<?php
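error_reporting(E_ALL ^ E_DEPRECATED);
mysqli_report(MYSQLI_REPORT_OFF);
$PHP_SELF = $_SERVER['PHP_SELF'];
// Over HTTPS the session cookie is marked Secure (mandatory for SameSite=None)
// and HttpOnly, so the session id is not readable by in-page script. Neither
// flag changes how the server reads the cookie back.
if (!empty($_SERVER['HTTPS'])) {
    $session_options = [
        "secure" => true,
        "httponly" => true,
        "SameSite" => "None",
    ];
    session_set_cookie_params($session_options);
}
session_start();
// Shared helpers; they define the globals ($ip, $prefix, $htaccess_header, ...)
// that antiflood() and the 403 handler below read.
include "../include/variables.php";
include "../include/functions.php";
include "../include/errors.php";
include "../include/getip.php";
include "../include/badbots.php";
include "../include/lang.php";
include "../include/auth.php";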
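/**
 * Per-IP flood guard for the error pages, with automatic banning.
 *
 * One row per IP in `antiflood` (timestamp, count, url) tracks recent hits. A hit
 * is treated as a flood when the previous hit is at most 2 s old, the running
 * count is already 3 or more and the URL differs from the previous one. Flooders
 * not listed in include/ipwhitelist.php's $whitelist are inserted into `bans`
 * (2-day expiry), reported to AbuseIPDB, written into $prefix/.htaccess as
 * "Deny from" lines and logged to logs/bottrap.txt; the request then ends with die().
 *
 * A lock file per IP hash serialises concurrent runs; when the lock is held by
 * another request the hit is only noted in logs/antiflood.txt and let through.
 *
 * Reads the globals set by the includes at the top of the file. Returns nothing;
 * terminates the script on a detected flood or on a failed query.
 */
function antiflood() {
    global $ip, $host, $badbots, $badips, $errordoc, $htaccess_header, $rewrite_rules, $prefix;
    if (!file_exists("../include/db.php")) {
        echo "<b>Warning:</b> DB not ready. include/db.php missing.";
        return;
    }
    $iphash = crc32($ip);
    // NOTE: the lock lives in the shared /tmp under a predictable name. "c+"
    // (create, never truncate) is used so an existing file is not clobbered;
    // its content is irrelevant, only the flock() matters.
    $lockfile = "/tmp/antiflood.$iphash.lock";
    $fp = fopen($lockfile, "c+");
    $locked = false;
    if ($fp && flock($fp, LOCK_EX | LOCK_NB, $wouldBlock) && !$wouldBlock) {
        include "../include/db.php";
        if ($db_link) {
            mysqli_select_db($db_link, $db);
            // $ip is interpolated into every query below; escape it once so an odd
            // or spoofed address value cannot break out of the quoted literal.
            $ipEsc = mysqli_real_escape_string($db_link, $ip);
            if (mysqli_query($db_link, "desc antiflood")) {
                $result = mysqli_query($db_link, "select timestamp, count, url from antiflood where ip='$ipEsc'") or die(mysqli_error($db_link));
                if (mysqli_num_rows($result) > 0) {
                    if ($arr = mysqli_fetch_assoc($result)) {
                        $time = $arr['timestamp'];
                        $count = $arr['count'];
                        $url = $arr['url'];
                        if ($time >= time() - 2 && $count >= 3 && $url != $_SERVER['REQUEST_URI']) {
                            include "../include/ipwhitelist.php";
                            $whitelisted = false;
                            if (!mysqli_query($db_link, "desc bans")) {
                                mysqli_query($db_link, "create table bans (id int not null auto_increment primary key, ip varchar(48) not null default '', timestamp int not null default 0, expires int not null default 0, exclude int not null default 0, comment text not null) default charset=utf8mb4 collate=utf8mb4_bin") or die(mysqli_error($db_link));
                            }
                            $update = false;
                            //ban flooder
                            if (isset($whitelist) && in_array($ip, $whitelist, true)) {
                                $action = "Flood Detected";
                                $whitelisted = true;
                            } else {
                                $dupe = mysqli_query($db_link, "select * from bans where ip='$ipEsc'") or die(mysqli_error($db_link));
                                if (mysqli_num_rows($dupe) > 0) { //ip in db
                                    $action = "Flood-Ban (Dupe Detected)";
                                } else {
                                    $action = "Flood-Ban";
                                    $timestamp = time();
                                    // exclude=0 marks a non-permanent ban; expires is two days out
                                    mysqli_query($db_link, "insert into bans (ip,timestamp,expires,exclude,comment) values ('$ipEsc','$timestamp','" . ($timestamp + 60 * 60 * 24 * 2) . "','0','')") or die(mysqli_error($db_link));
                                    abuseipdbreportip($ip, "Automatic Report: Too much requests to non-existing pages, $count in 2 seconds, auto-banned");
                                    $update = true;
                                }
                            }
                            if ($update) {
                                //update .htaccess
                                // A failed select must not wipe the deny list, hence the die().
                                $result = mysqli_query($db_link, "select ip from bans order by ip") or die(mysqli_error($db_link));
                                $bans = "";
                                while ($ban = mysqli_fetch_assoc($result)) {
                                    $bans .= "Deny from " . $ban['ip'] . "\n";
                                }
                                $out = "$htaccess_header\n$errordoc\n$rewrite_rules\n$badbots\nOrder Allow,Deny\nAllow from all\nDeny from env=bad_bot\n$badips\n$bans";
                                // NOTE: truncate-then-write is not atomic; a concurrent
                                // request may briefly see a partial .htaccess.
                                $file = fopen("$prefix/.htaccess", "w");
                                if ($file) {
                                    fwrite($file, $out);
                                    fclose($file);
                                }
                            }
                            $log = fopen("$prefix/logs/bottrap.txt", "a");
                            if ($log) {
                                fwrite($log, "[" . date("Y-m-d H:i:s") . "] [" . $ip . (!empty($host) ? (" " . $host) : "") . "] [$action]\n" . (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER['HTTP_USER_AGENT'] : "N/A") . "\n\n");
                                fclose($log);
                            }
                            die("Flood Detected." . (($whitelisted != true) ? " IP Auto-Banned" : ""));
                        } else {
                            // Reset the counter once the last hit is older than 1 s,
                            // then record this hit in a single statement.
                            if ($time < time() - 1) $count = 0;
                            $count = (int) $count + 1;
                            $uriEsc = mysqli_real_escape_string($db_link, $_SERVER['REQUEST_URI']);
                            mysqli_query($db_link, "update antiflood set timestamp=" . time() . ", count=$count, url='$uriEsc' where ip='$ipEsc'") or die(mysqli_error($db_link));
                        }
                    } else {
                        die("database error");
                    }
                } else {
                    // first hit from this IP
                    mysqli_query($db_link, "insert into antiflood (ip, timestamp) values ('$ipEsc'," . time() . ")") or die(mysqli_error($db_link));
                }
            } else {
                // first run: create the tracking table; the next hit creates the row
                mysqli_query($db_link, "create table antiflood (ip varchar(48) not null primary key,timestamp int not null default 0, count int not null default 0, url varchar(256) not null default '')") or die(mysqli_error($db_link));
            }
            mysqli_close($db_link);
        }
        unset($db_link);
    } else {
        // Another request for the same IP holds the lock (or the lock file could
        // not be opened): note it and let this hit through.
        $locked = true;
        $file = fopen("$prefix/logs/antiflood.txt", "a");
        if ($file) {
            $msg = getinfo() . "\nDatabase locked";
            if (!empty($_SERVER['REQUEST_URI'])) $msg .= " (" . $_SERVER['REQUEST_URI'] . ")";
            $msg .= "\n";
            fwrite($file, $msg);
            fclose($file);
        }
    }
    if ($fp) {
        fclose($fp);
        // Only the lock holder removes the file; a contender must leave it alone.
        if (!$locked) unlink($lockfile);
    }
}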
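/**
 * Reports $ip to AbuseIPDB (api/v2/report) with a free-text comment.
 *
 * Best-effort, fire-and-forget: the key comes from the global $abuseipdb_apikey,
 * the response is not inspected and a failed or rejected report is ignored so the
 * ban logic that called us is never affected. Connect/total timeouts bound the
 * call, since antiflood() invokes it while holding its per-IP lock and before
 * the client gets an answer. The category ids "19,21" are sent as before
 * (AbuseIPDB's bad-web-bot / web-app-attack categories — verify against the
 * API's category list).
 *
 * @param string $ip      address being reported
 * @param string $comment reason text attached to the report
 */
function abuseipdbreportip($ip, $comment) {
    global $abuseipdb_apikey;
    $data = [
        "ip" => $ip,
        "categories" => "19,21",
        "comment" => $comment,
    ];
    $headers = [
        'Key: ' . $abuseipdb_apikey,
        'Accept: application/json',
    ];
    $curlObj = curl_init('https://api.abuseipdb.com/api/v2/report');
    if ($curlObj === false) {
        return;
    }
    curl_setopt_array($curlObj, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_POST => true,
        CURLOPT_POSTFIELDS => $data,
        CURLOPT_HTTPHEADER => $headers,
        // never let a slow or unreachable API stall the error page
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT => 10,
    ]);
    curl_exec($curlObj);
    curl_close($curlObj);
}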
// Whether this hit is appended to the per-status log; 301/302 switch it off below.
$writelog = true;
// Status under handling: Apache's REDIRECT_STATUS (ErrorDocument), unless it is the
// plain 200 of a direct call; otherwise the ?error= query parameter, else false.
$redirectStatus = $_SERVER['REDIRECT_STATUS'] ?? null;
if ($redirectStatus !== null && $redirectStatus !== '200') {
    $evt = $redirectStatus;
} else {
    $evt = $_GET['error'] ?? false;
}
// Only a non-negative, integer-looking value is accepted; floats, exponent
// notation, arrays and other garbage are flagged as invalid.
if ($evt !== false) {
    $isWholeNumber = is_numeric($evt) && gettype($evt + 0) === "integer" && $evt >= '0';
    if (!$isWholeNumber) {
        $evt = false;
        $invalid = true;
    }
}
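// Build $title/$txt for the status in $evt, run the flood/ban checks that apply
// to it, and append the hit to the matching log file under $prefix/logs.
if ($evt !== false) {
    // Request method as Apache forwards it through (possibly nested) ErrorDocument
    // redirects; false when none of the variants is present.
    $method = $_SERVER['REDIRECT_REDIRECT_REQUEST_METHOD']
        ?? $_SERVER['REDIRECT_REQUEST_METHOD']
        ?? $_SERVER['REQUEST_METHOD']
        ?? false;
    // Log file this hit is appended to; overridden per status below.
    $outf = "debuglog.txt";
    // Loose switch on purpose: $evt is a numeric string ("404") matched against ints.
    switch ($evt) {
        case 300:
            $title = "300 Multiple Choices";
            ob_start();
            $variants = $_SERVER['REDIRECT_REDIRECT_VARIANTS'] ?? $_SERVER['REDIRECT_VARIANTS'] ?? false;
            if (!empty($variants)) {
                $arr = explode('","', $variants);
                echo "The url you looking for wasn't found on this server. You can check the other pages listed below:<br><ul>\n";
                foreach ($arr as $item) {
                    $arr2 = explode(";", $item);
                    $arr2 = str_replace(['"', ','], '', $arr2);
                    // The variant name comes from Apache's VARIANTS env, not from the
                    // client, but it is still escaped before going into the markup.
                    $variantName = htmlspecialchars($arr2[0]);
                    echo "<li><a href=\"" . $variantName . "\">" . $variantName . "</a>\n";
                }
                echo "</ul>";
            } else {
                echo "REDIRECT_VARIANTS variable empty or unset";
            }
            $txt = ob_get_clean();
            antiflood();
            break;
        case 301:
            $title = "301 Moved Permanently";
            $txt = "The document has moved permanently to new location.";
            $writelog = false;
            //antiflood();
            break;
        case 302:
            // was wrongly titled "301 Found"
            $title = "302 Found";
            $txt = "The document has moved away.";
            $writelog = false;
            //antiflood();
            break;
        case 400:
            $title = "400 Bad Request";
            $txt = "Your client supplied the request that this server couldn't understand.";
            $outf = "badreq.txt";
            //antiflood();
            break;
        case 401:
            $title = "401 Unauthorized";
            $txt = "This server could not verify that you are authorized to access the document requested. Either you supplied the wrong credentials (e.g., bad password), or your browser doesn't understand how to supply the credentials required.";
            $outf = "badreq.txt";
            break;
        case 403:
            $title = "403 Forbidden";
            $txt = "You don't have permission to access " . htmlspecialchars($_SERVER['REQUEST_URI']) . " on this server.";
            include "../include/db.php";
            if ($db_link) {
                $update = false;
                mysqli_select_db($db_link, $db);
                $table = "bans";
                // $ip is interpolated into every query below; escape it once.
                $ipEsc = mysqli_real_escape_string($db_link, $ip);
                // Two bot signals: the hidden /bottrap.php link was followed, or the
                // user agent carries html link code.
                $hitBottrap = $_SERVER['REQUEST_URI'] === "/bottrap.php";
                $uaHasLink = isset($_SERVER['HTTP_USER_AGENT']) && preg_match("/a[\ \t]+href=/i", $_SERVER['HTTP_USER_AGENT']);
                if (!mysqli_query($db_link, "desc $table")) {
                    mysqli_query($db_link, "create table $table (id int not null auto_increment primary key, ip varchar(48) not null default '', timestamp int not null default 0, expires int not null default 0, exclude int not null default 0, comment text not null) default charset=utf8mb4 collate=utf8mb4_bin") or die(mysqli_error($db_link));
                }
                $result = mysqli_query($db_link, "select * from $table where ip='$ipEsc'") or die(mysqli_error($db_link));
                if (mysqli_num_rows($result) > 0) {
                    // Already banned (and not yet permanent): escalate on a bot signal.
                    if ($ban = mysqli_fetch_assoc($result)) {
                        if ($ban['exclude'] != 1 && ($hitBottrap || $uaHasLink)) {
                            $action = $hitBottrap ? "Perma-Ban" : "Perma-Auto-Ban";
                            mysqli_query($db_link, "update $table set expires='-1', exclude='1' where ip='$ipEsc'") or die(mysqli_error($db_link));
                            $update = true;
                        }
                    }
                } elseif ($uaHasLink) {
                    // First sighting with link code in the UA: temporary 2-day ban.
                    $timestamp = time();
                    mysqli_query($db_link, "insert into $table (ip,timestamp,expires,exclude,comment) values ('$ipEsc','$timestamp','" . ($timestamp + 60 * 60 * 24 * 2) . "','0','')") or die(mysqli_error($db_link));
                    $action = "Auto-Ban";
                    abuseipdbreportip($ip, "Automatic Report: html link code detected in user agent, auto-banned");
                    $update = true;
                }
                // Re-read the row so the message reflects the ban just written.
                // $admin is assumed to be set by one of the includes above (auth.php?) — confirm.
                $result = mysqli_query($db_link, "select * from $table where ip='$ipEsc'") or die(mysqli_error($db_link));
                if (mysqli_num_rows($result) > 0) {
                    if ($ban = mysqli_fetch_assoc($result)) {
                        if ($admin || $ban['exclude'] != 1) {
                            if (!empty($_COOKIE)) {
                                $txt .= "<br>You probably might be auto-banned.";
                                if (!$admin) {
                                    $txt .= "If you're a human user, you can remove the ban using <a href=\"/tools/?unban\">This</a> page as long as you complete the captcha.";
                                } else {
                                    $txt .= " Go to <a href=\"/tools/?unban\">This</a> to remove the ban.";
                                    if ($ban['exclude'] == 1) {
                                        $txt .= "<br><b>Warning: </b> Perma-ban is set, disabled only while using admin login.";
                                    }
                                }
                            }
                        }
                    }
                }
                if ($update) {
                    //update .htaccess
                    // A failed select must not wipe the deny list, hence the die().
                    $result = mysqli_query($db_link, "select ip from $table order by ip") or die(mysqli_error($db_link));
                    $bans = "";
                    while ($ban = mysqli_fetch_assoc($result)) {
                        $bans .= "Deny from " . $ban['ip'] . "\n";
                    }
                    $out = "$htaccess_header\n$errordoc\n$rewrite_rules\n$badbots\nOrder Allow,Deny\nAllow from all\nDeny from env=bad_bot\n$badips\n$bans";
                    $file = fopen("$prefix/.htaccess", "w");
                    if ($file) {
                        fwrite($file, $out);
                        fclose($file);
                    }
                    $log = fopen("$prefix/logs/bottrap.txt", "a");
                    if ($log) {
                        fwrite($log, "[" . date("Y-m-d H:i:s") . "] [" . $ip . (!empty($host) ? (" " . $host) : "") . "] [$action]\n" . (isset($_SERVER["HTTP_USER_AGENT"]) ? $_SERVER['HTTP_USER_AGENT'] : "N/A") . "\n\n");
                        fclose($log);
                    }
                }
                mysqli_close($db_link);
            }
            $outf = "badreq.txt";
            break;
        case 404:
            $title = "404 Not Found";
            $txt = "The url you looking for wasn't found on this server.";
            //check for 404 error flood
            antiflood();
            break;
        case 405:
            $title = "405 Method Not Allowed";
            $txt = "The " . (($method !== false) ? ($method . " ") : "") . "method is not allowed for the requested URL";
            $outf = "badreq.txt";
            //antiflood();
            break;
        case 500:
            $title = "500 Internal Server Error";
            $txt = "";
            $outf = "serverr.txt";
            //antiflood();
            break;
        default:
            // $evt passed the numeric check above, so it is safe to echo as-is.
            $title = "Unknown HTTP $evt error";
            $txt = "Unknown HTTP $evt error";
            antiflood();
            break;
    }
    if ($writelog === true) {
        $file = fopen("$prefix/logs/$outf", "a");
        if ($file) {
            $msg = getinfo() . " [$evt] " . (($method !== false) ? $method : "Url:") . " " . ($_SERVER['REQUEST_URI'] ?? '') . " Agent: " . (isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : "N/A") . (isset($_SERVER['HTTP_REFERER']) ? (" Referer: " . $_SERVER['HTTP_REFERER']) : "") . "\n";
            fwrite($file, $msg);
            fclose($file);
        }
    }
    include "../include/iplog.php";
} else {
    $title = "Warning";
    $txt = isset($invalid) ? "Invalid Error Number Value" : "This Page Is Used As Error Handler";
}
header('Content-Type: text/html; charset=utf-8');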
?>
<!DOCTYPE html>
<html>
<head>
<style type="text/css">
<!--
html {
height: 100%;
}
body {
margin: 0px; background: #000055; text-align:center; color:#eeebf5;
height: 100%;
}
a:link {
text-decoration:none; color: #BDFFD6;
}
a:hover {
text-decoration:underline; color: #FBFAD0;
}
a:visited {
text-decoration:none; color: #C2E4EF;
}
a:visited:hover {
text-decoration:underline; color: #E5ECD9;
}
body, td {
font-size:11pt; font-family: Georgia, Palatino, "Palatino Linotype", Times, "Times New Roman", serif;
}
table {
border-collapse: collapse;
}
td {
vertical-align:top; background: #717698; text-align:left;
}
#table {
height: 90%; width: 90%; border-left: 1px solid #0E2780; border-right: 1px solid #0E2780;
}
#rightmenu {
width: 20%; background:#616F8E;
}
#content {
background: #697795; padding: 4px; width:80%; text-align:center;
}
-->
</style>
<title><?php echo $title; ?></title>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body>
<div style="width:0px;height:0px;visibility:hidden;display:none"><a href="/bottrap.php">Click Here</a></div>
<table id="table" align="center">
<tr>
<td id="content"><?php echo $txt; ?></td>
<td id="rightmenu">
</tr>
</table>
</body>
</html>
<?php saveTranslations(); /* presumably provided by include/lang.php — confirm */ exit(); ?>