I am trying to trap exploit hunters who make HTTP requests on IP address only, with requests for the likes of thisdoesnotexistahaha.php, etc.

I always thought that the first listed Apache virtual host would pick up all the waifs and strays, and when I was using a straight redirect, this seemed to be the case.

However, I am now trying to redirect to a bit of Perl that will read in the requested URI (as query string), do PTR and WHOIS lookups, record in a database, phone the Pentagon, etc. (See: http://www.smiffysplace.com/files/mwahahahaha)

It isn't working, and I can't figure out why. When I try to make an illegal access, I just get:

Forbidden

You don't have permission to access /thisdoesnotexistahaha.php on this server.

...which would tend to indicate that the re-write simply isn't happening.

Relevant parts of Apache config:

NameVirtualHost *

#
# Catch and log stuff that shouldn't happen.
#
<VirtualHost *>
        ServerName lostsouls.xxxxxxx.xxxxxxx
        ServerAdmin admin@xxxxxxx.xxxxxxx
        ScriptAlias /lostsouls/ "/usr/www/lostsouls/"
        RewriteEngine On
        RewriteRule . /lostsouls/mwahahahaha$1 [L]
</VirtualHost>

<Directory /usr/www/lostsouls>
        Order deny,allow
        Allow from all
</Directory>

I'm not sure if I understand the problem exactly, but you could try using a custom 404 document. That way, if a file isn't found the request gets passed to your custom 404--which is a cgi script. I believe your CGI script can then determine if there was a hostname header and if not, log stuff and return a page telling people they might need to upgrade their browser. If there was--and it's a valid hostname for your host--give the user a sane 404.

Just a thought.

--James