{ "cells": [ { "cell_type": "markdown", "metadata": {}, "source": [ "### Breaking the file by lines" ] }, { "cell_type": "code", "execution_count": 1, "metadata": { "collapsed": true }, "outputs": [], "source": [ "botsText= open('message.txt',encoding='utf-8').read().split(\"\\n\")" ] }, { "cell_type": "code", "execution_count": 2, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "155520" ] }, "execution_count": 2, "metadata": {}, "output_type": "execute_result" } ], "source": [ "len(botsText)" ] }, { "cell_type": "code", "execution_count": 3, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "'Bot: false Sat Apr 21 2018 16:19:49 GMT+0000 (UTC) ip 144.76.38.73 Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/) Path: /Discourse/XTags/BASIC'" ] }, "execution_count": 3, "metadata": {}, "output_type": "execute_result" } ], "source": [ "botsText[41854]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Lets try some regex" ] }, { "cell_type": "code", "execution_count": 4, "metadata": { "collapsed": true }, "outputs": [], "source": [ "import re\n", "import json\n", "from random import randint" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Spliting bots into a big list\n", "OK OK it is possible to make a list of dictionaries" ] }, { "cell_type": "code", "execution_count": 6, "metadata": {}, "outputs": [], "source": [ "bots=[]\n", "ip_regex=re.compile(r'\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')\n", "wp_regex=re.compile(r'(?<=POST) {.*}')\n", "path_regex=re.compile(r'(?<=Path:) .*')\n", "time_regex=re.compile(r\"((?<=Bot: false\\ ) .*(?=GMT))|((?<=Bot: true\\ ) .*(?=GMT))\")\n", "for bot in range(0,len(botsText)):\n", " b=botsText[bot] #this bot\n", " ip=ip_regex.search(b).group(0)\n", " path=path_regex.findall(b)[0]\n", " wp_p=wp_regex.findall(b)\n", " time=time_regex.findall(b)[0][0]\n", " agent_regex=re.compile(r\"(?<=\"+ip+r').*(?=Path)')\n", " agent=\" \".join(agent_regex.search(b).group(0).split())\n", " 
\n", "\n", " bots.append({\"ip\":ip,\"date\":time,\"path\":path,\"post\":\"\",\"agent\":agent})\n", "\n", " #if post:\n", " if(len(wp_p)>0):\n", " try:\n", " p=json.loads(wp_p[0])\n", " except:\n", " p=wp_p[0]\n", "# print(p)\n", " bots[bot][\"post\"]=(p)\n", " agent_regex=re.compile(r\"(?<=\"+ip+r').*(?=POST)')\n", " agent=\" \".join(agent_regex.search(b).group(0).split())\n", " bots[bot][\"agent\"]=agent" ] }, { "cell_type": "code", "execution_count": 7, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'agent': 'cheeringbot',\n", " 'date': '',\n", " 'ip': '162.243.17.139',\n", " 'path': ' /yougotthis',\n", " 'post': ''}" ] }, "execution_count": 7, "metadata": {}, "output_type": "execute_result" } ], "source": [ "bots[15046]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Ok, so things seem to be inside of a big list of dictionaries, lets find out something useful" ] }, { "cell_type": "code", "execution_count": 8, "metadata": { "collapsed": true }, "outputs": [], "source": [ "from collections import Counter\n" ] }, { "cell_type": "code", "execution_count": 10, "metadata": {}, "outputs": [], "source": [ "ips=[]\n", "agents=[]\n", "passwords=[]\n", "for bot in bots:\n", " ips.append(bot[\"ip\"])\n", " agents.append(bot[\"agent\"])\n", " if(bot[\"post\"]!=\"\"):\n", " try:\n", " passwords.append(bot[\"post\"][\"pwd\"])\n", " except:\n", " x=1 #do nothing\n", "# print(bot[\"post\"])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Lets see which IP visited the most" ] }, { "cell_type": "code", "execution_count": 13, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Most common ip is: [('103.224.250.160', 20706)]\n" ] } ], "source": [ "ip_count=Counter(ips)\n", "ip_count.most_common(10)\n", "top5000=ip_count.most_common(5000)\n", "print(\"Most common ip is: \"+ str(ip_count.most_common(1)))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### What about the User Agents" ] }, { 
"cell_type": "code", "execution_count": 15, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[('Mozilla/5.0', 82206),\n", " ('Mozilla/5.0 (compatible; MJ12bot/v1.4.8; http://mj12bot.com/)', 29660),\n", " ('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',\n", " 18295),\n", " ('Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0', 10495),\n", " ('cheeringbot', 3700),\n", " ('Mozilla/5.0 (compatible; MJ12bot/v1.4.7; http://mj12bot.com/)', 3222),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36',\n", " 1423),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36',\n", " 1272),\n", " ('Googlebot-Image/1.0', 1087),\n", " ('hourlybot', 676),\n", " ('LightspeedSystemsCrawler Mozilla/5.0 (Windows; U; MSIE 9.0; Windows NT 9.0; en-US',\n", " 503),\n", " ('Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)',\n", " 285),\n", " ('spambot', 200),\n", " ('undefined', 187),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64)', 179),\n", " ('Mozilla/5.0 (Windows NT 6.1; rv:52.0) Gecko/20100101 Firefox/52.0', 124),\n", " ('Mozilla/5.0 (Linux; Android 6.0.1; Nexus 5X Build/MMB29P) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.96 