F19: Is this an httpd attack attempt?

Wolfgang S. Rupprecht wolfgang.rupprecht at gmail.com
Thu Mar 6 07:06:34 UTC 2014


lee <lee at yun.yagibdah.de> writes:
> "Wolfgang S. Rupprecht" <wolfgang.rupprecht at gmail.com> writes:
>
>> lee <lee at yun.yagibdah.de> writes:
>>> Could someone please explain why/how this may be considered as an attack
>>> or at least as something bad?  Someone requesting an URL from a web
>>> server that doesn't serve this URL --- or doesn't serve the specified
>>> domain at all --- could be caused by incorrect responses from name
>>> servers, couldn't it?
>>>
>>> What is it in particular that would distinguish the request in question
>>> from others?
>>
>> This is not an attack, but someone fishing for information.  I
>> understand that apache in some modes gives you the first configured vhost
>> when encountering a query like that.  Someone wanted to see if there
>> was something juicy lying around.  The server served the URL
>> "http://<vhost0>/"
>> which was the index.{html,htm,php,etc} file in the vhost0 root directory.
>
> Sorry, I still don't understand.  You seem to imply that any request to
> a web server which, for whatever reason, doesn't serve the request or
> doesn't serve for the domain given in the request --- I'm not sure which
> is in question here: the domain or the request --- can be considered as
> an attempt to obtain information the requester is not supposed to have.
>
> So far, my understanding has been that the requester is supposed to
> receive a 4xx or 5xx error message/code when the server does not want to
> or can not serve the request.
>
> For instances when the web server gives a wrong answer to a request it
> does not serve --- like sending the index page used with requests for a
> different domain instead of indicating an error --- someone has
> misconfigured the server, or there is a bug in the server.  Neither has
> anything to do with the sender of the request, other than that they
> receive a wrong answer.  It's not the fault of the sender of the request
> when the web server sends the wrong answer.

I don't know how to say it more precisely.  

1) this is not an exploit.

2) apache has (to my mind) a minor bug where it serves pages from the
   first vhost if you ask for an unknown vhost.

3) the request in the initial post was for the page at the root of the
   directory tree often called /index.html .

4) the request was successfully served hence the 200 return code.

-wolfgang
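
[Added example, not part of the message above and not code from any poster.] One way to spot the situation discussed in this thread, a request for a host name the server does not serve that is still answered by the default vhost with a 200, is to check the access log. The log format (Host header logged first via `%{Host}i`), the vhost list and the sample lines are assumptions constructed for this sketch.

```python
import re

# Assumption: httpd logs the Host header first, e.g.
#   LogFormat "%{Host}i %h %l %u %t \"%r\" %>s %b" vhost_probe
# (format name and layout are chosen for this example).
LINE_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+$'
)

# Hypothetical list of names this server is actually configured to serve.
KNOWN_VHOSTS = {"www.example.org", "example.org"}

# Constructed sample log lines (documentation addresses and domains).
SAMPLE_LOG = [
    'www.example.org 192.0.2.10 - - [06/Mar/2014:07:00:01 +0000] "GET / HTTP/1.1" 200 5120',
    'other.example.net 203.0.113.7 - - [06/Mar/2014:07:00:05 +0000] "GET / HTTP/1.1" 200 5120',
    'other.example.net 203.0.113.7 - - [06/Mar/2014:07:00:09 +0000] "GET / HTTP/1.1" 404 209',
    '- 203.0.113.9 - - [06/Mar/2014:07:00:12 +0000] "GET / HTTP/1.0" 200 5120',
    'EXAMPLE.ORG:80 192.0.2.11 - - [06/Mar/2014:07:00:15 +0000] "GET /index.html HTTP/1.1" 200 5120',
]

def normalize_host(raw):
    """Lower-case a Host header value and drop any port and trailing dot."""
    host = raw.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:80
        return host.split("]", 1)[0] + "]"
    host = host.split(":", 1)[0]        # drop :port
    return host.rstrip(".")             # trailing-dot FQDN

def classify(line, known=KNOWN_VHOSTS):
    """Return (host, client, status, verdict), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    host = normalize_host(m.group("host"))
    status = int(m.group("status"))
    if host in known:
        verdict = "known"
    elif status < 400:
        verdict = "unknown-served"    # default vhost answered for a foreign name
    else:
        verdict = "unknown-rejected"  # server answered with a 4xx/5xx error
    return host, m.group("client"), status, verdict

def unknown_served(lines, known=KNOWN_VHOSTS):
    """List (host, client, status) for unknown hosts that were served anyway."""
    hits = [classify(line, known) for line in lines]
    return [h[:3] for h in hits if h and h[3] == "unknown-served"]

if __name__ == "__main__":
    for hit in unknown_served(SAMPLE_LOG):
        print(hit)
```

A "-" in the host column means the request carried no Host header at all, which the default vhost also answers.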