How to control destination of incorrect/non-existant subdomains?

I have a domain (client2.org) that has a variety of sites using subdomains. For example client2.org, payments.client2.org, eco.client2.org, etc. In DNS (at GoDaddy) we have these wildcarded, so for example donation1.payments.client2.org will go to the correct IP address without having to propagate DNS changes.

Recently we have become aware of bots (probably) accessing their main site client2.org by using nonexistent subdomains consisting of “foreign” domains prepended to our wildcarded subdomains, for example somesite.compayments.client2.org. These requests land on the client2.org main site, which is a CMS that caches generated pages, and a few links on those pages get cached pointing to somesite.compayments.client2.org. Normal people browse the site, click those cached links, and end up logged out or trying to access the SSL domain that has no cert installed.

Why are these requests going to client2.org? I would think they would end up at the “It Works” page.

How do I set up the server so that these requests actually go to the It Works page?

Thanks

You have configured the DNS for your domain at GoDaddy to point all subdimains to an IP address. In Virtualmin, the default domain will be served when the IP address of the Virtualmin server is entered in a browser.

If you want a domain to be accessed only by its given domain name then don’t make that domain the default domain in Virtualmin. In your particular case, @robbrandt , if you create a domain, say, invalid.yoirdomain.tld and make it your default domain (via Virtualmin → Server Configuration → Website Options) then all bots that use fictitious subdomain names will see the autogenerated Virtualmin under construction page while those who enter valid domain names will see the web content for the corresponding domain name.

I think that should solve your problem with the bots.