
Re: Apache suddenly downloads PHP instead of executing it ... but only on one virtual site?



On 10/29/19 2:19 AM, Xavier wrote:
> Did you take a look at your logs (apache2 logs and php logs)? Could you
> share them with us?

Good point. I plead "I was really tired when I posted."

Of course, I don't know what to look for. I just tried to view the tt-rss page and only the access.log file updated, so here are the last 20 lines of that:

50.63.185.234 - - [29/Oct/2019:08:37:13 +0000] "GET //print.cgi HTTP/1.1" 404 367 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""
66.249.65.213 - - [29/Oct/2019:08:51:39 +0000] "GET /robots.txt HTTP/1.1" 404 404 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.211 - - [29/Oct/2019:08:51:39 +0000] "GET /manual/ko/mod/mod_socache_shmcb.html HTTP/1.1" 200 2631 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
109.104.240.33 - - [29/Oct/2019:09:14:37 +0000] "GET / HTTP/1.1" 200 10947 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
178.93.26.5 - - [29/Oct/2019:09:33:09 +0000] "GET / HTTP/1.1" 200 10947 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
176.214.60.106 - - [29/Oct/2019:10:04:58 +0000] "GET / HTTP/1.0" 200 10966 "-" "-"
66.249.65.211 - - [29/Oct/2019:10:05:31 +0000] "GET /manual/en/mod/mod_filter.html HTTP/1.1" 200 8336 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
77.120.54.54 - - [29/Oct/2019:10:09:26 +0000] "GET / HTTP/1.1" 200 3315 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
77.120.54.54 - - [29/Oct/2019:10:09:27 +0000] "GET /HNAP1/ HTTP/1.1" 404 348 "-" "Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
46.188.46.142 - - [29/Oct/2019:10:35:12 +0000] "GET / HTTP/1.1" 200 10947 "-" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
151.80.36.188 - - [29/Oct/2019:11:07:20 +0000] "GET / HTTP/1.0" 200 10966 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"
66.249.65.213 - - [29/Oct/2019:11:18:36 +0000] "GET /manual/en/programs/httpd.html HTTP/1.1" 200 4155 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
221.231.126.2 - - [29/Oct/2019:12:04:26 +0000] "GET / HTTP/1.1" 200 11003 "http://65.99.217.144:80"; "Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)"
66.249.65.211 - - [29/Oct/2019:12:34:45 +0000] "GET /manual/es/mod/mod_socache_shmcb.html HTTP/1.1" 200 2631 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
213.6.199.106 - - [29/Oct/2019:13:14:16 +0000] "GET / HTTP/1.1" 200 10947 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
93.170.112.67 - - [29/Oct/2019:13:25:06 +0000] "GET / HTTP/1.1" 200 10947 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36"
109.116.119.16 - - [29/Oct/2019:13:45:28 +0000] "POST /editBlackAndWhiteList HTTP/1.1" 404 367 "-" "ApiTool"
193.224.40.254 - - [29/Oct/2019:13:51:06 +0000] "-" 408 0 "-" "-"
66.249.65.211 - - [29/Oct/2019:14:07:45 +0000] "GET /manual/es/mod/mod_lbmethod_bytraffic.html HTTP/1.1" 200 3206 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
66.249.65.209 - - [29/Oct/2019:15:21:55 +0000] "GET /manual/en/mod/mod_version.html HTTP/1.1" 200 3612 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"


That last line seems to be the only relevant one, based on times. The browser, oddly shown to be for Android 6.0.1, is really Waterfox for Linux. (?) Just for comparison I tried the same thing from Chromium under Debian Buster.

66.249.65.209 - - [29/Oct/2019:15:21:55 +0000] "GET /manual/en/mod/mod_version.html HTTP/1.1" 200 3612 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

Still no idea why it is downloading rather than interpreting the PHP.

Thank you, Xavier.

--
Carl Fink nitpicking@nitpicking.com
Read my blog at blog.nitpicking.com. Reviews! Observations!
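
An added example, not part of the original post: a small parser for the Apache combined-format lines shown above that tags each entry by User-Agent and selects the requests under a given path prefix, which helps separate crawler and scanner traffic from one's own test request. The function and tag names are this example's own; the four sample lines are copied from the log in the post.

```python
import re

# Apache "combined" format:
#   host ident user [time] "request" status bytes "referer" "user-agent"
# Quoted fields may contain backslash-escaped quotes, so allow \. inside them.
QUOTED = r'"((?:[^"\\]|\\.)*)"'
COMBINED = re.compile(
    r'(\S+) \S+ \S+ \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\S+) '
    + QUOTED + ' ' + QUOTED
)
FIELDS = ("host", "time", "request", "status", "size", "referer", "agent")

# Tag names are hypothetical labels; the patterns are substrings of the
# User-Agent values that appear in the log above. First match wins.
AGENT_TAGS = [
    ("shell-injection-probe", re.compile(r"\(\)\s*\{")),
    ("scanner", re.compile(r"masscan", re.I)),
    ("crawler", re.compile(r"Googlebot", re.I)),
]

def parse(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = COMBINED.match(line)
    if not m:
        return None
    entry = dict(zip(FIELDS, m.groups()))
    parts = entry["request"].split()
    # A timed-out connection is logged with "-" as the request: no path.
    entry["path"] = parts[1] if len(parts) >= 2 else ""
    entry["tag"] = next(
        (tag for tag, rx in AGENT_TAGS if rx.search(entry["agent"])), "other")
    return entry

def requests_under(lines, prefix):
    """Entries whose request path starts with prefix (e.g. the application's URL path)."""
    return [e for e in map(parse, lines) if e and e["path"].startswith(prefix)]

# Sample lines copied from the access.log excerpt in the post.
SAMPLE = [
    r'50.63.185.234 - - [29/Oct/2019:08:37:13 +0000] "GET //print.cgi HTTP/1.1" 404 367 "-" "() { :;};echo; /bin/bash -c \" echo 2014 | md5sum\""',
    r'151.80.36.188 - - [29/Oct/2019:11:07:20 +0000] "GET / HTTP/1.0" 200 10966 "-" "masscan/1.0 (https://github.com/robertdavidgraham/masscan)"',
    r'193.224.40.254 - - [29/Oct/2019:13:51:06 +0000] "-" 408 0 "-" "-"',
    r'66.249.65.209 - - [29/Oct/2019:15:21:55 +0000] "GET /manual/en/mod/mod_version.html HTTP/1.1" 200 3612 "-" "Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"',
]

if __name__ == "__main__":
    for e in map(parse, SAMPLE):
        print(e["time"], e["host"], e["status"], e["tag"], e["path"] or "-")
```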