Mobile Safari/537.36 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)',\n", " 114),\n", " ('Mozilla/5.0 (Linux; U; Android 2.2) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1',\n", " 107),\n", " ('Mozilla/5.0 (compatible; YandexBot/3.0; +http://yandex.com/bots)', 101),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/604.5.6 (KHTML, like Gecko) Version/11.0.3 Safari/604.5.6',\n", " 100),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36',\n", " 94),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36',\n", " 85),\n", " ('Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)', 85),\n", " ('facebookexternalhit/1.1 (+http://www.facebook.com/externalhit_uatext.php)',\n", " 69),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36',\n", " 62),\n", " ('wonderingbot', 60),\n", " ('Python-urllib/2.7', 55),\n", " ('ZmEu', 54),\n", " ('Mozilla/5.0 zgrab/0.x', 47),\n", " ('Mozilla', 35),\n", " ('python-requests/2.18.4', 34),\n", " ('Mozilla/5.0 (Linux; Android 7.0) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Focus/4.0.2 Chrome/56.0.2924.87 Mobile Safari/537.36',\n", " 28),\n", " ('Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.94 Safari/537.36',\n", " 25),\n", " ('Mozilla/5.0 (compatible; ips-agent)', 22),\n", " ('Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.0', 18),\n", " ('Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\n", " 18),\n", " ('test bot', 18),\n", " ('Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36',\n", " 17),\n", " (', 212.109.17.68 Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 16),\n", " ('Mozilla/5.0 (Linux; U; Android 4.2.2; es-us; NYX_JOIN Build/JDQ39) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30',\n", " 16),\n", " ('Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0; SLCC1; .NET CLR 2.0.50727; Media Center PC 5.0; .NET CLR 3.5.21022; .NET CLR 3.5.30729; .NET CLR 3.0.30618)',\n", " 16),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36',\n", " 15),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87 Safari/537.36',\n", " 
15),\n", " ('feedingbot', 15),\n", " ('Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',\n", " 14),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36',\n", " 14),\n", " ('goodluckbot', 13),\n", " ('hellobot', 12),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.1 Safari/605.1.15',\n", " 12),\n", " (', 176.115.152.5 Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 11),\n", " ('Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',\n", " 10),\n", " ('Go-http-client/1.1', 10),\n", " ('Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0',\n", " 10),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36',\n", " 9),\n", " ('Mozilla/5.0 (compatible; NetcraftSurveyAgent/1.0; +info@netcraft.com)', 9),\n", " ('Mozilla/5.0(WindowsNT6.1;rv:31.0)Gecko/20100101Firefox/31.0', 9),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:58.0) Gecko/20100101 Firefox/58.0',\n", " 9),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.139 Safari/537.36',\n", " 9),\n", " ('Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html',\n", " 9),\n", " ('Mozilla/5.0 (Windows NT 5.1; rv:9.0.1) Gecko/20100101 Firefox/9.0.1', 8),\n", " ('Mozilla/5.0 (iPhone; CPU iPhone OS 11_2_6 like Mac OS X) AppleWebKit/604.1.34 (KHTML, like Gecko) CriOS/65.0.3325.152 Mobile/15D100 Safari/604.1',\n", " 8),\n", " ('Wget(linux)', 8),\n", " ('Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)',\n", " 7),\n", " ('User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR 1.0.3705',\n", " 7),\n", " ('Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) 
Chrome/49.0.2623.75 Safari/537.36 Google Favicon',\n", " 7),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.65 Safari/537.31',\n", " 7),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:59.0) Gecko/20100101 Firefox/59.0',\n", " 7),\n", " ('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:x.x.x) Gecko/20041107 Firefox/x.x',\n", " 7),\n", " ('Cloud mapping experiment. Contact research@pdrlabs.net', 6),\n", " ('python-requests/2.12.3', 6),\n", " ('Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36',\n", " 6),\n", " ('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6',\n", " 5),\n", " ('masscan/1.0 (https://github.com/robertdavidgraham/masscan)', 5),\n", " ('Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64)', 5),\n", " ('Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/34.0.1847.137 Safari/537.36',\n", " 5),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36',\n", " 5),\n", " ('Mozilla/7.0 (compatible; MSIE 8.0; Windows Seven)', 5),\n", " ('stealthbot', 5),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36 Edge/16.16299',\n", " 5),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_1) AppleWebKit/601.2.4 (KHTML, like Gecko) Version/9.0.1 Safari/601.2.4 facebookexternalhit/1.1 Facebot Twitterbot/1.0',\n", " 4),\n", " ('curl/7.55.1', 4),\n", " (', 178.57.123.150 Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 4),\n", " ('Mozilla/5.0 (Windows NT 6.1; rv:45.0) Gecko/20100101 Firefox/45.0', 4),\n", " ('okhttp/3.5.0', 4),\n", " (', 79.134.3.25 Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 4),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_5) AppleWebKit/537.36 
(KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36',\n", " 4),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:59.0) Gecko/20100101 Firefox/59.0',\n", " 4),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36',\n", " 4),\n", " ('Mozilla/5.0 (Linux; Android 7.0; SM-G930F Build/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/65.0.3325.109 Mobile Safari/537.36 [FB_IAB/FB4A;FBAV/167.0.0.42.94;]',\n", " 4),\n", " (', 94.139.100.110 Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 4),\n", " ('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-us; rv:1.7.12) Gecko/20050919 Firefox/1.0.7',\n", " 4),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36',\n", " 4),\n", " (', 94.29.124.77 Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 4),\n", " (', 194.190.24.138 Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 4),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:50.0) Gecko/20100101 Firefox/50.0',\n", " 4),\n", " ('Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36',\n", " 4),\n", " ('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)', 4),\n", " ('Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)', 4),\n", " ('Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko', 4),\n", " ('Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.117 Safari/537.36',\n", " 4)]" ] }, "execution_count": 15, "metadata": {}, "output_type": "execute_result" } ], "source": [ "agent_count=Counter(agents)\n", "agent_count.most_common(100)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### What about the most common passwords?" 
] }, { "cell_type": "code", "execution_count": 16, "metadata": { "scrolled": false }, "outputs": [ { "data": { "text/plain": [ "[('admin1234', 8),\n", " ('admin123456', 8),\n", " ('abc123', 8),\n", " ('pass123', 7),\n", " ('passw0rd', 7),\n", " ('toor', 7),\n", " ('qwerty123', 7),\n", " ('123qwerty', 7),\n", " ('1234561', 7),\n", " ('ambulance', 7),\n", " ('hahaha', 7),\n", " ('leader', 7),\n", " ('skater', 7),\n", " ('sun', 7),\n", " ('pass1', 7),\n", " ('password01', 7),\n", " ('1313', 7),\n", " ('argent', 7),\n", " ('bridge', 7),\n", " ('Welcome1', 7),\n", " ('000', 6),\n", " ('0000', 6),\n", " ('00000000', 6),\n", " ('007007', 6),\n", " ('0123', 6)]" ] }, "execution_count": 16, "metadata": {}, "output_type": "execute_result" } ], "source": [ "pass_count=Counter(passwords)\n", "pass_count.most_common(25)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "___\n", "\n", "### Lets look at the wordpress attacks" ] }, { "cell_type": "code", "execution_count": 25, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "5010" ] }, "execution_count": 25, "metadata": {}, "output_type": "execute_result" } ], "source": [ "wp_bots=[]\n", "for bot in bots:\n", " try:\n", " if(bot[\"post\"][\"rememberme\"]==\"forever\"):\n", " # wp_bots.append(\"ip: \"+bot[\"ip\"]+\" agent: \"+bot[\"agent\"])\n", " wp_bots.append(bot[\"ip\"])\n", " except:\n", " ignore=bot\n", "\n", "len(wp_bots)" ] }, { "cell_type": "code", "execution_count": 27, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[('95.79.33.65', 23),\n", " ('176.197.78.250', 22),\n", " ('93.157.168.25', 21),\n", " ('37.143.19.62', 20),\n", " ('46.61.152.185', 19),\n", " ('5.104.206.2', 19),\n", " ('185.59.58.52', 18),\n", " ('91.192.173.25', 18),\n", " ('185.13.112.104', 18),\n", " ('62.140.230.163', 17),\n", " ('109.172.30.247', 17),\n", " ('192.95.168.172', 16),\n", " ('93.170.177.233', 16),\n", " ('80.64.18.225', 16),\n", " ('185.81.248.18', 16),\n", " ('188.0.135.155', 16),\n", " ('176.120.211.202', 
16),\n", " ('212.118.40.117', 16),\n", " ('46.35.243.27', 15),\n", " ('195.9.51.62', 15)]" ] }, "execution_count": 27, "metadata": {}, "output_type": "execute_result" } ], "source": [ "wp_count=Counter(wp_bots)\n", "wp_count.most_common(20)" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Let's see how many unique ips" ] }, { "cell_type": "code", "execution_count": 28, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "WP attacks: 5010\n", "WP Unique IPs: 2110\n" ] } ], "source": [ "unique_wp=list(set(wp_bots))\n", "print(\"WP attacks: \"+str(len(wp_bots)))\n", "print(\"WP Unique IPs: \"+str(len(unique_wp)))" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## This is really interesting because the 5010 hacking attempts all came from 2110 different IP addresses, yet the attacks are identical and follow a particular order. This means that the attacker has access to over 2000 machines or uses some sort of VPN/Tor to hide their real origin. " ] }, { "cell_type": "code", "execution_count": 29, "metadata": { "collapsed": true }, "outputs": [], "source": [ "import pygeoip" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### IP locator, this is a library to find where the geo location of an ip might be. 
