<?php
    // NOTE(review): this listing appears to have lost some punctuation when it was rendered
    // (e.g. the operator between E_ALL and E_DEPRECATED, the comma between $ip and $host, and
    // parts of the string built in getinfo()). Restore those from the real file before reuse.
    // Sets the error-reporting level. Whether errors are shown to visitors depends on
    // display_errors, which this file does not set; confirm it is off in production.
    error_reporting
(E_ALL E_DEPRECATED);
    // Shared project includes; their contents are not visible on this page.
    include_once 
"../include/variables.php";
    include_once 
"../include/functions.php";
    include_once 
"../include/errors.php";
    include_once 
"../include/getip.php";    
    // Fallback definition, used only when no include above has already defined getinfo().
    if (!
function_exists("getinfo")) {
        // Builds a bracketed prefix from the current timestamp and the globals $ip and $host.
        // NOTE(review): $ip/$host are presumably set by getip.php; confirm. If $host comes from
        // a reverse-DNS lookup or $ip from a forwarded-for header, both are client-influenced:
        // escape them for the sink (log line, HTML, SQL) that consumes this string.
        function 
getinfo() {
            global 
$ip$host;
            return 
"[".date("Y-m-d H:i:s").$ip".(!empty($host)?$host":"")."]";
        }
    }
    
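// Request bootstrap: output compression, session start, authentication and Referer gate.

// PHP_SELF includes any path info appended by the client, so it must be HTML-escaped
// wherever it is echoed.
$PHP_SELF = $_SERVER['PHP_SELF'];

// Compress the response when the client advertises gzip support.
if (isset($_SERVER['HTTP_ACCEPT_ENCODING']) && substr_count($_SERVER['HTTP_ACCEPT_ENCODING'], 'gzip')) {
    // Drop anything already buffered so the gzip handler starts from a clean buffer.
    if (ob_get_length()) ob_end_clean();
    ob_start("ob_gzhandler");
}
//else ob_start();

// Session cookie hardening. HttpOnly keeps the session id away from page scripts and
// SameSite=Lax stops it being sent on cross-site sub-requests; both apply over HTTP too.
$session_options = array(
    "httponly" => true,
    "samesite" => "Lax",
);
// Some servers set HTTPS to the literal string "off" for plain-HTTP requests.
if (!empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off') {
    // Never let the session id travel over cleartext once the site is reached over TLS.
    $session_options["secure"] = true;
}
session_set_cookie_params($session_options);
session_start();

include "../include/lang.php";
// NOTE(review): auth.php is presumably what enforces that the visitor is logged in;
// confirm, because the Referer gate below is not an authentication control.
include "../include/auth.php";
include "../include/refcheck.php";

// $validref is set by refcheck.php. The Referer header is supplied by the client and can
// be omitted or set freely by a non-browser client, so this only limits hot-linking.
if (!$validref) {
    $evt = "403"; // presumably read by iplog.php to record the rejection; verify
    header($_SERVER['SERVER_PROTOCOL']." 403 Forbidden");
    include "../include/iplog.php";
    die("Invalid Referer");
}
include "../include/iplog.php";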

?>
<html>
<head>
<title>List of Bad IP's and Requests</title>
<style type="text/css">
body { 
    margin: 0px; 
    padding: 5px;
    background: #6F859E;
    color:#eeebf5; 
    font-size:11pt; 
    font-family: Georgia, Palatino, "Palatino Linotype", Times, "Times New Roman", serif;
    text-align:center;
}
p {
    margin: 0px;
    text-indent:1.27cm;
    text-align: justify;
}

a:link {
    text-decoration:none;
    color: #BDFFD6;
}
a:hover {
    text-decoration:underline;
    color: #FBFAD0;    
}
a:visited {
    text-decoration:none;
    color: #C2E4EF;
}
a:visited:hover {
    text-decoration:underline;
    color: #E5ECD9;    
}
table { 
    border-collapse: collapse; 
    margin: 0px auto 0px auto;
}
th { 
    background: #9aa5af;
}
td { 
    vertical-align:top;
    background: #7382a0;
    text-align:left;
    padding: 1px 2px;
}
h2, h3 {
    text-align:center; 
    margin-top:15px;
    margin-bottom: 12px;
}
img {
    border: 0px;
    padding: 0px;
    margin: 0px;
}
form, pre {
    padding: 0px;
    margin: 0px;
}
pre {
    white-space: pre-wrap;
    word-wrap: break-word;
    overflow:auto;
    text-align:left;
}

</style>    
</head>
<body>
<a href="/tools/">[Return]</a> <a href="/">[Home Page]</a> <a href="/source.php?file=tools/iplist.php">[Source of this page]</a><hr>
<a name="toc"></a>
<a href="#badip">IP's with Big User Agent Count</a><br>
<a href="#badurl">IP's with detected Bad URL'S</a>
<?php 
    
include "../include/db.php";
    if(
$db_link){
        
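// First report: addresses that presented many distinct User-Agent strings.
// $db_link and $db come from db.php, which is included before this block.
if (!mysqli_select_db($db_link, $db)) {
    // Keep driver error text in the server log; it can reveal schema and host details.
    error_log("iplist: " . mysqli_error($db_link));
    die("Database error");
}

$query = "select distinct ip, host, count(distinct agent) as count, max(date) as date from accesslog group by ip having count >= 4 order by count desc, date desc limit 200"; //limit: server can't process more than 200 at a time
$result = mysqli_query($db_link, $query);
if ($result === false) {
    error_log("iplist: " . mysqli_error($db_link));
    die("Database error");
}

echo "<a name=\"badip\"></a><h3>IP Adresses with High User Agent Count</h3><hr><p>High User Agent Count usually means a Suspicious IP or a Bad Bot.</p><p><a href=\"#toc\">Back to Contents</a></p><hr>";

echo "<table>";
echo "<tr><th>IP<th>Host<th>Known User Agents (Max 15 Shown)<th>Last Seen</tr>";

//ip adresses to hide (false positives, etc.)
// NOTE(review): every other include in this file uses "../include/"; this relative path
// resolves differently, so confirm the file is actually found (include only warns if not).
include "include/ipstohide.php";
$hide[] = "66.249.78.78"; //google
$hide[] = "66.249.75.78";
$hide[] = "80.208.225.17"; //own vpn ip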
        
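// Explicit seeding is kept for compatibility; PHP seeds mt_rand() automatically, and a
// microtime-derived seed is predictable. That is acceptable here only because func() is
// cosmetic. The cast avoids the float-to-int conversion notice on newer PHP versions.
mt_srand((int) ((double) microtime() * 1000000));
if (!function_exists("func")) {
    //partial randomizer
    /**
     * Replace a leading part of $str with random lowercase letters, keeping its length.
     *
     * Intended for display-time obfuscation of host names in logged User-Agent strings.
     * mt_rand() is not a cryptographic generator, so this is not an anonymisation or
     * secret-generation primitive.
     *
     * @param string $str text to scramble; values PHP treats as empty are returned unchanged
     * @return string a string of the same byte length whose tail is the original tail
     */
    function func($str){
        if (!empty($str)) {
            $l = strlen($str);
            $tmp = "";
            // The upper bound is re-rolled on every pass, as in the original loop;
            // intdiv() keeps the lower bound an integer instead of passing a float.
            for ($i = 0; $i < mt_rand(intdiv($l, 4), $l); $i++) {
                $tmp .= chr(mt_rand(97, 122)); // 'a'..'z'
            }
            // Keep whatever part of the original follows the randomised prefix.
            if (strlen($tmp) < $l) {
                $tmp .= substr($str, $i, $l);
            }
            $str = $tmp;
        }
        return $str;
    }
}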
        function 
agent_callback($input){
            
//todo: complete replace callback function
            //$replace[]='html_entity_decode(("$2"?("hxxp$2".("$3"?"wxw.":"")):"wxw.").func("$5").("$7"?(".".func("$7")):"").".$8")';
            
ob_start();
            echo 
"<pre>";
            
var_dump($input);
            echo 
"</pre>";
            
            return 
ob_get_clean();
        }
        while (
$arr mysqli_fetch_assoc($result)) {
            if (!isset(
$hide) || !in_array($arr['ip'], $hide)) {
            echo 
"<tr>";
            
$res2=mysqli_query($db_link,"select * from bans where ip='".$arr['ip']."'") or die(mysqli_error($db_link));
            echo 
"<th>".$arr['ip'].((mysqli_num_rows($res2) == 0)?" (Not Banned)":"")."<th>".$arr['host'];
            echo 
"<th>".$arr['count'];
            echo 
"<th>".date("Y-m-d H:i:s",$arr['date']);
            echo 
"</tr><tr>";
            echo 
"<th colspan=4>Actions";
            echo 
"</tr><tr>";
            echo 
"<td colspan=4><a href=\"https://www.google.com/search?q=".$arr['ip']."\" rel=\"nofollow\" target=\"_blank\">[Google]</a> <a href=\"https://www.abuseipdb.com/check/".$arr['ip']."\" rel=\"nofollow\" target=\"_blank\">[AbuseIPDB]</a> <a href=\"http://www.projecthoneypot.org/ip_".$arr['ip']."\" rel=\"nofollow\" target=\"_blank\">[ProjectHoneyPot]</a> <a href=\"http://www.stopforumspam.com/ipcheck/".$arr['ip']."\" rel=\"nofollow\" target=\"_blank\">[StopForumSpam]</a></td>";
            echo 
"</tr><tr>";
            echo 
"<th colspan=4>User Agents";
            echo 
"</tr><tr>";

            
            
$query="select distinct agent from accesslog where ip='".$arr['ip']."' group by agent order by agent limit 15";
            
$res2=mysqli_query($db_link,$query) or die(mysqli_error($db_link));

            echo 
"</tr><tr><td colspan=4>";
            
            
$first=true;
            while(
$arr2=mysqli_fetch_assoc($res2)){
                if (!
$first) echo "<br>\n";
                else 
$first=false;
                
//censor
                
$search="/(http(s?:\/\/)(www\.)?|(www\.))([a-z0-9\-]+)(\.([a-z0-9\-]+))?\.([a-z0-9]+)/i";
                    
//$arr2['agent']=preg_replace_callback($search, "agent_callback", $arr2['agent']); //callback not completed
        
                
echo !empty($arr2['agent'])?htmlspecialchars($arr2['agent']):"(Blank)";
            }
            
            }
            echo 
"</tr>";
            
        }
        
        
//
        
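// Second report: addresses whose logged request URLs match known probe/injection shapes.
// Logged URLs, result codes and host names originate from client requests and DNS, so
// they are bound as SQL parameters and HTML-escaped before output.
echo "</table><hr><a name=\"badurl\"></a><h3>IP Adresses with Bad URL's Detected</h3><hr><p>Big Amount of Bad URL's means that an IP Owner is a Possible Hacker or Bad Bot</p><p><a href=\"#toc\">Back to Contents</a></p><hr>";

// Detection predicate over accesslog.url. It is a constant SQL fragment (no request data
// is mixed into it), which is the only reason it may be interpolated into the queries below.
$pattern = "url like '%\%00%' or url like '%\%0a%' or url like '%\%0d%' or url like '%\%22%' or url regexp '.*%25[^2][^0].*' or url like '%\%26%' or url like '%\%27%' or url like '%\%28%' or url like '%\%29%' or url like '%\%3c%' or url like '%=%\%3d%' or url like '%\%3e%' or url like '%\%40%' or url like '%\%5c%' or url like '%\%7b%' or url like '%\%7c%' or url like '%\%e3%' or url like '%\%c0\%af%' or url like '%\.\.%' or url like '%[%' or url like '%]%' or url like '%passwd%' or url like '/mysql%' or url like '/pma%' or url like '%/database\.yml%' or url like '%<script%' or url like '%=index\.%' or url regexp '.*=.*[^A-Za-z0-9]cmd[^A-Za-z0-9].*' or url like '%=%\?%' or url like '%<%' or url like '%>%' or url like '%\'%' or url like '%\"%' or url like '%\\\\\\\\%' or url like '%order+by%' or url regexp 'char\\\\(([0-9]{0,},){1,}[0-9]+\\\\)' or url regexp '[^A-Za-z&]+(and|or)[^A-Za-z&]+[\'\"]?[A-Za-z0-9]+[\'\"]?[^A-Za-z&(]*=[^A-Za-z&(]*[\'\"]?[A-Za-z0-9]+[\'\"]?'";
//echo htmlspecialchars($pattern);

$query = "select ip, host, max(date) as date, count(distinct url, result) as count from accesslog where $pattern group by ip having count >= 1 order by count desc, date desc";
$result = mysqli_query($db_link, $query);
if ($result === false) {
    // Driver error text goes to the server log, not to the browser.
    error_log("iplist: " . mysqli_error($db_link));
    die("Database error");
}

$esc = function ($value) {
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
};

// Per-address lookups, prepared once and executed with the address bound as a parameter.
$ban_stmt = mysqli_prepare($db_link, "select 1 from bans where ip=? limit 1");
$total_stmt = mysqli_prepare($db_link, "select count(distinct url, result) as total from accesslog where ip=?");
if (!$ban_stmt || !$total_stmt) {
    error_log("iplist: " . mysqli_error($db_link));
    die("Database error");
}
// The original did not treat a failure of this query as fatal; keep it best-effort.
// The "?" characters inside $pattern sit in quoted SQL literals and are not placeholders.
$req_stmt = mysqli_prepare($db_link, "select distinct url, result, ($pattern) as bad from accesslog where ip=? order by date, id");
if (!$req_stmt) {
    error_log("iplist: " . mysqli_error($db_link));
}

echo "<style>font {display:inline-block;}</style>";
echo "<table>";
echo "<tr><th>IP<th>Host<th>Bad/Total URL Count<th>Last Seen</tr>";
while ($arr = mysqli_fetch_assoc($result)) {
    if (!isset($hide) || !in_array((string) $arr['ip'], $hide, true)) {
        $ip = (string) $arr['ip'];
        $ip_html = $esc($ip);
        $ip_url = rawurlencode($ip);
        $bad_count = (int) $arr['count'];

        // Is this address already in the bans table?
        mysqli_stmt_bind_param($ban_stmt, "s", $ip);
        if (!mysqli_stmt_execute($ban_stmt)) {
            error_log("iplist: " . mysqli_stmt_error($ban_stmt));
            die("Database error");
        }
        mysqli_stmt_store_result($ban_stmt);
        $not_banned = (mysqli_stmt_num_rows($ban_stmt) == 0);
        mysqli_stmt_free_result($ban_stmt);

        echo "<tr>";
        echo "<th>" . $ip_html . ($not_banned ? " (Not Banned)" : "") . "<th>" . $esc($arr['host']);
        echo "<th>" . $bad_count;

        // Total distinct (url, result) pairs for this address, to show the bad/total ratio.
        mysqli_stmt_bind_param($total_stmt, "s", $ip);
        if (!mysqli_stmt_execute($total_stmt)) {
            error_log("iplist: " . mysqli_stmt_error($total_stmt));
            die("Database error");
        }
        mysqli_stmt_bind_result($total_stmt, $total);
        if (mysqli_stmt_fetch($total_stmt)) {
            $total = (int) $total;
            echo "/" . $total;
            // Guard the division; a zero total is not expected for an address with matches.
            if ($total > 0) {
                echo " (" . round($bad_count / $total, 7) . ")";
            }
        }
        mysqli_stmt_free_result($total_stmt);

        echo "<th>" . date("Y-m-d H:i:s", (int) $arr['date']);
        echo "</tr><tr>";
        echo "<th colspan=4>Actions";
        echo "</tr><tr>";
        // noopener/noreferrer keep the lookup sites from getting a window handle or this tool's URL.
        echo "<td colspan=4><a href=\"https://www.google.com/search?q=" . $ip_url . "\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[Google]</a> <a href=\"https://www.abuseipdb.com/check/" . $ip_url . "\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[AbuseIPDB]</a> <a href=\"http://www.projecthoneypot.org/ip_" . $ip_url . "\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[ProjectHoneyPot]</a> <a href=\"http://www.stopforumspam.com/ipcheck/" . $ip_url . "\" rel=\"nofollow noopener noreferrer\" target=\"_blank\">[StopForumSpam]</a></td>";
        echo "</tr><tr>";
        echo "<th colspan=4>Requests sent from this ip";
        echo "</tr><tr><td colspan=4 style=\"word-break:keep-all\">";

        // Every distinct request from this address; rows matching $pattern are highlighted.
        if ($req_stmt) {
            mysqli_stmt_bind_param($req_stmt, "s", $ip);
            if (mysqli_stmt_execute($req_stmt)) {
                mysqli_stmt_bind_result($req_stmt, $req_url, $req_result, $req_bad);
                $first = true;
                while (mysqli_stmt_fetch($req_stmt)) {
                    if (!$first) {
                        echo "<br>\n";
                    } else {
                        $first = false;
                    }
                    if ($req_bad) echo "<font color=\"#f0f0e0\">";
                    echo "[" . $esc($req_result) . "]";
                    //if ($req_bad) echo "[bad]";
                    echo " " . $esc($req_url);
                    if ($req_bad) echo "</font>";
                }
                mysqli_stmt_free_result($req_stmt);
            } else {
                error_log("iplist: " . mysqli_stmt_error($req_stmt));
            }
        }
        echo "</td></tr>";
    }
}
echo "</table>";

mysqli_stmt_close($ban_stmt);
mysqli_stmt_close($total_stmt);
if ($req_stmt) {
    mysqli_stmt_close($req_stmt);
}
mysqli_close($db_link);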
    }
// Page footer: navigation links, then the closing document tags.
echo '<hr><a href="/tools/">[Return]</a> <a href="/">[Home]</a> <a href="/source.php?file=tools/iplist.php">[Source of this page]</a>',
    '</body></html>';
    
?>

You can also check the other includes below (some files are hidden because they are on the exclusion list):
functions.php
errors.php
getip.php
lang.php
auth.php
refcheck.php
iplog.php