I don't know what to tell you. On my system I have only:
Code:
ServerTokens Prod
ServerSignature Off
In httpd.conf, and all I get is:
Server: Apache
I would suggest finding out which conf file is the actual one being used, and double check that you don't have the directives written in there twice, cancelling each other out...
As far as what each directive does, ServerTokens decides how much info is in the header, and ServerSignature decides how much info is in server-generated pages such as 404 pages etc...
To turn off php reporting in the header edit php.ini and look for:
Code:
; Decides whether PHP may expose the fact that it is installed on the server
; (e.g. by adding its signature to the Web server header). It is no security
; threat in any way, but it makes it possible to determine whether you use PHP
; on your server or not.
expose_php = Off