
everything else -- in this case, the warnings also go away.

After doing the latter, it appears that all of my sites are still
working correctly.  Is there a way I can test to see if I have
successfully blocked the proxy?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
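
The check described in the message (comparing the response size in the access log with the size of the home page) can be run over a whole log, before and after the configuration change. This is an added example, not part of the original message or the Apache FAQ. It assumes Common Log Format; the sample lines, the 4523-byte home page size, and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')

# Constructed sample lines (documentation addresses and hostnames).
SAMPLE_LOG = """\
203.0.113.5 - - [24/Mar/2003:08:12:01 -0500] "GET http://www.example.com/ HTTP/1.0" 200 4523
203.0.113.5 - - [24/Mar/2003:08:12:04 -0500] "CONNECT mail.example.net:25 HTTP/1.0" 403 289
198.51.100.7 - - [24/Mar/2003:08:13:10 -0500] "GET /default.html HTTP/1.1" 200 4523
198.51.100.9 - - [24/Mar/2003:08:14:30 -0500] "GET http://www.theotherbell.com/ HTTP/1.1" 200 4523
203.0.113.5 - - [24/Mar/2003:08:15:00 -0500] "GET http://www.example.org/a HTTP/1.0" 200 18211
"""

def classify(line, served_hosts, home_size):
    """Return (client, target, verdict) for a proxy-style request, else None."""
    m = CLF.match(line)
    if not m:
        return None
    client, method, target, status, size = m.groups()
    if method == "CONNECT":
        host = target.rsplit(":", 1)[0]         # authority-form "host:port"
    elif "://" in target:
        host = urlsplit(target).hostname or ""  # absolute-form URI
    else:
        return None                             # ordinary "GET /path" request
    if host.lower() in served_hosts:
        return None                             # names one of our own sites
    if int(status) >= 400:
        verdict = "rejected"                    # server refused the request
    elif status == "200" and size == str(home_size):
        verdict = "local-page"                  # size matches our own home page (heuristic)
    else:
        verdict = "investigate"                 # foreign content may have been relayed
    return client, target, verdict

def scan(log_text, served_hosts, home_size):
    """Classify every proxy-style request found in log_text."""
    hits = (classify(l, served_hosts, home_size) for l in log_text.splitlines())
    return [h for h in hits if h]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, {"www.theotherbell.com"}, 4523):
        print(*hit)
```

Once the catch-all virtual host is in place, requests naming foreign hosts should show up as `rejected` rather than `local-page`.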