Not sure how accurate it is; it locates the IP address, not necessarily whoever controls it" ] }, { "cell_type": "code", "execution_count": 30, "metadata": { "collapsed": true }, "outputs": [], "source": [ "def ipLocator(ip):\n", " GeoIPDatabase = 'GeoLiteCity.dat'\n", " ipData = pygeoip.GeoIP(GeoIPDatabase)\n", " record = ipData.record_by_name(ip)\n", "# print(\"The geolocation for IP Address %s is:\" % ip)\n", "# print(\"Accurate Location: %s, %s, %s\" % (record['city'], record['region_code'], record['country_name']))\n", "# print(\"General Location: %s\" % (record['metro_code']))\n", " data=ipData.record_by_addr(ip)\n", "# print(data)\n", " return(data)\n" ] }, { "cell_type": "code", "execution_count": 32, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "('95.79.33.65', 23)" ] }, "execution_count": 32, "metadata": {}, "output_type": "execute_result" } ], "source": [ "top10=wp_count.most_common(10)\n", "top10[0]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Let's see where the top attacker's IP comes from" ] }, { "cell_type": "code", "execution_count": 35, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'area_code': 0,\n", " 'city': 'Nizhniy Novgorod',\n", " 'continent': 'EU',\n", " 'country_code': 'RU',\n", " 'country_code3': 'RUS',\n", " 'country_name': 'Russian Federation',\n", " 'dma_code': 0,\n", " 'latitude': 56.326899999999995,\n", " 'longitude': 44.00749999999999,\n", " 'metro_code': None,\n", " 'postal_code': '603028',\n", " 'region_code': '51',\n", " 'time_zone': 'Europe/Moscow'}" ] }, "execution_count": 35, "metadata": {}, "output_type": "execute_result" } ], "source": [ "ipLocator(top10[0][0])" ] }, { "cell_type": "code", "execution_count": 36, "metadata": {}, "outputs": [], "source": [ "locations=[]\n", "for ip in top10:\n", " data=ipLocator(ip[0])\n", " lon=data[\"longitude\"]\n", " lat=data[\"latitude\"]\n", " url=\"https://www.google.com/maps/place/\"+str(lat)+\",\"+str(lon)\n", " loc=(\"(\"+str(lat)+\",\"+str(lon)+\")\")\n", " locations.append(loc)\n", "# print(url)\n", "# 
!/usr/bin/open -a \"/Applications/Google Chrome.app\" {url}\n", "top_ten_ip_locations=\"[\"+(\",\".join(locations))+\"]\"\n", "# locat.append(json.loads(\",\".join(locations)))\n" ] }, { "cell_type": "code", "execution_count": 38, "metadata": { "collapsed": true }, "outputs": [], "source": [ "key=\"Get your own key\"" ] }, { "cell_type": "code", "execution_count": 39, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "list" ] }, "execution_count": 39, "metadata": {}, "output_type": "execute_result" } ], "source": [ "from ast import literal_eval\n", "top_ten_ip_locations=literal_eval(top_ten_ip_locations)\n", "type(top_ten_ip_locations)" ] }, { "cell_type": "code", "execution_count": 40, "metadata": { "scrolled": false }, "outputs": [ { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "757eed9e68304e7e99a2db89a05e474f", "version_major": 2, "version_minor": 0 }, "text/plain": [ "A Jupyter Widget" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "import gmaps\n", "import gmaps.datasets\n", "import gmaps.geojson_geometries\n", "gmaps.configure(api_key=key)\n", "\n", "marker_locations = top_ten_ip_locations\n", "\n", "fig = gmaps.figure()\n", "markers = gmaps.marker_layer(marker_locations)\n", "fig.add_layer(markers)\n", "fig" ] }, { "cell_type": "markdown", "metadata": { "collapsed": true }, "source": [ "### top 100" ] }, { "cell_type": "code", "execution_count": 41, "metadata": {}, "outputs": [ { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "8730548cc8db4682932688b25b393a6a", "version_major": 2, "version_minor": 0 }, "text/plain": [ "A Jupyter Widget" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "top100=wp_count.most_common(100)\n", "locations=[]\n", "for ip in top100:\n", " data=ipLocator(ip[0])\n", " lon=data[\"longitude\"]\n", " lat=data[\"latitude\"]\n", "# url=\"https://www.google.com/maps/place/\"+str(lat)+\",\"+str(lon)\n", " loc=(\"(\"+str(lat)+\",\"+str(lon)+\")\")\n", 
