Though I'm not familiar with thttpd or savant, after briefly looking them over they appear to be http servers just like apache or nginx.
What would make them more appealing for a dark web host? They dont seem to be particular "dark-web-centric" with what i could read at face value. though most times dark web stuff has tons of other info thats not found 'at face value'...
"Though I'm not familiar with thttpd or savant, after briefly looking them over they appear to be http servers just like apache or nginx."
Not your parent, but it wouldn't surprise me to learn that "dark web sites" are using thttpd ... it's a very simple, lightweight, dependable web server. The major downside - the lack of SSL - is perhaps not an issue as you are running over an encrypted channel anyway.
If I just needed to throw something up - perhaps on a remote or throwaway host - thttpd would certainly be my first choice.
Also, thttpd[0] is fast, doesn't fork, and is resistant to DoS attacks. The downside is that it's no longer in many repositories, and it can be a pain to compile.
It wouldn't surprise me if this was limited to system logs and simple request logs. All the source IPs coming from Tor gateways are going to be from localhost. By default in Apache and Nginx logs also include the user agent but diligent dark web operators disable that.
System logins, auditd, supporting services logs, etc all may provide clues as to what happened.
I wouldn't have thought a darkweb hosting service should have any logs?