link.py

import whois
from urllib.parse import urlparse
from datetime import datetime
import requests
from bs4 import BeautifulSoup
import socket
import ssl
import os
import base64
import re
import concurrent.futures

def check_ip_details(domain):
    try:
        ip = socket.gethostbyname(domain)
        response = requests.get(f"http://ip-api.com/json/{ip}", timeout=5)
        if response.status_code == 200:
            data = response.json()
            if data.get('status') == 'success':
                return {
                    "ip": ip,
                    "country": data.get('country', 'Unknown'),
                    "isp": data.get('isp', 'Unknown'),
                    "asn": data.get('as', 'Unknown'),
                    "status": "Success"
                }
        return {"status": "Failed to get IP info"}
    except Exception as e:
        return {"status": "Error", "error": str(e)}

def check_ssl(domain):
    try:
        context = ssl.create_default_context()
        with socket.create_connection((domain, 443), timeout=5) as sock:
            with context.wrap_socket(sock, server_hostname=domain) as ssock:
                cert = ssock.getpeercert()
                issuer = dict(x[0] for x in cert['issuer'])
                not_after = datetime.strptime(cert['notAfter'], "%b %d %H:%M:%S %Y %Z")
                days_left = (not_after - datetime.now()).days
                
                issuer_name = issuer.get('organizationName', issuer.get('commonName', 'Unknown'))
                
                # Check for free or sketchy issuers often used by scams
                risk = "Low Risk"
                if days_left < 30:
                    risk = "High Risk (Expires Soon)"
                elif any(free_ca in issuer_name.lower() for free_ca in ["let's encrypt", "zerossl", "cpanel"]):
                    risk = "Medium Risk (Free SSL)"
                
                return {
                    "valid": True,
                    "issuer": issuer_name,
                    "days_left": days_left,
                    "risk": risk
                }
    except Exception as e:
        return {"valid": False, "error": str(e), "risk": "High Risk (No valid SSL)"}

def check_virustotal(url):
    vt_api_key = os.environ.get("VT_API_KEY", "ab9e3cab0ed9005dda320771722679ff1884b2a2b379b97c724ece4053e89462")
    if not vt_api_key:
        return {"status": "Skipped (No API Key)"}
        
    try:
        url_id = base64.urlsafe_b64encode(url.encode()).decode().strip("=")
        api_url = f"https://www.virustotal.com/api/v3/urls/{url_id}"
        headers = {"x-apikey": vt_api_key}
        response = requests.get(api_url, headers=headers, timeout=5)
        
        if response.status_code == 200:
            stats = response.json()['data']['attributes']['last_analysis_stats']
            malicious = stats.get('malicious', 0)
            suspicious = stats.get('suspicious', 0)
            total_flags = malicious + suspicious
            return {
                "status": "Checked",
                "malicious_flags": malicious,
                "suspicious_flags": suspicious,
                "risk": "High Risk (Scam/Malware Reported!)" if total_flags > 0 else "Low Risk (Clean)"
            }
        else:
            return {"status": f"API Error {response.status_code}"}
    except Exception as e:
         return {"status": f"Failed: {str(e)}"}

def scrape_website(url):
    try:
        response = requests.get(url, timeout=5, headers={"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)"})
        soup = BeautifulSoup(response.content, 'html.parser')
        title = soup.title.string if soup.title else "No Title Found"
        
        text_content = soup.get_text()
        emails = list(set(re.findall(r'[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}', text_content)))
        
        wa_links = []
        for a in soup.find_all('a', href=True):
            if 'wa.me/' in a['href'] or 'api.whatsapp.com' in a['href']:
                wa_links.append(a['href'])

        return {
            "title": title.strip(),
            "status": "Success",
            "redirected_url": response.url,
            "was_redirected": response.url != url,
            "emails": emails[:3],
            "whatsapp_links": list(set(wa_links))[:3]
        }
    except Exception as e:
        return {"title": "Failed to scrape", "status": "Failed", "error": str(e), "was_redirected": False}