" locations.append(loc)\n", "# !/usr/bin/open -a \"/Applications/Google Chrome.app\" {url}\n", "top_100_ip_locations=\"[\"+(\",\".join(locations))+\"]\"\n", "top_100_ip_locations=literal_eval(top_100_ip_locations)\n", "\n", "marker_locations = top_100_ip_locations\n", "\n", "fig = gmaps.figure()\n", "markers = gmaps.marker_layer(marker_locations)\n", "fig.add_layer(markers)\n", "fig" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### The previous maps are useful but it would be cooler to show this as a heatmap" ] }, { "cell_type": "code", "execution_count": 42, "metadata": { "scrolled": false }, "outputs": [ { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "e65dd1d148d948fd83ccb1aed251a5e2", "version_major": 2, "version_minor": 0 }, "text/plain": [ "A Jupyter Widget" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "top100=wp_count.most_common(700)\n", "locations=[]\n", "visits=[]\n", "for ip in top100:\n", " data=ipLocator(ip[0])\n", " try:\n", " lon=data[\"longitude\"]\n", " lat=data[\"latitude\"]\n", " # url=\"https://www.google.com/maps/place/\"+str(lat)+\",\"+str(lon)\n", " loc=(\"(\"+str(lat)+\",\"+str(lon)+\")\")\n", " locations.append(loc)\n", " visits.append(ip[1])\n", " except:\n", " do=\"nothing\"\n", "# !/usr/bin/open -a \"/Applications/Google Chrome.app\" {url}\n", "top_100_ip_locations=\"[\"+(\",\".join(locations))+\"]\"\n", "top_100_ip_locations=literal_eval(top_100_ip_locations)\n", "\n", "marker_locations = top_100_ip_locations\n", "\n", "fig = gmaps.figure(map_type='SATELLITE',layout={'width': '960px', 'height': '560px'},center=(20,0),zoom_level=2)\n", "fig.add_layer(gmaps.heatmap_layer(marker_locations,weights=visits,max_intensity=25,point_radius=10.0))\n", "fig" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "## Grouping by IPs\n", "\n", "Bots coming with the same IP should be treated as one." 
] }, { "cell_type": "code", "execution_count": 45, "metadata": { "collapsed": true }, "outputs": [], "source": [ "def checkIP(ip):\n", " for bot in range(0,len(unique_bots)):\n", " if unique_bots[bot][\"ip\"]== ip:\n", " return bot\n", " \n", " return False" ] }, { "cell_type": "code", "execution_count": 47, "metadata": {}, "outputs": [], "source": [ "unique_bots=[]\n", "ip_regex=re.compile(r'\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}')\n", "wp_regex=re.compile(r'(?<=POST) {.*}')\n", "path_regex=re.compile(r'(?<=Path:) .*')\n", "time_regex=re.compile(r\"((?<=Bot: false\\ ) .*(?=GMT))|((?<=Bot: true) .*(?=GMT))\")\n", "for bot in range(0,len(botsText)):\n", " b=botsText[bot] #this bot\n", " ip=ip_regex.search(b).group(0)\n", " path=path_regex.findall(b)[0]\n", " wp_p=wp_regex.findall(b)\n", " time=time_regex.findall(b)[0][0]\n", " agent_regex=re.compile(r\"(?<=\"+ip+r').*(?=POST)|(?<='+ip+r').*(?=Path)')\n", " agent=\" \".join(agent_regex.search(b).group(0).split())\n", " \n", " botMatchIndex=checkIP(ip)\n", " if botMatchIndex is False:\n", " unique_bots.append({\"ip\":ip,\"date\":[time],\"path\":[path],\"post\":[],\"agent\":[agent]})\n", " #if post:\n", " if(len(wp_p)>0):\n", " try:\n", " p=json.loads(wp_p[0])\n", " except:\n", " p=wp_p[0]\n", "# print(p)\n", " #Since we are just appending to uniqeBots, this bot has to be the last one we added, len(unique_bots)-1\n", " unique_bots[len(unique_bots)-1][\"post\"].append(p)\n", " else:\n", " unique_bots[botMatchIndex][\"agent\"].append(agent)\n", " unique_bots[botMatchIndex][\"date\"].append(time)\n", " unique_bots[botMatchIndex][\"path\"].append(path)\n", " if(len(wp_p)>0):\n", " try:\n", " p=json.loads(wp_p[0])\n", " except:\n", " p=wp_p[0]\n", "# print(p)\n", " #Since we are just appending to uniqeBots, this bot has to be the last one we added, len(unique_bots)-1\n", " unique_bots[botMatchIndex][\"post\"].append(p)\n", "\n", "\n", "\n", "\n" ] }, { "cell_type": "code", "execution_count": 48, "metadata": {}, 
"outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "3499\n", "155520\n" ] } ], "source": [ "print(len(unique_bots))\n", "print(len(bots))\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Testing a bot to see what it looks like" ] }, { "cell_type": "code", "execution_count": 50, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "{'agent': ['Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0',\n", " 'Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0'],\n", " 'date': [' Wed Apr 04 2018 11:44:59 ',\n", " ' Wed Apr 04 2018 11:44:59 ',\n", " ' Tue Apr 17 2018 12:13:56 ',\n", " ' Tue Apr 17 2018 12:13:56 ',\n", " ' Thu Apr 19 2018 12:12:11 ',\n", " ' Thu Apr 19 2018 12:12:11 ',\n", " ' Mon Apr 23 2018 11:50:44 ',\n", " ' Mon Apr 23 2018 11:50:44 ',\n", " ' Mon Apr 23 2018 14:50:43 ',\n", " ' Mon Apr 23 2018 14:50:44 ',\n", " ' Fri Apr 27 2018 14:49:58 ',\n", " ''],\n", " 'ip': '194.135.211.170',\n", " 'path': [' /wp-login.php',\n", " ' /wp-login.php',\n", " ' /wp-login.php',\n", " ' /wp-login.php',\n", " ' /wp-login.php',\n", " ' /wp-login.php',\n", " ' /wp-login.php',\n", " ' /wp-login.php',\n", " ' /wp-login.php',\n", " ' /wp-login.php',\n", " ' 
/wp-login.php',\n", " ' /wp-login.php'],\n", " 'post': [{'log': 'symbiosis',\n", " 'pwd': '333',\n", " 'redirect_to': 'wp-login-error.html',\n", " 'rememberme': 'forever',\n", " 'submit': 'Login'},\n", " {'log': 'administrator',\n", " 'pwd': 'tarzan',\n", " 'redirect_to': 'wp-login-error.html',\n", " 'rememberme': 'forever',\n", " 'submit': 'Login'},\n", " {'log': 'fitnessweightwarrior',\n", " 'pwd': '******',\n", " 'redirect_to': 'wp-login-error.html',\n", " 'rememberme': 'forever',\n", " 'submit': 'Login'},\n", " {'log': 'admin',\n", " 'pwd': 'pass12',\n", " 'redirect_to': 'wp-login-error.html',\n", " 'rememberme': 'forever',\n", " 'submit': 'Login'},\n", " {'log': 'administrator',\n", " 'pwd': 'xxx',\n", " 'redirect_to': 'wp-login-error.html',\n", " 'rememberme': 'forever',\n", " 'submit': 'Login'},\n", " {'log': 'symbiosis',\n", " 'pwd': 'mud',\n", " 'redirect_to': 'wp-login-error.html',\n", " 'rememberme': 'forever',\n", " 'submit': 'Login'}]}" ] }, "execution_count": 50, "metadata": {}, "output_type": "execute_result" } ], "source": [ " unique_bots[123]" ] }, { "cell_type": "code", "execution_count": 51, "metadata": { "collapsed": true }, "outputs": [], "source": [ "def bot_by_ip(ip):\n", " for bot in unique_bots:\n", " if(bot[\"ip\"]==ip):\n", " return bot\n", " return (\"ip not found\")\n", " \n", " " ] }, { "cell_type": "code", "execution_count": 52, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[('95.79.33.65', 23),\n", " ('176.197.78.250', 22),\n", " ('93.157.168.25', 21),\n", " ('37.143.19.62', 20),\n", " ('46.61.152.185', 19),\n", " ('5.104.206.2', 19),\n", " ('185.59.58.52', 18),\n", " ('91.192.173.25', 18),\n", " ('185.13.112.104', 18),\n", " ('62.140.230.163', 17)]" ] }, "execution_count": 52, "metadata": {}, "output_type": "execute_result" } ], "source": [ "top10" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### Lets take a look by individual bot" ] }, { "cell_type": "code", "execution_count": 53, "metadata": { 
"collapsed": true }, "outputs": [], "source": [ "pwd=[]\n", "user=[]\n", "p=bot_by_ip(top10[0][0])[\"post\"]\n", "for attempt in p:\n", " pwd.append(attempt[\"pwd\"])\n", " user.append(attempt[\"log\"])" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "### passwords tried by top 1 bot:" ] }, { "cell_type": "code", "execution_count": 54, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['happy1',\n", " '11223344',\n", " '31337',\n", " '43214321',\n", " 'adam',\n", " 'administrator12345',\n", " 'diablo',\n", " 'invalid',\n", " 'Kristy',\n", " 'monitor',\n", " 'lier',\n", " 'N/A',\n", " 'she',\n", " 'slash',\n", " 'sniper',\n", " 'michael',\n", " 'zyxel',\n", " 'maxima',\n", " 'lutte',\n", " 