‘Cowards die many times before their deaths, the valiant taste death but once’ – Julius Caesar
During my early recon stages, while I am determining whether or not a site is a ‘valid target’ as opposed to just a benign Muslim interest site, I have begun to notice some strange behavior. It’s not a new tactic, but it’s spreading within their circles. Basically the website administrators, one way or another, are trying to make it appear as though their site is either already down, or is of no interest to people like me.
Essentially, they are ‘playing dead’.
Traditionally, we hit a website root by throwing ‘www.example.com’ into the URL bar or hit it via a link elsewhere. Most servers are configured to serve what is known as the ‘default page’ or ‘landing page’, which in most cases is one of the following: index.php, index.htm, index.aspx, etc. But our wily jihadist webmasters are now trying (unsuccessfully) to convince unwitting passers-by that they pose no threat. They are using a variety and sometimes a combination of tricks, not limited to:
- Deleting everything from the root directory and switching off Directory Indexing with the hidden .htaccess config line ‘Options -Indexes’. This will then throw a 403 Forbidden error to a casual user who does not know the subdirectory where the site actually resides.
- Altering the robots.txt file in the root to include the ‘Disallow: /’ option, which will prevent search spiders and bots such as the Google indexer from indexing the site, so its contents do not appear in Google searches.
- Putting the actual site content in a sub-directory known only to its users. Most of the time this sub-directory is named ‘/vb’, which everybody who’s anybody already knows about, but they are starting to use obscure or random directory naming conventions.
The site above is using the very simple method of deleting all files from the root directory and disabling directory indexing; they have no ‘robots.txt’ on the server. The result is the 403 error you see. Many people would skip past this site during a research or recon operation. But if you simply add ‘/vb’ to the URL (this is the vBulletin directory) you are presented with the actual site as per below:
Another slightly different example can be found at www.iraq-moqawama.com. These brainiacs actually have a landing page, but it has literally no links, no navigation, just their logo and mantra. Because that’s not at all suspicious. Here’s a grab:
With this one they again have no robots.txt, but Google will still skip pretty much every file on the server because the root page seen above has no links, so a crawler can’t…. well… errr crawl. Their default page is set as index.html, which brings you to the above page, but index.php is switched off as a landing page in an attempt to fool a passer-by. However, if you manually add ‘/index.php?type=c_cat&acid=20’ to the URL you can get to the actual site as per the grab here:
Putting their site forum content inside its own directory is nothing new. Traditionally, when you hit the landing page of a jihadi site, it redirects you straight into the subdirectory containing the forum content, transparently to the visitor. But now, more and more, this is being switched off and they are taking measures to try to fool visitors or obfuscate the actual site content and/or location.
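The robots.txt and no-links tricks described above change what a crawler can discover, not what the server will serve. The sketch below is an added example, not code from the original post: it runs a robots.txt-compliant crawler over two constructed in-memory sites (the `HIDDEN` and `LINKED` maps, the `examplebot` agent and the function names are all assumptions made for illustration).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
from urllib.robotparser import RobotFileParser

# Constructed in-memory sites (path -> HTML); nothing is fetched from a network.
HIDDEN = {"/": "<img src='logo.png'>",             # landing page with no links
          "/vb/": "<a href='/vb/thread1'>t</a>",  # real content, unlinked from root
          "/vb/thread1": "<p>post</p>"}
LINKED = {**HIDDEN, "/": "<a href='/vb/'>forum</a>"}  # same site, root links to forum

class Links(HTMLParser):
    """Collects href values from <a> tags."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def crawl(site, robots_txt="", agent="examplebot"):
    """Return the paths a robots.txt-compliant crawler discovers starting at '/'."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    seen, queue = set(), ["/"]
    while queue:
        path = queue.pop(0)
        if path in seen or path not in site or not rp.can_fetch(agent, path):
            continue
        seen.add(path)
        parser = Links()
        parser.feed(site[path])
        queue += [urlparse(urljoin(path, h)).path for h in parser.hrefs]
    return seen

def served(site, path):
    """A direct request: robots.txt and missing links play no part in the answer."""
    return path in site

if __name__ == "__main__":
    print("linked root :", sorted(crawl(LINKED)))
    print("no links    :", sorted(crawl(HIDDEN)))
    print("Disallow: / :", sorted(crawl(LINKED, "User-agent: *\nDisallow: /")))
    print("direct /vb/ :", served(HIDDEN, "/vb/"))
```

For anyone running a site, the takeaway is that none of these measures is access control: content that needs protecting needs authentication on the server, not an unlinked path.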
We must be doing something right huh?