We noticed that a hacker created a domain and configured DNS to point it to our server's IP address.

We are using apache2.x on Ubuntu. There is a "default" file in apache's /etc/apache2/sites-available directory and it looks like the hacker's domain is using the "default" apache configuration file to display our web content in their domain.

How can we prevent this? Can someone post a "default" apache configuration file as an example?

+11  A: 

Unknown domains that come into Apache over the specified IP and port will be directed to the first virtual host, thus the 000-default file. Your best bet is to make the 000-default host return a 400 or 500 error (or some explicit message saying the domain doesn't belong) and use explicit virtual hosts for each of your sites.

Jeremy Stanley
+8  A: 

+1 Jeremy's answer: make the default (first) virtual host for each IP address you're listening on return something useless like a 404 or page saying nothing but “this is a virtual server”.

Allowing your web server to serve a real web site on a non-matching ‘Host’-name (including a raw IP address) opens you up to two particular attacks:

  1. DNS rebinding attacks, leading to cross-site scripting into your real web site. This affects sites with a user access element (e.g. logging in, cookies, supposedly-private intranet apps).

  2. ‘Search-hijacking’. This affects all sites (even completely static ones). This may be what is happening to you. By pointing their own domain name at your server, they can make search engines see both the real domain name and their fake one as duplicates for the same site. By using SEO techniques they can then try to make their fake address seem like the more popular, at which point the search engines see that as the canonical address for the site, and will start linking to it exclusively instead of yours.

Most web servers are configured by default to serve a web site to all-comers, regardless of what hostname or IP address they're accessing it through. This is a dangerous mistake. For all real live sites, configure it to require that the ‘Host’ header matches your real canonical hostname.

bobince
If this is so dangerous and if those "hackers" are so keen to deliver your content via their domain name, why shouldn't those "hackers" simply set up a reverse proxy?
innaM
A proxy would be on a different IP address, making search engines much less likely to decide it's a dupe. But yes, sometimes they do that, as well.
bobince
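A sketch of the setup both answers above describe, added here as an example and not taken from any poster's configuration. The domain `xyz.com`, the placeholder name `catchall.invalid`, the document root and the log file name are assumptions.

```apache
# /etc/apache2/sites-available/default
# Must be the first virtual host Apache loads for this IP:port
# (Ubuntu enables it as 000-default in sites-enabled).
# On Apache 2.2, name-based virtual hosts also need "NameVirtualHost *:80"
# (Ubuntu puts it in ports.conf); Apache 2.4 no longer needs it.

# Catch-all: any request whose Host header matches no ServerName or
# ServerAlias below lands here, including requests to the raw IP address
# and to foreign domains whose DNS points at this server.
<VirtualHost *:80>
    # Placeholder name (assumption); it only has to differ from every real site.
    ServerName catchall.invalid

    # mod_alias: answer every path with 404 so no real content is served.
    Redirect 404 /

    # Log the Host header separately so foreign names are easy to spot.
    LogFormat "%h %t \"%{Host}i\" \"%r\" %>s" hostlog
    CustomLog /var/log/apache2/unknown-host.log hostlog
</VirtualHost>

# /etc/apache2/sites-available/xyz.com
# The real site: served only when the Host header matches these names.
<VirtualHost *:80>
    ServerName www.xyz.com
    ServerAlias xyz.com *.xyz.com
    # Assumed path for the site's content.
    DocumentRoot /var/www/xyz
</VirtualHost>
```

After enabling both files, `apache2ctl -S` lists the virtual hosts in load order and shows which one is the default for each address and port.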
A: 

Good explanations.

I would like to know if there is a way of preventing or noticing if a site is being proxied (reverse proxy) from another machine. My point is we have an Apache setup hosting a service which will only be allowed to be accessed from certain IP ranges. Is there a way of preventing someone from that IP address from setting up a reverse proxy so they can serve that service all over the world?

Post this as a question. If you have a question, you should ask it as a question. Very few users scan answers for questions.
Welbog
I mean, is there a way that either the server or the service (PHP script) itself would notice the proxying and avoid it?
@carlos: Scroll to the top of the page. On the right-hand side there's the "Ask Question" button. Click that and start a new question instead of posting it as an answer where no one will see it.
Bill the Lizard
A: 

Hey everyone. I have the exact same issue as the one here. For example, www.abc.com is pointing to my server and displaying my content. I only want my domain and subdomains (e.g. *.xyz.com) displaying my content. Thus, I would like to make Apache 2 -> sites-available -> default redirect to one of the explicitly defined virtual hosts, like www.xyz.com. Has anyone done this? If so, how?

Archie1986