'mirror',\n", " 'rosebud',\n", " 'team',\n", " 'smooth']" ] }, "execution_count": 54, "metadata": {}, "output_type": "execute_result" } ], "source": [ "pwd" ] }, { "cell_type": "code", "execution_count": 55, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "['administrator',\n", " 'symbiosis',\n", " 'administrator',\n", " 'admin',\n", " 'fitnessweightwarrior',\n", " 'admin',\n", " 'admin',\n", " 'admin',\n", " 'admin',\n", " 'administrator',\n", " 'admin',\n", " 'fitnessweightwarrior',\n", " 'admin',\n", " 'admin',\n", " 'fitnessweightwarrior',\n", " 'admin',\n", " 'administrator',\n", " 'admin',\n", " 'admin',\n", " 'administrator',\n", " 'administrator',\n", " 'admin',\n", " 'fitnessweightwarrior']" ] }, "execution_count": 55, "metadata": {}, "output_type": "execute_result" } ], "source": [ "user" ] }, { "cell_type": "code", "execution_count": 56, "metadata": {}, "outputs": [ { "data": { "text/plain": [ "[' Fri Apr 06 2018 07:09:52 ',\n", " ' Fri Apr 06 2018 07:09:52 ',\n", " ' Sat Apr 07 2018 04:22:08 ',\n", " ' Sat Apr 07 2018 04:22:08 ',\n", " ' Sun Apr 08 2018 22:30:28 ',\n", " ' Sun Apr 08 2018 22:30:28 ',\n", " ' Mon Apr 09 2018 03:47:56 ',\n", " ' Mon Apr 09 2018 03:47:56 ',\n", " ' Mon Apr 09 2018 13:48:47 ',\n", " ' Mon Apr 09 2018 13:48:47 
',\n", " ' Mon Apr 09 2018 15:51:46 ',\n", " ' Mon Apr 09 2018 15:51:46 ',\n", " ' Wed Apr 11 2018 18:17:02 ',\n", " ' Wed Apr 11 2018 18:17:03 ',\n", " ' Fri Apr 13 2018 12:33:16 ',\n", " ' Fri Apr 13 2018 12:33:16 ',\n", " ' Fri Apr 13 2018 18:25:41 ',\n", " ' Fri Apr 13 2018 18:25:41 ',\n", " ' Fri Apr 13 2018 23:02:05 ',\n", " ' Fri Apr 13 2018 23:02:05 ',\n", " ' Sat Apr 14 2018 03:06:21 ',\n", " ' Sat Apr 14 2018 03:06:21 ',\n", " ' Sun Apr 15 2018 01:21:12 ',\n", " ' Sun Apr 15 2018 01:21:12 ',\n", " ' Mon Apr 16 2018 19:18:34 ',\n", " ' Mon Apr 16 2018 19:18:34 ',\n", " ' Tue Apr 17 2018 09:00:11 ',\n", " ' Tue Apr 17 2018 09:00:11 ',\n", " ' Tue Apr 17 2018 09:41:50 ',\n", " ' Tue Apr 17 2018 09:41:50 ',\n", " ' Wed Apr 18 2018 11:36:58 ',\n", " ' Wed Apr 18 2018 11:36:59 ',\n", " ' Fri Apr 20 2018 22:10:36 ',\n", " ' Sat Apr 21 2018 21:07:49 ',\n", " ' Sun Apr 22 2018 01:46:24 ',\n", " ' Mon Apr 23 2018 03:08:40 ',\n", " ' Mon Apr 23 2018 03:08:40 ',\n", " ' Fri Apr 27 2018 11:43:51 ',\n", " '',\n", " ' Fri Apr 27 2018 14:04:39 ',\n", " '',\n", " ' Sat Apr 28 2018 00:15:48 ',\n", " '',\n", " ' Sat Apr 28 2018 13:46:36 ',\n", " '',\n", " ' Sun Apr 29 2018 14:53:11 ',\n", " '',\n", " ' Sun Apr 29 2018 17:20:58 ',\n", " '']" ] }, "execution_count": 56, "metadata": {}, "output_type": "execute_result" } ], "source": [ "bot_by_ip(top100[0][0])[\"date\"]" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "---\n", "\n", "\n", "# POEM?\n" ] }, { "cell_type": "code", "execution_count": 63, "metadata": { "collapsed": true }, "outputs": [], "source": [ "import random" ] }, { "cell_type": "code", "execution_count": 64, "metadata": { "scrolled": false }, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "Dear 145.255.11.228,\n", "\n", "I saw you for the first time back in Apr 07, it was a Sat\n", "It was 09:33:13\n", "\n", "You were looking for 1232\n", "\n", "\n", "You asked me to remember you forever\n", "\n", "I told you:\n", "\"forever 
is a long time, come back and I might\"\n", "\n", "\n", "\n", "and you did:\n", "\n", "\n", "\n", "\n", "\n", " and again that same night\n", " and again that same night\n", "again in Sun Apr 08\n", " and again that same night\n", "\n", "I want you to be my admin, my admin\n", "I have 1232 for you, 1qazxsw2\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "I wonder who you are\n", "I wonder where you are\n", "145.255.11.228 will you come back?\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "145.255.11.228 can I call you 228\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "5.104.206.2 keeps comming in your absense.