In my opinion, security of web apps is a cumulative task where you secure everything that can be secured within reason. So far, these are the points: 1. If a reverse DNS lookup can yield the IP address of domains.safaricom.co.ke, we have a target. 2. Due to the lack of custom 404 error handlers, we know the target runs RHEL5 3. We also know there is a database on that target, we just need to find the port its using. 4. We have a possibly working username<http://domains.safaricom.co.ke/webim/client.php>for that database, its a matter of guessing the password. 5. We know that PHP 5.2.9 <http://www.securityfocus.com/bid/36449/info> has specific vulnerabilities on RHEL5 If I was running that server, I would rather not have the facts above available to the general public, regardless of whether that server hosts "hello world" pages or not. Next question I would ask, is domains.safaricom.co.ke a target worthy of the effort?