Apache/websites
#21

I pinged from my server to feedmebits.testing and I got an IP. I sent you the results in a PM cuz I don't really want to post my IP here.

And I am able to ping now from my own PC at home to www.feedmebits.com and I get an IP/reply. I don't quite get the last part yet:

Quote: and your browser should point to this Apache install which will serve up this particular vhost.

I then try editing /etc/hosts to:

myip feedmebits.com

and then try going to feedmebits.com and I get 403 Forbidden, and when I go to my IP I get my bucket .htm page. But the bucket is still confusing to me cuz I don't see anything appearing in my logs when I try it by IP. Think I'm just not understanding one part yet but I'm a bit closer to understanding now.

Could you test out my bucket and see what you get?

Reply
#22
Check /var/log/httpd/sniffer_access.log - that's your bucket logfile, isn't it?
Reply
#23

Quote:Check /var/log/httpd/sniffer_access.log - that's your bucket logfile, isn't it?
 

Yeah it seems to be working but seems like there's a delay in my log

Reply
#24

Haha interesting. I've already seen two people sniffing: one from Dallas, Texas and the other from Moldova, Republic of, Chisinau. But I also end up in my bucket when going to feedmebits.net cuz it's logged in my sniffer file:

But seems like when going to feedmebits.net I also end up in my bucket instead of ending up in the same place as www.feedmebits.com (403 forbidden page)

That's from my sniffer access log:



Code:
[15/Aug/2011:00:56:11 +0200] "GET /favicon.ico HTTP/1.1" 200 146 "http://feedmebits.net/" "Mozilla/5.0 (X11; U; Linux x86_64; en-us) AppleWebKit/531.2+ (KHTML, like Gecko) Version/5.0 Safari/531.2+ Debian/squeeze (2.30.6-1) Epiphany/2.30.6"




 

and this is from my sniffer-error log:

[Mon Aug 15 11:08:48 2011] [error] [client 69.162.74.102] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Aug 15 11:17:29 2011] [error] [client 67.205.102.172] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Aug 15 11:50:53 2011] [error] [client 50.73.155.220] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Aug 15 15:17:17 2011] [error] [client 204.95.105.213] File does not exist: /var/www/html/.blackhole/phpmyadmin

 

Don't really understand it the first 3, but the last one is looking for my phpmyadmin controlpanel. Which thanks to anyweb's advice I removed out of security reasons. And the IP belongs to United States Redmond Microsoft Corp. Why would they be trying to access my phpmyadmin? Probably someone who hacked them and is using them as a proxy? hahaha viewing logs is fun :). Will be more fun once I get my site working and my IDS set up.

Reply
#25

Quote: But I also end up in my bucket when going to feedmebits.net cuz it's logged in my sniffer file:

But seems like when going to feedmebits.net I also end up in my bucket instead of ending up in the same place as www.feedmebits.com (403 forbidden page)

That's because you don't have feedmebits.net mentioned as a ServerName or ServerAlias in your config files.

Essentially if you end up in the bucket, Apache can't match your requested URL to a site so drops you into its first one.

Quote: Don't really understand it the first 3, but the last one is looking for my phpmyadmin controlpanel. Which thanks to anyweb's advice I removed out of security reasons. And the ip belongs to United States Redmond Microsoft Corp . Why would they be trying to access my

The first are a sniff for the long-forgotten DFind scanner vuln - google w00tw00t if you want to know more information.

The phpmyadmin one is the reason I recommend people NOT to have it running against your default site (disable it in conf.d/ dir) - bind it to a vhost instead if needed.

Reply
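The error-log entries from post #24, triaged the way post #25 reads them, as an added example that is not part of the thread. The log lines are copied from the post; the rule labels are this example's own names.

```python
import re
from collections import defaultdict

# The four error-log lines quoted in post #24 (Apache 2.2 error log format).
SAMPLE_LOG = """\
[Mon Aug 15 11:08:48 2011] [error] [client 69.162.74.102] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Aug 15 11:17:29 2011] [error] [client 67.205.102.172] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Aug 15 11:50:53 2011] [error] [client 50.73.155.220] client sent HTTP/1.1 request without hostname (see RFC2616 section 14.23): /w00tw00t.at.ISC.SANS.DFind:)
[Mon Aug 15 15:17:17 2011] [error] [client 204.95.105.213] File does not exist: /var/www/html/.blackhole/phpmyadmin
"""

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9A-Fa-f.:]+)\] (?P<msg>.*)$")

# Ordered rules: the first match wins. Labels are hypothetical names for this example.
RULES = [
    ("dfind-scanner-probe", re.compile(r"request without hostname.*w00tw00t", re.I)),
    ("missing-host-header", re.compile(r"request without hostname", re.I)),
    ("admin-panel-probe", re.compile(r"File does not exist: \S*/phpmyadmin\b", re.I)),
    ("missing-file", re.compile(r"File does not exist", re.I)),
]

def classify(line):
    """Return (client_ip, label) for one error-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    for label, rx in RULES:
        if rx.search(m["msg"]):
            return m["ip"], label
    return m["ip"], "other"

def summarize(log):
    """Group client IPs by label, keeping the order they appear in the log."""
    out = defaultdict(list)
    for line in log.splitlines():
        hit = classify(line)
        if hit:
            out[hit[1]].append(hit[0])
    return dict(out)
```
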
#26

I already removed phpmyadmin last week cuz anyweb said it's security wise better to do it via the command line. And the more I use the command line the better and the easier the command line becomes I suppose :)

 

The rest I posted here

Reply
#27

Quote: But I also end up in my bucket when going to feedmebits.net cuz it's logged in my sniffer file:

But seems like when going to feedmebits.net I also end up in my bucket instead of ending up in the same place as www.feedmebits.com (403 forbidden page)

That's because you don't have feedmebits.net mentioned as a ServerName or ServerAlias in your config files.

Essentially if you end up in the bucket, Apache can't match your requested URL to a site so drops you into its first one.

Quote: Don't really understand it the first 3, but the last one is looking for my phpmyadmin controlpanel. Which thanks to anyweb's advice I removed out of security reasons. And the ip belongs to United States Redmond Microsoft Corp . Why would they be trying to access my

The first are a sniff for the long-forgotten DFind scanner vuln - google w00tw00t if you want to know more information.

The phpmyadmin one is the reason I recommend people NOT to have it running against your default site (disable it in conf.d/ dir) - bind it to a vhost instead if needed.

I didn't get this last part, how to disable it. I have the conf.d directory but it doesn't mention phpmyadmin anywhere in there. And how do I bind phpmyadmin to a virtualhost?

before I removed phpmyadmin I did it like this

I guess if you say bind I would have to do it like this:?

Alias /phpmyadmin /var/www/html/website/webfolder/phpmyadmin

btw I understand the blackhole now and replaced my html page with your alias which gives an error :) Brilliant!!!

Reply
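A simplified model of the name-based vhost matching described in post #25, and of the Alias placement asked about in post #27, added here as an example and not code from the thread or from Apache. It shows an unlisted hostname falling into the first vhost, and a server-level Alias being reachable through that vhost; bucket.invalid and /usr/share/phpMyAdmin are assumed names, the rest come from the thread.

```python
from fnmatch import fnmatch

# Constructed config; bucket.invalid and /usr/share/phpMyAdmin are assumptions.
ALIAS = "Alias /phpmyadmin /usr/share/phpMyAdmin\n"
WEAK = ALIAS + """\
<VirtualHost *:80>
    ServerName bucket.invalid
    DocumentRoot /var/www/html/.blackhole
</VirtualHost>
<VirtualHost *:80>
    ServerName www.feedmebits.com
    ServerAlias feedmebits.com
    DocumentRoot /home/feedmebits/public_html/feedmebits.nl
</VirtualHost>
"""
# Corrected: alias moved into the named vhost, feedmebits.net added as an alias.
FIXED = WEAK.replace(ALIAS, "", 1).replace(
    "ServerAlias feedmebits.com\n",
    "ServerAlias feedmebits.com feedmebits.net\n    " + ALIAS)

def parse(conf):
    """Return (vhosts in file order, aliases defined outside any vhost)."""
    vhosts, global_aliases, cur = [], [], None
    for line in conf.splitlines():
        key, *args = line.split() or [""]
        key = key.lower()
        if key.startswith("<virtualhost"):
            cur = {"names": [], "aliases": [], "docroot": None}
            vhosts.append(cur)
        elif key == "</virtualhost>":
            cur = None
        elif key in ("servername", "serveralias") and cur is not None:
            cur["names"] += [a.lower() for a in args]
        elif key == "documentroot" and cur is not None:
            cur["docroot"] = args[0]
        elif key == "alias":
            (global_aliases if cur is None else cur["aliases"]).append(args[0])
    return vhosts, global_aliases

def resolve(conf, host):
    """DocumentRoot serving this Host header; no name match means the first vhost."""
    vhosts, host = parse(conf)[0], host.lower().split(":")[0]
    hit = next((v for v in vhosts if any(fnmatch(host, n) for n in v["names"])), vhosts[0])
    return hit["docroot"]

def exposed_on_default(conf):
    """Alias prefixes reachable through the first (catch-all) vhost."""
    vhosts, global_aliases = parse(conf)
    return global_aliases + vhosts[0]["aliases"]
```
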
#28

BTW - you don't need to quote the entire post back to reply - I can't view the entire lot on this small netbook here and it makes it difficult to reply!

 

It should be in /etc/apache2/mods-enabled in Debian 6, I think. That's where it is on my tower.

Reply
#29

Quote: BTW - you don't need to quote the entire post back to reply - I can't view the entire lot on this small netbook here and it makes it difficult to reply!

 

It should be in /etc/apache2/mods-enabled in Debian 6, I think. That's where it is on my tower.
 

LOL sorry about that mate.

 

I got my website working :) /home/username was not accessible by Apache and the directory for index.php was not set. Now it all works :)

Reply
#30

I did something really not smart but I managed to get it working again. I wanted to reinstall my website so I removed /home/feedmebits/_public_html/feedmebits.nl and then I downloaded Joomla again and tried reinstalling. I got an error saying the page doesn't exist and I don't have permissions. I fixed this by deleting the user feedmebits and recreating the whole path, and it worked. While doing this I realized I made a very stupid/HUGE mistake but I'm glad I realized it. After creating the new user with root I made the new folders in that user's account with root and also downloaded Joomla as root. That way all files were owned by root instead of feedmebits. So I deleted all the folders I made with root under /home/feedmebits and su - user and made the path with the normal user and now I am able to install my website again. Only thing I don't understand is why I get an error if I delete /home/feedmebits/public_html/feedmebits.nl and then create a folder with the same name again and chgrp and chmod -R again?

 

before: drwxr-xr-x 3 root apache 4096 Aug 16 14:12 public_html

after: drwxr-xr-x 3 feedmebits apache 4096 Aug 16 14:12 public_html

Reply

