In my Apache error.log, I am getting an error like the following:
Hostname www.example.com provided via SNI and hostname hk.dv.nextmedia.com provided via HTTP are different
I have no idea what hk.dv.nextmedia.com is. It is not related to my website or server and I have never entered that domain anywhere in my Apache or server configuration.
Can anyone shed some light on this error? Should I be worried about anything malicious that may have happened on my server?
This is a client-side error or someone probing for vulnerabilities.
"a client indicates which hostname it is attempting to connect to at the start of the handshaking process" https://en.wikipedia.org/wiki/Server_Name_Indication
Similar thing happened to me on one server, and this was the reason. So, check your ssl_access_log and you may find something like
141.212.122.224 - - [16/Nov/2016:03:42:45 +0100] "GET /UlisseREST/api/actions/RequestActionsToExecute HTTP/1.1" 400 226
while in ssl_error_log you have something like this:
[Wed Nov 16 03:42:45.737309 2016] [ssl:error] [pid 3666] AH02032: Hostname **** provided via SNI.....
I know I'm late to the party on this question, but someone might find it interesting. It's not always a TLS Virtual Host Confusion attack, but it might be, so don't ignore it...
I hope I'm not speaking too soon. I believe I have cleared this up, however. I have not received this message in five days now, and five days ago I edited my /etc/hosts file, adding a line with my server IP and domain name.
i.e.
###.###.###.### mydomain.com
Previously I had only the lines:
127.0.1.1 hostname hostname
127.0.0.1 localhost
Again, hoping I'm not jumping the gun, but I believe this may have resolved the issue in my case.
