
I have noticed in the web server log file that some guys actually test the existence of some pages on my server (and possibly other servers).

So I have set up a custom 404 page and read out who these visitors are. Something like

ErrorDocument 404 /404.php

and I get something like this:

GATEWAY_INTERFACE   CGI/1.1 
SERVER_ADDR         62.75.xxx.xxx (my server's IP) 
SERVER_NAME         vps28680.vps.ovh.ca 
SERVER_SOFTWARE     Apache/2.2.22 (Debian) 
SERVER_PROTOCOL     HTTP/1.1 
REQUEST_METHOD      GET 
REQUEST_TIME        1465225786 
REQUEST_TIME_FLOAT  1465225786.731        
DOCUMENT_ROOT       /var/www 
HTTP_HOST           vps28680.vps.ovh.ca 
HTTP_USER_AGENT     Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 
REMOTE_ADDR         167.114.3.44 
REMOTE_PORT         44685 
SCRIPT_FILENAME     /var/www/404.php  
SERVER_PORT         80 
SERVER_SIGNATURE    Apache/2.2.22 (Debian) Server at vps28680.vps.ovh.ca Port 80 
SCRIPT_NAME         /404.php 
REQUEST_URI         HTTP://vps28680.vps.ovh.ca/judge/judge.php 

In a normal world, SERVER_NAME should be part of REQUEST_URI, and it should resolve to REMOTE_ADDR.

like in this case:

$_SERVER['REQUEST_URI'] = "HTTP://vps28680.vps.ovh.ca/judge/judge.php"
$_SERVER['SERVER_NAME'] = "vps28680.vps.ovh.ca"
and
$_SERVER['REMOTE_ADDR'] = "167.114.3.44"

I did a 'dig vps28680.vps.ovh.ca', and it turns out to be 167.114.3.44.

OK, so far so good, but the problem is that neither the IP nor the URI is on my server.

$_SERVER['REQUEST_URI'] is, according to the documentation, the URI the visitor entered in his Firefox browser to land on my server. And immediately after his visit, I clicked the link and it didn't take me to my box.

Okay, so I thought it's possible that someone set up a nameserver to point that domain at my box, but how could he do it with the fake IP? So why did he land on my box?

AFAIK the HOST_NAME should have been showing my domain name, not his domain. Or probably these aren't his IP and his domain.

Can somebody explain to me what's going on?

Max Muster

1 Answer

You can supply any hostname you want in the HTTP Host header, and if there is no vhost defined with this name, web servers will usually serve this with the default server, which in turn is usually just the first one defined (this is a feature of HTTP/1.1 and makes it possible to serve multiple domains with just one IP address).

So, what's happening is that someone on 167.114.x.x (most likely infected by a bot) is scanning web hosts for whatever purpose and is just supplying its own hostname in the HTTP request. This way, they can simply iterate over IP addresses and don't need valid hostnames.

In other words: Nothing to see here, just a normal day on the web.

Sven
  • As far as I have read, the REQUEST_URI should be, in my case, /404.php. I want to know HOW it can be faked. – Max Muster Jun 08 '16 at 21:18
  • If a web server encounters a 404, it will just serve the defined 404 document instead of the requested one, together with the 404 response code instead of 200, so having the original request URI in the headers is expected. – Sven Jun 08 '16 at 22:01
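The mechanism Sven describes, plus the triage the questioner's 404.php is really after, as an added example that is not part of the original question or answer. It models name-based virtual hosting the way Apache does it with `UseCanonicalName Off`: the host the server acts on comes from the client, either from the Host header or, as in the question where REQUEST_URI starts with `HTTP://`, from an absolute-form request target (the proxy-style request line scanners send); when no vhost's ServerName matches, the first vhost defined serves the request; and REQUEST_URI is the request-target exactly as received, which is why the questioner's log shows the full URL rather than /404.php. The vhost table (`default.example`, `shop.example`), the document roots, the existing paths and the sample requests are all constructed for the example; the scanner request mirrors the one in the question.

```python
"""Minimal model of HTTP/1.1 name-based virtual hosting, plus a check that
flags requests naming a host this server does not serve (added example)."""
from urllib.parse import urlsplit

# Constructed vhost table. The first entry is the default: Apache serves it
# whenever no ServerName matches the host the client supplied.
VHOSTS = [
    {"ServerName": "default.example", "DocumentRoot": "/var/www"},
    {"ServerName": "shop.example", "DocumentRoot": "/var/www/shop"},
]

# Constructed stand-in for the filesystem: which paths exist per DocumentRoot.
EXISTING_PATHS = {
    "/var/www": {"/", "/index.php", "/404.php"},
    "/var/www/shop": {"/", "/cart.php"},
}


def parse_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.1 request into request line and header map."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def effective_host(req: dict) -> str:
    """Host the server will act on. An absolute-form request target (the
    'HTTP://host/path' seen in the question) takes precedence over the Host
    header (RFC 7230 section 5.4); otherwise the Host header is used as sent.
    With UseCanonicalName Off this is also what SERVER_NAME reports."""
    target = req["target"]
    if "://" in target:
        host = urlsplit(target).hostname or ""
    else:
        host = req["headers"].get("host", "")
    return host.split(":")[0].lower()


def select_vhost(host: str) -> dict:
    """Exact ServerName match, else the first (default) vhost."""
    for vh in VHOSTS:
        if vh["ServerName"] == host:
            return vh
    return VHOSTS[0]


def serve(raw: bytes) -> dict:
    """Route one request and return the CGI variables a 404.php would see."""
    req = parse_request(raw)
    host = effective_host(req)
    vh = select_vhost(host)
    target = req["target"]
    path = urlsplit(target).path if "://" in target else target.split("?", 1)[0]
    status = 200 if path in EXISTING_PATHS[vh["DocumentRoot"]] else 404
    return {
        "status": status,
        "vhost": vh["ServerName"],
        "HTTP_HOST": req["headers"].get("host", ""),  # client-controlled
        "SERVER_NAME": host,                          # client-controlled here
        "REQUEST_URI": target,  # the request-target verbatim, never rewritten
    }


def foreign_host(cgi: dict, served_names: set) -> bool:
    """True when the request named a host this server does not serve: the
    signature of a scanner walking IP space with its own hostname, as in
    the question. served_names is the set of hostnames you really host."""
    return cgi["SERVER_NAME"] not in served_names


# Constructed requests. The first mirrors the question: absolute-form target
# and a Host header naming the scanner's own box, sent to some other IP.
SCANNER_REQUEST = (
    b"GET HTTP://vps28680.vps.ovh.ca/judge/judge.php HTTP/1.1\r\n"
    b"Host: vps28680.vps.ovh.ca\r\n"
    b"User-Agent: Mozilla/5.0\r\n\r\n"
)
UNKNOWN_HOST_REQUEST = b"GET /404.php HTTP/1.1\r\nHost: nothere.example\r\n\r\n"
NORMAL_REQUEST = b"GET /cart.php HTTP/1.1\r\nHost: shop.example\r\n\r\n"

if __name__ == "__main__":
    served = {vh["ServerName"] for vh in VHOSTS}
    for raw in (SCANNER_REQUEST, UNKNOWN_HOST_REQUEST, NORMAL_REQUEST):
        cgi = serve(raw)
        print(cgi["status"], cgi["vhost"], cgi["REQUEST_URI"],
              "FOREIGN-HOST" if foreign_host(cgi, served) else "ok")
```

Running it shows the questioner's case end to end: the scanner's request lands on the default vhost with a 404, SERVER_NAME and HTTP_HOST carry the scanner's own name, and REQUEST_URI is the full URL it sent. In a real 404.php the same `foreign_host` test (SERVER_NAME against the list of names you actually serve) separates scanners from genuine broken links; note that HTTP_HOST, REQUEST_URI and HTTP_USER_AGENT are all attacker-controlled, so strip control characters before writing them to a log.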