def check_domain_forensics(url):
    print(f"[*] Advanced Analysis shuru ho raha hai URL par: {url}")
    
    if not url.startswith("http"):
        url = "https://" + url
        
    try:
        domain = urlparse(url).netloc
    except Exception:
        domain = url.split('/')[0]
        
    results = {
        "original_url": url,
        "domain": domain,
        "status": "Success",
        "age_days": "Unknown",
        "domain_risk": "Unknown",
        "state_impersonation": False
    }
    
    # 1. Scraping & Redirects Check
    print("[*] Checking Redirects & Content...")
    scrape_data = scrape_website(url)
    results["web_content"] = scrape_data
    
    if scrape_data.get("was_redirected"):
        domain = urlparse(scrape_data["redirected_url"]).netloc
        results["final_domain"] = domain
        print(f"[*] Redirected to: {domain}")
        
    # State Impersonation Logic
    title = scrape_data.get('title', '').lower()
    url_lower = url.lower()
    gov_keywords = ['bisp', 'ehsaas', 'challan', 'psca', 'nser', 'gov', 'pass.gov', '8171']
    
    is_impersonating = False
    for kw in gov_keywords:
        # Check if keyword is in title or URL but it's NOT a .gov.pk site
        if (kw in title or kw in url_lower) and not domain.endswith('.gov.pk'):
            is_impersonating = True
            break
            
    results['state_impersonation'] = is_impersonating
        
    # 2. Whois Database Check
    print("[*] Fetching WHOIS data...")
    import socket
    old_timeout = socket.getdefaulttimeout()
    socket.setdefaulttimeout(3.0)
    
    try:
        domain_info = whois.whois(domain)
        creation_date = domain_info.creation_date
        if type(creation_date) is list:
            creation_date = creation_date[0]

        if creation_date:
            if hasattr(creation_date, 'tzinfo') and creation_date.tzinfo is not None:
                creation_date = creation_date.replace(tzinfo=None)
            
            age_in_days = (datetime.now() - creation_date).days
            results["age_days"] = age_in_days
            
            if is_impersonating:
                results["domain_risk"] = "Critical Risk (State Impersonation!)"
            else:
                results["domain_risk"] = "High Risk (Scam)" if age_in_days < 30 else "Low Risk"
        else:
            if is_impersonating:
                results["domain_risk"] = "Critical Risk (State Impersonation!)"
            else:
                results["domain_risk"] = "Unknown (No date found)"
    except socket.timeout:
        print("[!] WHOIS Socket Timeout!")
        results["whois_error"] = "Timeout"
        results["age_days"] = "Unknown"
        results["domain_risk"] = "Critical Risk (State Impersonation!)" if is_impersonating else "Unknown"
    except Exception as e:
        results["whois_error"] = str(e)
        results["age_days"] = "Unknown"
        if is_impersonating:
            results["domain_risk"] = "Critical Risk (State Impersonation!)"
        else:
            results["domain_risk"] = "Unknown"
    finally:
        socket.setdefaulttimeout(old_timeout)

    # 3. SSL Certificate Check
    print("[*] Checking SSL Certificate...")
    ssl_data = check_ssl(domain)
    results["ssl_info"] = ssl_data
    
    # 4. VirusTotal Global Scam Report Check
    print("[*] Checking VirusTotal...")
    vt_data = check_virustotal(url)
    results["virustotal"] = vt_data
    
    # 5. Geolocation & ASN
    print("[*] Checking IP Geolocation...")
    ip_data = check_ip_details(domain)
    results["geolocation"] = ip_data
    
    return results

if __name__ == "__main__":
    print("\n--- TEST: Scam check ---")
    fake_site = "https://ecodsdfu-pa.cc/pk" 
    print(check_domain_forensics(fake_site))