================================================================
IRAN & HEZBOLLAH PROXY NETWORK — FINDINGS REPORT
Campaign: Iran Huntr Scan + Manual Recon + Pivot
Date: 2026-02-25
Targets Scanned: 670 domains (609 prior + 61 Hezbollah)
Prior Findings (Jan 2026): 23 findings, 9 critical
New Findings This Session: 5
================================================================

================================================================
SESSION OVERVIEW
================================================================

This session built on extensive prior work (Jan 2026) that mapped 500+
subdomains, 75+ IPs, and 6 government ASNs across Iranian government and
Hezbollah infrastructure. New work focused on:

- Re-scanning all 670 targets with Huntr (0 new scanner findings)
- Manual probing of Hezbollah WordPress sites
- Manual probing of Iranian government, university and media sites
- Data extraction from accessible endpoints

Key constraint: most Iranian .ir domains sit behind the ArvanCloud CDN/WAF,
which answers every path with the same branded HTML page (a "soft 200"), so
any scanner that treats HTTP 200 as a hit reports only false positives on
them. farsnews.ir fails the TLS handshake from the clearnet and is to be
retried over Tor. moqawama.org.lb times out (Moscow hosting).
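The soft-200 constraint described above is what defeats status-code-driven scanners. The block below is an added example, not part of the original report or of any tool it names: it fetches a few random paths that cannot exist, fingerprints those responses as the host's "nothing here" baseline, and only counts a probe as a hit when it differs from that baseline. The two fetchers (`arvan_like`, `origin_like`) and every response they return are constructed stand-ins for a catch-all front-end and an ordinary origin; no real host is contacted.

```python
"""
Soft-200 / catch-all detection: judge each probe path against the
response for random, non-existent paths instead of trusting the status
code.  Added example; both fetchers below are constructed stand-ins.
"""
import hashlib
import re
import secrets
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class Response:
    status: int
    body: str


Fetcher = Callable[[str], Response]


def fingerprint(body: str) -> str:
    """Hash the body after masking volatile fields (request ids, timestamps,
    whitespace) so identical catch-all pages produce the same fingerprint."""
    norm = re.sub(r"\b[0-9a-fA-F]{16,}\b", "ID", body)
    norm = re.sub(r"\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}:\d{2}", "TS", norm)
    norm = re.sub(r"\s+", " ", norm).strip()
    return hashlib.sha256(norm.encode()).hexdigest()


def random_paths(n: int = 3) -> list[str]:
    """Paths that cannot legitimately exist; their responses define the baseline."""
    return [f"/{secrets.token_hex(8)}.html" for _ in range(n)]


def baseline(fetch: Fetcher) -> tuple[set[int], set[str], float]:
    """Status codes, fingerprints and mean length of the 'not found' responses."""
    rs = [fetch(p) for p in random_paths()]
    return ({r.status for r in rs},
            {fingerprint(r.body) for r in rs},
            sum(len(r.body) for r in rs) / len(rs))


def is_catch_all(fetch: Fetcher) -> bool:
    """A host is catch-all when non-existent paths all return 200 with one fingerprint."""
    statuses, fps, _ = baseline(fetch)
    return statuses == {200} and len(fps) == 1


def classify(fetch: Fetcher, paths: list[str]) -> dict[str, str]:
    """Verdict per probe path: 'catch-all', 'absent', or 'hit (<status>)'."""
    statuses, fps, avg_len = baseline(fetch)
    verdicts = {}
    for p in paths:
        r = fetch(p)
        same_fp = fingerprint(r.body) in fps
        near_len = abs(len(r.body) - avg_len) <= 0.02 * avg_len
        if r.status == 200 and statuses == {200} and (same_fp or near_len):
            verdicts[p] = "catch-all"       # same page the WAF gives for garbage paths
        elif r.status == 404:
            verdicts[p] = "absent"
        else:
            verdicts[p] = f"hit ({r.status})"  # differs from baseline: worth a look
    return verdicts


# --- constructed stand-ins (not real traffic) ------------------------------
BRANDED = ("<html><head><title>Edge</title></head><body>"
           "<p>Request blocked or not found.</p><p>Request ID: {rid}</p></body></html>")


def arvan_like(path: str) -> Response:
    """Catch-all: any path gets the same branded page with a fresh request id."""
    return Response(200, BRANDED.format(rid=secrets.token_hex(16)))


ORIGIN = {
    "/robots.txt": Response(200, "User-agent: *\nDisallow: /wp-admin/\n"),
    "/.git/HEAD": Response(403, "<h1>403 Forbidden</h1>"),
}


def origin_like(path: str) -> Response:
    """Ordinary origin: known paths answer, everything else is a real 404."""
    return ORIGIN.get(path, Response(404, "<h1>404 Not Found</h1>"))


PROBES = ["/.git/HEAD", "/.env", "/robots.txt", "/wp-json/"]

if __name__ == "__main__":
    for name, fetch in (("catch-all host", arvan_like), ("normal host", origin_like)):
        print(name, "catch-all:", is_catch_all(fetch), classify(fetch, PROBES))
```

Against a live host, `fetch` would wrap an HTTP client (for example `requests.get(url, allow_redirects=False)` mapped into `Response(resp.status_code, resp.text)`); the baseline should be taken per host and per scheme, since a CDN may front only one of them.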
================================================================
NEW FINDING 01: almanar.com.lb — WordPress Debug Log Exposed
================================================================
Severity: HIGH
Status: STILL LIVE
Domain: almanar.com.lb (Al-Manar TV — Hezbollah satellite TV)
URL: https://almanar.com.lb/wp-content/debug.log
Dumped: 100 KB (DUMP_2_25/almanar/debug.log)

Intelligence Extracted:
- Server path: /home/manarnet/public_html/
- Hosting user: manarnet
- Custom theme: ar-manar (with framework)
- Theme files exposed:
    wp-content/themes/ar-manar/framework/functions/manar-functions.php
    wp-content/themes/ar-manar/framework/functions/theme-functions.php
    wp-content/themes/ar-manar/single.php
- Security plugin: hide_my_wp (active; meant to hide that the site runs WordPress)
- Debug plugin: debug-bar (left active in production)
- WordPress version: 6.7.0 or later (inferred from deprecation notices)
- MySQL connection failure: Oct 6, 2025 09:25:13 UTC
    mysqli_real_connect(): (HY000/2002): No such file or directory
    (error 2002 with "No such file or directory" means the MySQL Unix socket
    was missing, i.e. the database server was down or the socket path was wrong)
- Error timeline: Apr 2025 to Oct 2025 (months of uncleared logs)
- PHP fatal errors: TypeError in manar-functions.php line 14
- PHP version: 8.x (inferred from typed-parameter TypeError messages; note
  that TypeErrors on scalar type declarations exist since PHP 7.0, so this
  is a weak indicator on its own)

Why It Matters:
- Full server path disclosure for Hezbollah's main TV station
- Plugin list reveals attack surface (hide_my_wp has known bypasses)
- debug-bar in production indicates developer oversight
- MySQL socket failure suggests infrastructure instability
- Theme structure reveals custom development patterns
- The log is world-readable because WP_DEBUG_LOG writes to wp-content/debug.log
  by default; the fix on the defender's side is to disable it in production
  or point WP_DEBUG_LOG at a path outside the web root

================================================================
NEW FINDING 02: english.alahednews.news — .git Directory Likely Present
================================================================
Severity: HIGH
Status: PROTECTED (403); the directory appears to exist but access is denied
Domain: english.alahednews.news (Al-Ahed News — Hezbollah newspaper)

Confirmed 403 on ALL git paths:
- .git/HEAD → 403
- .git/config → 403
- .git/COMMIT_EDITMSG → 403
- .git/description → 403
- .git/info/refs → 403
- .git/packed-refs → 403
- .git/logs/HEAD → 403

Additional 403s:
- .htaccess → 403
- composer.json → 403
- .gitignore → 403
- wp-content/debug.log → 403

Non-existent paths return 404 (wp-json, wp-login, etc.)

The 403/404 split suggests the .git directory exists and has been
access-restricted rather than removed. Caveat: a blanket deny rule (for
example an Apache RedirectMatch or FilesMatch covering dotfiles,
composer.json and debug.log) returns 403 whether or not the file is
present, and .htaccess itself answers 403 by default on Apache, so these
403s are consistent with the repository being there but do not prove it.
A quick discriminator is to request a name that cannot exist under the
denied prefix (e.g. a random filename inside .git/): if that also returns
403, the rule is pattern-based and says nothing about what is on disk.

Sitemap reveals internal domain: english.alahedlb.inf* (truncated; possibly
an internal development hostname)

Why It Matters:
- Git repository deployed to production server (if present)
- Source code recoverable if a 403 bypass is found
- .htaccess protection can sometimes be bypassed via path traversal or
  server misconfiguration
- composer.json answering 403 rather than 404 suggests PHP dependency
  management on the box

================================================================
NEW FINDING 03: Hezbollah Network robots.txt Intelligence
================================================================
Severity: LOW
Status: LIVE

english.almanar.com.lb/robots.txt:
    User-agent: *
    Disallow: /wp-admin/
    Allow: /wp-admin/admin-ajax.php
    Sitemap: https://english.almanar.com.lb/wp-sitemap.xml
→ Confirms WordPress. This is the stock robots.txt WordPress generates;
  admin-ajax.php is reachable unauthenticated by design, so the Allow line
  is not a misconfiguration in itself, only a reminder that the endpoint
  is exposed.

english.alahednews.news/robots.txt:
    User-agent: *
    Disallow:
    Disallow: /cgi-bin/
    Sitemap: https://english.alahednews.com.lb/sitemap.xml
→ Points to the .com.lb domain (the main site)

alnour.com.lb/robots.txt:
    User-agent: *
    Disallow:
    Sitemap: https://alnour.com.lb/sitemaps/images.xml
    Sitemap: https://alnour.com.lb/sitemaps/vid*
→ Al-Nour Radio has image and video sitemaps

================================================================
NEW FINDING 04: Iranian News Sites — Admin Path Discovery
================================================================
Severity: LOW
Status: LIVE

ilna.ir (Iranian Labor News Agency) robots.txt:
    User-agent: *
    Disallow: /fa/admin/*
    Disallow: /en/admin/*
    Disallow: /ar/admin/*
→ Multi-language admin paths disclosed (Farsi, English, Arabic). A Disallow
  line shows the operator does not want the path indexed, not that it is
  unauthenticated.

icana.ir (Parliament News) robots.txt:
    Disallow: /print
    Disallow: /search
    Disallow: /sncaptcha.jpg
→ Custom captcha system (sncaptcha)

khabaronline.ir robots.txt:
    Disallow: /print/
    Disallow: /link/
    Disallow: /search

mashreghnews.ir robots.txt:
    Disallow: /search

================================================================
NEW FINDING 05: ArvanCloud WAF — Universal Protection Pattern
================================================================
Severity: INFO
Status: CONFIRMED

All major Iranian government and news sites return identical HTML catch-all
pages for ANY path, including:
    .git/HEAD, .env, robots.txt, wp-json/, sitemap.xml

Affected domains (confirmed soft-200 catch-all):
- president.ir
- dolat.ir
- irna.ir
- isna.ir
- ido.ir
- ut.ac.ir (University of Tehran)

This is ArvanCloud CDN (AS205585) behavior: it intercepts all requests and
returns a branded HTML page. Real content is only served for known valid
paths.

Implication: automated scanners that treat an HTTP 200 as a hit (Huntr
included) will report false positives on every one of these domains.
Compare each probe against the response for a random non-existent path
before counting it, and fall back to manual recon with known-good paths or
a different network vantage point (the plan is to retry over Tor).

================================================================
PRIOR FINDINGS SUMMARY (January 2026)
================================================================
These were documented in prior sessions and remain valid:

CRITICAL:
1. IRNA.IR — Private IP leak (kateb.irna.ir → 10.30.41.85)
2. MFA.GOV.IR — VPN endpoint (r1.vpn.minister.local.mfa.gov.ir)
3. KHAMENEI.IR — Admin portal in CT logs (admin.english.khamenei.ir)
4. KHAMENEI.LINK — Hidden API domain (formx.khamenei.link)
5. FARSNEWS.IR — APK exposed (dl.farsnews.ir/app.apk — needs Tor)
6. MFA.GOV.IR — 182 embassy subdomains mapped
7. Hezbollah Russian/Czech hosting strategy documented
8. EXIF metadata in Hezbollah graphics (PS7/CS6 timestamps)
9. WhatsApp filename patterns (editorial OPSEC failure)

HIGH:
10. FARSNEWS.IR — API with mobile app architecture exposed
11. TASNIMNEWS.COM — Self-hosted Matomo analytics
12. Government ASN ownership (6 ASNs identified)
13. Google Analytics on anti-Western regime sites (irony)
14. Microsoft Clarity recording sessions on Hezbollah media
15. FARSNEWS.IR — DevOps tools in DNS (jira, confluence, git, svn)
16. KHAMENEI.IR — jQuery 1.6.2 (2011, known vulns)

INTELLIGENCE:
17. 500+ subdomains discovered
18. 75+ unique IPs mapped
19. 4 government-dedicated ASNs
20. 15+ tracking IDs collected (GA, GTM, Clarity)
21. PHP session hashes collected (moqawama.org.lb)
22. Hezbollah financial intelligence ($1B+ annual revenue)
23. Domain seizure analysis (13 seized, .lb workaround active)

================================================================
DATA INVENTORY
================================================================
DUMP_2_25/
  almanar/
    debug.log                            100 KB   WordPress debug log
  farsnews/                                       (APK download failed; needs Tor)
  huntr-scan.jsonl                       262 B    Scanner output (0 findings)
  khamenei-farsi-json-topticker.json     1.6 KB   API endpoint data

Prior Data (from Jan 2026):
  resources/intel/                   Multiple intelligence reports
  resources/khamenei/                HTML, JS, OSINT report
  resources/hezbollah/               90+ HTML files, 20 images
  Iran Pwned/CRITICAL_FINDINGS.txt   Full critical findings doc
  KEY_FINDINGS.txt                   Actionable intelligence summary
  iran_osint.db                      SQLite database
  hash_database.db                   21 hash records

================================================================
BLOCKED / INACCESSIBLE
================================================================
farsnews.ir — TLS handshake fails (UNEXPECTED_EOF_WHILE_READING)
  The peer closes the connection mid-handshake, which is consistent with
  source-IP filtering rather than a broken certificate; needs Tor with a
  specific exit node to access
moqawama.org.lb — Connection timeout
  Moscow hosting (Okay-Telecom), very slow from clearnet
alahednews.com.lb — Connection timeout
  Same hosting infrastructure
All .ir government domains — ArvanCloud WAF catch-all
  Need known valid paths or Tor to bypass
farsnews APK — TLS failure, same as the main site
  dl.farsnews.ir uses the same problematic TLS config

================================================================
RECOMMENDATIONS FOR NEXT SESSION
================================================================
1. Use Tor (CT 105/106) to access:
   - farsnews.ir API and APK download
   - moqawama.org.lb full enumeration
   - alahednews.com.lb deep probe
   - ArvanCloud-fronted .ir domains, to test whether the catch-all depends
     on the source network
2. Try .git bypass on english.alahednews.news:
   - First confirm the rule is not pattern-based (a random name under
     .git/ should 404, not 403, if the 403s reflect real files)
   - Path traversal variants
   - Case sensitivity tricks
   - Alternate git object paths
3. Enumerate almanar.com.lb deeper:
   - WP user enumeration via ?author=N
   - Plugin version detection
   - hide_my_wp bypass techniques
   - Upload directory listing
4. Check remaining Hezbollah targets:
   - jihadbinaa.org.lb (construction arm)
   - alemdad.net (charity)
   - Other .lb domains from target list
5. Iranian universities (.ac.ir):
   - Often have weaker security than gov
   - Try subdomain enumeration via crt.sh
   - Check for exposed research portals

================================================================
STATS
================================================================
Total domains in target lists:           670
Domains scanned (Huntr):                 670
New Huntr findings:                      0
Manual probe findings:                   5
Prior findings (Jan 2026):               23
Total cumulative findings:               28
Debug logs dumped:                       1 (almanar, 100 KB)
.git directories (403, likely present):  1 (alahednews)
Robots.txt intelligence:                 7 domains (3 Hezbollah, 4 Iranian)
ArvanCloud WAF confirmed:                6+ domains
Data dumped this session:                ~102 KB
Total data (all sessions):               ~500 KB + prior intel
Domains blocked by TLS/timeout:          4

================================================================
Generated 2026-02-25
All data recovered from publicly exposed files and unauthenticated endpoints.
================================================================
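Finding 01 pulls server path, hosting user, theme and plugin names, error timeline, database failures and version hints out of a 100 KB debug.log by hand. The block below is an added example, not code from the report, that extracts the same facts from any WordPress WP_DEBUG_LOG file (one `[dd-Mon-YYYY HH:MM:SS UTC] PHP <level>:  <message> in <file> on line N` entry per line, with unprefixed stack-trace lines in between). The sample log, the `siteuser` account, the `site-theme` theme and the `example-plugin` plugin are constructed placeholders, not data from the target; the PHP 8 and WordPress version inferences are heuristics and labelled as such in the code.

```python
"""
WordPress debug.log parser.  Added example with a constructed sample log;
names in the sample are hypothetical.  Heuristics: a deprecation notice
"deprecated since version X" gives a lower bound on the WordPress version,
and the TypeError wording "Argument #N ($name) must be of type ..." is the
PHP 8 form of the message.
"""
import json
import re
from collections import Counter
from datetime import datetime

ENTRY_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2} UTC)\] "
    r"PHP (?P<level>Deprecated|Notice|Warning|Fatal error|Parse error):\s+(?P<msg>.*)$"
)
PATH_RE = re.compile(r"(/[\w./-]+\.php)")
THEME_RE = re.compile(r"wp-content/themes/([^/]+)")
PLUGIN_RE = re.compile(r"wp-content/plugins/([^/]+)")
WP_DEPR_RE = re.compile(r"deprecated since version (\d+(?:\.\d+)*)")
DOCROOT_MARKERS = ("/wp-includes/", "/wp-content/", "/wp-admin/")

# Constructed sample; paths and names are placeholders, not target data.
SAMPLE_LOG = """\
[14-Apr-2025 10:02:11 UTC] PHP Deprecated:  Function get_page_by_title is deprecated since version 6.2.0! Use WP_Query instead. in /home/siteuser/public_html/wp-includes/functions.php on line 6114
[14-Apr-2025 10:02:11 UTC] PHP Warning:  Undefined array key "thumb" in /home/siteuser/public_html/wp-content/themes/site-theme/framework/functions/theme-functions.php on line 88
[03-Jul-2025 17:45:02 UTC] PHP Notice:  Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the debug-bar domain was triggered too early. in /home/siteuser/public_html/wp-includes/functions.php on line 6121
[06-Oct-2025 09:25:13 UTC] PHP Warning:  mysqli_real_connect(): (HY000/2002): No such file or directory in /home/siteuser/public_html/wp-includes/class-wpdb.php on line 2056
[06-Oct-2025 09:26:40 UTC] PHP Fatal error:  Uncaught TypeError: count(): Argument #1 ($value) must be of type Countable|array, null given in /home/siteuser/public_html/wp-content/themes/site-theme/framework/functions/theme-functions.php:14
Stack trace:
#0 /home/siteuser/public_html/wp-content/plugins/example-plugin/init.php(20): render_widget(NULL)
#1 {main}
  thrown in /home/siteuser/public_html/wp-content/themes/site-theme/framework/functions/theme-functions.php on line 14
[06-Oct-2025 11:02:30 UTC] PHP Warning:  Undefined variable $opts in /home/siteuser/public_html/wp-content/plugins/debug-bar/debug-bar.php on line 55
"""


def parse_debug_log(text: str) -> dict:
    """Extract hosting layout, components, timeline and version hints from a debug.log."""
    levels, roots = Counter(), Counter()
    themes, plugins, paths = set(), set(), set()
    timestamps, db_failures, wp_min, php_hint = [], 0, None, None

    for line in text.splitlines():
        # Paths appear in entries and in stack-trace lines alike; scan every line.
        for p in PATH_RE.findall(line):
            paths.add(p)
            for marker in DOCROOT_MARKERS:
                if marker in p:
                    roots[p.split(marker, 1)[0] + "/"] += 1
                    break
        themes.update(THEME_RE.findall(line))
        plugins.update(PLUGIN_RE.findall(line))

        m = ENTRY_RE.match(line)
        if not m:
            continue  # stack-trace continuation lines carry no timestamp or level
        levels[m["level"]] += 1
        timestamps.append(datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S %Z"))
        msg = m["msg"]
        if "mysqli_real_connect()" in msg or "HY000/2002" in msg:
            db_failures += 1  # socket/connection failure: DB down or wrong socket path
        d = WP_DEPR_RE.search(msg)
        if d:
            ver = tuple(int(x) for x in d.group(1).split("."))
            wp_min = max(wp_min, ver) if wp_min else ver
        if "Argument #" in msg and "must be of type" in msg:
            php_hint = "8.0+"  # heuristic: PHP 8 TypeError wording

    root = roots.most_common(1)[0][0] if roots else None
    user = root.split("/")[2] if root and root.startswith("/home/") else None
    timestamps.sort()
    return {
        "docroot": root,
        "hosting_user": user,
        "themes": sorted(themes),
        "plugins": sorted(plugins),
        "theme_files": sorted(p[len(root):] for p in paths
                              if root and "/wp-content/themes/" in p),
        "levels": dict(levels),
        "db_failures": db_failures,
        "first": timestamps[0].isoformat() if timestamps else None,
        "last": timestamps[-1].isoformat() if timestamps else None,
        "span_days": (timestamps[-1] - timestamps[0]).days if timestamps else 0,
        "wp_min_version": ".".join(map(str, wp_min)) if wp_min else None,
        "php_hint": php_hint,
    }


if __name__ == "__main__":
    print(json.dumps(parse_debug_log(SAMPLE_LOG), indent=2))
```

Run it on a dumped log with `parse_debug_log(open("debug.log").read())`; the hosting-user field only fires for cPanel-style `/home/<user>/public_html/` layouts, and the version fields are lower bounds, not exact detections.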