<?php
// Report every error class except deprecation notices.
error_reporting(E_ALL & ~E_DEPRECATED);
// Switch mysqli error reporting off: failures are signalled through return
// values, so every mysqli_* call on this page has to check its own result.
mysqli_report(MYSQLI_REPORT_OFF);
include_once "../include/variables.php";
include_once "../include/functions.php";
include_once "../include/errors.php";
include_once "../include/getip.php";
if (!function_exists("getinfo")) {
    /**
     * Build the bracketed prefix "[<timestamp> <ip>[ <host>]]".
     *
     * Reads the globals $ip and $host; the host part (with its leading
     * space) is added only when $host is non-empty.
     *
     * NOTE(review): $ip and $host are presumably filled in by getip.php from
     * request data - confirm they cannot carry line breaks before this prefix
     * is written to a log file.
     *
     * @return string
     */
    function getinfo() {
        global $ip, $host;
        $stamp = date("Y-m-d H:i:s");
        $hostPart = empty($host) ? "" : " ".$host;
        return "[".$stamp." ".$ip.$hostPart."]";
    }
}
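// NOTE(review): PHP_SELF contains any path info the client appended to the
// script URL, so it must be HTML-escaped wherever it is echoed. It is not
// output in this file; the included files may use it - verify there.
$PHP_SELF=$_SERVER['PHP_SELF'];

// Compress the response when the client advertises gzip support.
if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && substr_count($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip')) {
    if (ob_get_length()) ob_end_clean();
    ob_start("ob_gzhandler");
}
//else ob_start();

// Session cookie attributes. HttpOnly is set in every case so page scripts
// cannot read the session id; this page renders logged request data, which
// makes that worth having as a second line of defence.
$session_options = array(
    "httponly" => true
);
if (!empty($_SERVER['HTTPS'])) {
    // NOTE(review): SameSite=None makes the browser attach the session cookie
    // to cross-site requests, leaving the Referer check below as the only
    // cross-site guard visible in this file. Prefer "Lax" (or "Strict") unless
    // the site really is embedded cross-site.
    $session_options["secure"] = true;
    $session_options["SameSite"] = "None";
}
session_set_cookie_params($session_options);
session_start();

include "../include/lang.php";
include "../include/auth.php";
include "../include/refcheck.php";

// $validref is expected to be set by refcheck.php. The Referer header is
// supplied by the client, so this check is a filter against casual hot-linking
// and not an access control; access decisions belong in auth.php.
if (!$validref) {
    // $evt is set before iplog.php is included so the rejected request is
    // recorded (presumably as a 403 - confirm in iplog.php).
    $evt="403";
    header($_SERVER['SERVER_PROTOCOL']." 403 Forbidden");
    include "../include/iplog.php";
    die("Invalid Referer");
}
include "../include/iplog.php";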
?>
<html>
<head>
<title>List of Bad IP's and Requests</title>
<style type="text/css">
body {
margin: 0px;
padding: 5px;
background: #6F859E;
color:#eeebf5;
font-size:11pt;
font-family: Georgia, Palatino, "Palatino Linotype", Times, "Times New Roman", serif;
text-align:center;
}
p {
margin: 0px;
text-indent:1.27cm;
text-align: justify;
}
a:link {
text-decoration:none;
color: #BDFFD6;
}
a:hover {
text-decoration:underline;
color: #FBFAD0;
}
a:visited {
text-decoration:none;
color: #C2E4EF;
}
a:visited:hover {
text-decoration:underline;
color: #E5ECD9;
}
table {
border-collapse: collapse;
margin: 0px auto 0px auto;
}
th {
background: #9aa5af;
}
td {
vertical-align:top;
background: #7382a0;
text-align:left;
padding: 1px 2px;
}
h2, h3 {
text-align:center;
margin-top:15px;
margin-bottom: 12px;
}
img {
border: 0px;
padding: 0px;
margin: 0px;
}
form, pre {
padding: 0px;
margin: 0px;
}
pre {
white-space: pre-wrap;
word-wrap: break-word;
overflow:auto;
text-align:left;
}
</style>
</head>
<body>
<a href="/tools/">[Return]</a> <a href="/">[Home Page]</a> <a href="/source.php?file=tools/iplist.php">[Source of this page]</a><hr>
<a name="toc"></a>
<a href="#badip">IP's with Big User Agent Count</a><br>
<a href="#badurl">IP's with detected Bad URL'S</a>
<?php
include "../include/db.php";
if($db_link){
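// Database errors are written to the server log and the visitor only gets a
// generic message: the raw mysqli error text can expose schema and query
// details, so it is not sent to the browser.
if (!mysqli_select_db($db_link,$db)) {
    error_log("iplist.php: select_db failed: ".mysqli_error($db_link));
    die("Database error");
}

// IPs seen with four or more distinct User-Agent strings, most varied first.
$query="select distinct ip, host, count(distinct agent) as count, max(date) as date from accesslog group by ip having count >= 4 order by count desc, date desc limit 200"; //limit: server can't process more than 200 at a time
$result=mysqli_query($db_link,$query);
if (!$result) {
    error_log("iplist.php: query failed: ".mysqli_error($db_link));
    die("Database error");
}

echo "<a name=\"badip\"></a><h3>IP Adresses with High User Agent Count</h3><hr><p>High User Agent Count usually means a Suspicious IP or a Bad Bot.</p><p><a href=\"#toc\">Back to Contents</a></p><hr>";
echo "<table>";
echo "<tr><th>IP<th>Host<th>Known User Agents (Max 15 Shown)<th>Last Seen</tr>";

//ip addresses to hide (false positives, etc.); expected to define $hide
include "include/ipstohide.php";

// The explicit mt_srand((double) microtime() * 1000000) call was dropped:
// microtime() returns a "usec sec" string, so the cast kept only the
// fractional part and limited the seed to about a million values, and a float
// seed is deprecated for an int parameter. PHP seeds mt_rand() by itself.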
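if (!function_exists("func")){
    /**
     * Partial randomizer: replaces a random-length prefix of $str with random
     * lowercase ASCII letters and keeps the remainder, so the result has the
     * same length as the input.
     *
     * The prefix length is drawn once from [floor(len/4), len]. The previous
     * loop re-rolled its upper bound on every iteration, which skewed the
     * prefix towards short lengths, and passed the float len/4 to mt_rand(),
     * which is deprecated for an int parameter.
     *
     * mt_rand() is not a cryptographic generator; this is display
     * obfuscation only and must not be used for tokens or secrets.
     *
     * @param string $str text to scramble; empty values ("" or "0") are returned unchanged
     * @return string
     */
    function func($str){
        if (empty($str)) {
            return $str;
        }
        $len = strlen($str);
        $cut = mt_rand(intdiv($len, 4), $len);
        $scrambled = "";
        for ($i = 0; $i < $cut; $i++) {
            $scrambled .= chr(mt_rand(97, 122)); // 'a'..'z'
        }
        // Append whatever part of the original lies beyond the random prefix.
        return $scrambled.substr($str, $cut);
    }
}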
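/**
 * Unfinished callback intended for preg_replace_callback() on logged
 * User-Agent strings. For now it only returns a var_dump() of the match
 * array wrapped in <pre>, as a debugging aid.
 *
 * The matches come from a client-supplied header, so the dump is HTML-escaped
 * before it is returned for inclusion in the page.
 *
 * @param mixed $input match array handed over by preg_replace_callback()
 * @return string HTML-safe dump of $input
 */
function agent_callback($input){
    //todo: complete replace callback function
    //$replace[]='html_entity_decode(("$2"?("hxxp$2".("$3"?"wxw.":"")):"wxw.").func("$5").("$7"?(".".func("$7")):"").".$8")';
    ob_start();
    var_dump($input);
    $dump = ob_get_clean();
    return "<pre>".htmlspecialchars($dump, ENT_QUOTES | ENT_SUBSTITUTE)."</pre>";
}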
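// First table: one group of rows per IP that was seen with many User-Agents.
//
// The ip and host columns of accesslog are presumably written from request
// data (client address, reverse-DNS name), so they are treated as untrusted
// here: the IP is bound as a statement parameter instead of being concatenated
// into SQL, and every value is escaped for the HTML or URL context it is
// printed in.

// Log the detail server-side and stop with a generic message, so raw mysqli
// error text is not sent to the browser.
$dbFail = function ($detail) {
    error_log("iplist.php: database error: ".$detail);
    die("Database error");
};

// Prepared once, executed per row. $rowIp is bound by reference and assigned
// inside the loop.
$banStmt = mysqli_prepare($db_link, "select 1 from bans where ip=? limit 1");
$agentStmt = mysqli_prepare($db_link, "select distinct agent from accesslog where ip=? group by agent order by agent limit 15");
if (!$banStmt || !$agentStmt) {
    $dbFail(mysqli_error($db_link));
}
mysqli_stmt_bind_param($banStmt, "s", $rowIp);
mysqli_stmt_bind_param($agentStmt, "s", $rowIp);

//censor (pattern for the unfinished URL-masking callback below)
$search="/(http(s?:\/\/)(www\.)?|(www\.))([a-z0-9\-]+)(\.([a-z0-9\-]+))?\.([a-z0-9]+)/i";

while ($arr = mysqli_fetch_assoc($result)) {
    // Skip addresses listed in ipstohide.php (false positives etc.).
    if (isset($hide) && in_array($arr['ip'], $hide)) {
        continue;
    }

    $rowIp = $arr['ip'];
    $ipHtml = htmlspecialchars((string)$rowIp, ENT_QUOTES | ENT_SUBSTITUTE);
    $ipUrl = rawurlencode((string)$rowIp);
    $hostHtml = htmlspecialchars((string)$arr['host'], ENT_QUOTES | ENT_SUBSTITUTE);

    // Is this IP already in the bans table?
    if (!mysqli_stmt_execute($banStmt) || !mysqli_stmt_store_result($banStmt)) {
        $dbFail(mysqli_stmt_error($banStmt));
    }
    $rowBanned = mysqli_stmt_num_rows($banStmt) > 0;
    mysqli_stmt_free_result($banStmt);

    echo "<tr>";
    echo "<th>".$ipHtml.($rowBanned?"":" (Not Banned)")."<th>".$hostHtml;
    echo "<th>".(int)$arr['count'];
    echo "<th>".date("Y-m-d H:i:s",(int)$arr['date']);
    echo "</tr><tr>";
    echo "<th colspan=4>Actions";
    echo "</tr><tr>";
    // noopener/noreferrer: the lookup sites get neither a handle on this
    // window nor the URL of this tool.
    echo "<td colspan=4><a href=\"https://www.google.com/search?q=".$ipUrl."\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[Google]</a> <a href=\"https://www.abuseipdb.com/check/".$ipUrl."\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[AbuseIPDB]</a> <a href=\"http://www.projecthoneypot.org/ip_".$ipUrl."\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[ProjectHoneyPot]</a> <a href=\"http://www.stopforumspam.com/ipcheck/".$ipUrl."\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[StopForumSpam]</a></td>";
    echo "</tr><tr>";
    echo "<th colspan=4>User Agents";
    echo "</tr><tr><td colspan=4>";

    // Up to 15 distinct User-Agent strings logged for this IP.
    if (!mysqli_stmt_execute($agentStmt) || !mysqli_stmt_store_result($agentStmt)) {
        $dbFail(mysqli_stmt_error($agentStmt));
    }
    mysqli_stmt_bind_result($agentStmt, $rowAgent);
    $first=true;
    while (mysqli_stmt_fetch($agentStmt)) {
        if (!$first) echo "<br>\n";
        else $first=false;
        //$rowAgent=preg_replace_callback($search, "agent_callback", $rowAgent); //callback not completed
        echo !empty($rowAgent)?htmlspecialchars($rowAgent, ENT_QUOTES | ENT_SUBSTITUTE):"(Blank)";
    }
    mysqli_stmt_free_result($agentStmt);

    // The cell and row are closed inside the loop body, so hidden IPs no
    // longer leave a stray </tr> behind.
    echo "</td></tr>";
}
mysqli_stmt_close($banStmt);
mysqli_stmt_close($agentStmt);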
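//
echo "</table><hr><a name=\"badurl\"></a><h3>IP Adresses with Bad URL's Detected</h3><hr><p>Big Amount of Bad URL's means that an IP Owner is a Possible Hacker or Bad Bot</p><p><a href=\"#toc\">Back to Contents</a></p><hr>";

// Heuristic SQL condition that marks a logged URL as "bad". It is a list of
// LIKE / REGEXP tests on the url column: percent-encoded control characters,
// quotes and brackets (%00, %0a, %0d, %22, %27, %3c, %3e, ...), a %25
// sequence, "..", raw quotes / angle brackets / square brackets / backslashes,
// "passwd", paths starting with /mysql or /pma, database.yml, "<script",
// "order+by", char(...) lists and "and"/"or" comparisons.
// The string is a constant of this file and contains no request data, which
// is what makes interpolating it into the queries below safe - keep it so.
// NOTE(review): these are substring heuristics, so false positives are
// expected (see the hide list); treat a match as a lead, not as proof.
$pattern = "url like '%\%00%' or url like '%\%0a%' or url like '%\%0d%' or url like '%\%22%' or url regexp '.*%25[^2][^0].*' or url like '%\%26%' or url like '%\%27%' or url like '%\%28%' or url like '%\%29%' or url like '%\%3c%' or url like '%=%\%3d%' or url like '%\%3e%' or url like '%\%40%' or url like '%\%5c%' or url like '%\%7b%' or url like '%\%7c%' or url like '%\%e3%' or url like '%\%c0\%af%' or url like '%\.\.%' or url like '%[%' or url like '%]%' or url like '%passwd%' or url like '/mysql%' or url like '/pma%' or url like '%/database\.yml%' or url like '%<script%' or url like '%=index\.%' or url regexp '.*=.*[^A-Za-z0-9]cmd[^A-Za-z0-9].*' or url like '%=%\?%' or url like '%<%' or url like '%>%' or url like '%\'%' or url like '%\"%' or url like '%\\\\\\\\%' or url like '%order+by%' or url regexp 'char\\\\(([0-9]{0,},){1,}[0-9]+\\\\)' or url regexp '[^A-Za-z&]+(and|or)[^A-Za-z&]+[\'\"]?[A-Za-z0-9]+[\'\"]?[^A-Za-z&(]*=[^A-Za-z&(]*[\'\"]?[A-Za-z0-9]+[\'\"]?'";
//echo htmlspecialchars($pattern);

// IPs with at least one distinct (url, result) pair matching the pattern.
$query="select ip, host, max(date) as date, count(distinct url, result) as count from accesslog where $pattern group by ip having count >= 1 order by count desc, date desc";
$result=mysqli_query($db_link,$query);
if (!$result) {
    // Keep the mysqli error text in the server log; it can expose schema and
    // query details if echoed to the browser.
    error_log("iplist.php: query failed: ".mysqli_error($db_link));
    die("Database error");
}
echo "<style>font {display:inline-block;}</style>";
echo "<table>";
echo "<tr><th>IP<th>Host<th>Bad/Total URL Count<th>Last Seen</tr>";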
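// Second table: one group of rows per IP with at least one "bad" URL.
//
// The ip, host, url and result columns of accesslog are presumably written
// from request data, so they are treated as untrusted: the IP is bound as a
// statement parameter instead of being concatenated into SQL, and every value
// is escaped for the HTML or URL context it is printed in.

// Log the detail server-side and stop with a generic message, so raw mysqli
// error text is not sent to the browser.
$dbFail = function ($detail) {
    error_log("iplist.php: database error: ".$detail);
    die("Database error");
};

// Prepared once, executed per row. $rowIp is bound by reference and assigned
// inside the loop. $pattern is a constant of this file; the "?" characters it
// contains sit inside SQL string literals and are not parameter markers.
$banStmt = mysqli_prepare($db_link, "select 1 from bans where ip=? limit 1");
$totalStmt = mysqli_prepare($db_link, "select count(distinct url, result) as total from accesslog where ip=?");
if (!$banStmt || !$totalStmt) {
    $dbFail(mysqli_error($db_link));
}
mysqli_stmt_bind_param($banStmt, "s", $rowIp);
mysqli_stmt_bind_param($totalStmt, "s", $rowIp);

// The request listing was never error-checked, so it stays best-effort: a
// failure is logged and the listing is left empty rather than aborting.
$reqStmt = mysqli_prepare($db_link, "select distinct url, result, ($pattern) as bad from accesslog where ip=? order by date, id");
if ($reqStmt) {
    mysqli_stmt_bind_param($reqStmt, "s", $rowIp);
} else {
    error_log("iplist.php: request listing unavailable: ".mysqli_error($db_link));
}

while ($arr = mysqli_fetch_assoc($result)) {
    // Skip addresses listed in ipstohide.php (false positives etc.).
    if (isset($hide) && in_array($arr['ip'], $hide)) {
        continue;
    }

    $rowIp = $arr['ip'];
    $ipHtml = htmlspecialchars((string)$rowIp, ENT_QUOTES | ENT_SUBSTITUTE);
    $ipUrl = rawurlencode((string)$rowIp);
    $hostHtml = htmlspecialchars((string)$arr['host'], ENT_QUOTES | ENT_SUBSTITUTE);

    // Is this IP already in the bans table?
    if (!mysqli_stmt_execute($banStmt) || !mysqli_stmt_store_result($banStmt)) {
        $dbFail(mysqli_stmt_error($banStmt));
    }
    $rowBanned = mysqli_stmt_num_rows($banStmt) > 0;
    mysqli_stmt_free_result($banStmt);

    echo "<tr>";
    echo "<th>".$ipHtml.($rowBanned?"":" (Not Banned)")."<th>".$hostHtml;
    echo "<th>".(int)$arr['count'];

    // Bad / total distinct requests and their ratio.
    if (!mysqli_stmt_execute($totalStmt) || !mysqli_stmt_store_result($totalStmt)) {
        $dbFail(mysqli_stmt_error($totalStmt));
    }
    mysqli_stmt_bind_result($totalStmt, $urlTotal);
    if (mysqli_stmt_fetch($totalStmt)) {
        echo "/".(int)$urlTotal;
        // Guard the division; a zero total would otherwise raise an error.
        if ((int)$urlTotal > 0) {
            echo " (".round($arr['count']/$urlTotal,7).")";
        }
    }
    mysqli_stmt_free_result($totalStmt);

    echo "<th>".date("Y-m-d H:i:s",(int)$arr['date']);
    echo "</tr><tr>";
    echo "<th colspan=4>Actions";
    echo "</tr><tr>";
    // noopener/noreferrer: the lookup sites get neither a handle on this
    // window nor the URL of this tool.
    echo "<td colspan=4><a href=\"https://www.google.com/search?q=".$ipUrl."\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[Google]</a> <a href=\"https://www.abuseipdb.com/check/".$ipUrl."\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[AbuseIPDB]</a> <a href=\"http://www.projecthoneypot.org/ip_".$ipUrl."\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[ProjectHoneyPot]</a> <a href=\"http://www.stopforumspam.com/ipcheck/".$ipUrl."\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[StopForumSpam]</a></td>";
    echo "</tr><tr>";
    echo "<th colspan=4>Requests sent from this ip";
    echo "</tr><tr><td colspan=4 style=\"word-break:keep-all\">";

    // Every distinct request from this IP; the ones matching $pattern are
    // wrapped in a <font> tag to highlight them.
    if ($reqStmt) {
        if (mysqli_stmt_execute($reqStmt) && mysqli_stmt_store_result($reqStmt)) {
            mysqli_stmt_bind_result($reqStmt, $reqUrl, $reqResult, $reqBad);
            $first=true;
            while (mysqli_stmt_fetch($reqStmt)) {
                if (!$first) echo "<br>\n";
                else $first=false;
                if ($reqBad) echo "<font color=\"#f0f0e0\">";
                echo "[".htmlspecialchars((string)$reqResult, ENT_QUOTES | ENT_SUBSTITUTE)."]";
                //if ($reqBad) echo "[bad]";
                echo " ".htmlspecialchars((string)$reqUrl, ENT_QUOTES | ENT_SUBSTITUTE);
                if ($reqBad) echo "</font>";
            }
            mysqli_stmt_free_result($reqStmt);
        } else {
            error_log("iplist.php: request listing failed: ".mysqli_stmt_error($reqStmt));
        }
    }
    echo "</td></tr>";
}
echo "</table>";

mysqli_stmt_close($banStmt);
mysqli_stmt_close($totalStmt);
if ($reqStmt) {
    mysqli_stmt_close($reqStmt);
}
mysqli_close($db_link);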
}
// Footer navigation and closing markup, then the call to saveTranslations()
// (defined outside this file).
echo "<hr><a href=\"/tools/\">[Return]</a> <a href=\"/\">[Home]</a> <a href=\"/source.php?file=tools/iplist.php\">[Source of this page]</a>",
     "</body></html>";
saveTranslations();
?>