\n", "19 times so far.\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "228 will you come back after visiting all those other servers??\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "228 don't make me come find you\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "228 Please understand, I tried to resist\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n" ] }, { "data": { "application/vnd.jupyter.widget-view+json": { "model_id": "8b62bbe8673d4ffd99d22c97626256f9", "version_major": 2, "version_minor": 0 }, "text/plain": [ "A Jupyter Widget" ] }, "metadata": {}, "output_type": "display_data" } ], "source": [ "r_bot=random.choice(top100)[0]\n", "data=bot_by_ip(r_bot)\n", "date=data[\"date\"][0].strip().split(\" \")\n", "\n", "\n", "print(\"Dear \"+r_bot+\",\\n\")\n", "print(\"I saw you for the first time back in \"+ date[1]+\" \"+date[2]+\", it was a \"+date[0])\n", "print(\"It was \"+date[4])\n", "print(\"\")\n", "print(\"You were looking for \" +data[\"post\"][0][\"pwd\"])\n", "print(\"\")\n", "print(\"\")\n", 
"print(\"You asked me to remember you \" +data[\"post\"][0][\"rememberme\"])\n", "print(\"\")\n", "print(\"I told you:\")\n", "print(\"\\\"\"+data[\"post\"][0][\"rememberme\"]+\" is a long time, come back and I might\\\"\")\n", "print(\"\")\n", "print(\"\")\n", "print(\"\")\n", "\n", "print(\"and you did:\")\n", "for i in range(0,5):\n", " print(\"\")\n", " \n", "prev_date=date\n", "for i in range (0, len(data[\"date\"])):\n", " date=data[\"date\"][i].strip().split(\" \")\n", " if(date[0]==prev_date[0] and date[1]==prev_date[1] and date[2]==prev_date[2]):\n", " print(\" and again that same night\")\n", " else:\n", " try:\n", " print(\"again in \"+date[0]+\" \"+date[1]+\" \"+date[2])\n", " except:\n", " a=0\n", " prev_date=date\n", " i=i+1\n", "print(\"\")\n", "\n", "\n", "user=[]\n", "pwd=[]\n", "for i in range (0, len(data[\"post\"])):\n", " user.append(data[\"post\"][i][\"log\"])\n", " pwd.append(data[\"post\"][i][\"pwd\"])\n", " \n", "user=\", my \".join(user)\n", "pwd=\" for you, \".join(pwd)\n", "print(\"I want you to be my \"+user )\n", "print(\"I have \"+pwd)\n", "\n", "for i in range(0,10):\n", " print(\"\")\n", "print(\"I wonder who you are\")\n", "print(\"I wonder where you are\")\n", "print(r_bot+\" will you come back?\")\n", "for i in range(0,10):\n", " print(\"\")\n", "cute_name=r_bot.split(\".\")[3]\n", "print(r_bot+\" can I call you \"+cute_name)\n", "for i in range(0,10):\n", " print(\"\")\n", "who_cares=random.choice(top10)\n", "\n", "\n", "print(who_cares[0]+\" keeps comming in your absense.\")\n", "print(str(who_cares[1])+\" times so far.\")\n", "\n", "for i in range(0,10):\n", " print(\"\")\n", " \n", "print(cute_name+\" will you come back after visiting all those other servers??\")\n", "for i in range(0,10):\n", " print(\"\")\n", "\n", "print(cute_name+\" don't make me come find you\")\n", "for i in range(0,30):\n", " print(\"\")\n", "print(cute_name+\" Please understand, I tried to resist\")\n", "for i in range(0,30):\n", " print(\"\")\n", 
"bot_loc=ipLocator(r_bot)\n", "lon=bot_loc[\"longitude\"]\n", "lat=bot_loc[\"latitude\"]\n", "loc=[(lat,lon)]\n", "fig = gmaps.figure()\n", "markers = gmaps.marker_layer(loc)\n", "fig.add_layer(markers)\n", "fig\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n", "\n" ] }, { "cell_type": "markdown", "metadata": {}, "source": [ "# POEM 2" ] }, { "cell_type": "code", "execution_count": null, "metadata": {}, "outputs": [ { "name": "stdout", "output_type": "stream", "text": [ "('94.76.125.54', 11)\n" ] } ], "source": [ "wp_count=Counter(wp_bots)\n", "top500=wp_count.most_common(150)\n", "bot=random.choice(top500)\n", "unique_wp=list(set(wp_bots))\n", "\n", "print(bot)\n", "\n", "\n", "locations=[]\n", "data=ipLocator(bot[0])\n", "lon=data[\"longitude\"]\n", "lat=data[\"latitude\"]\n", "url=\"https://www.google.com/maps/place/\"+str(lat)+\",\"+str(lon)\n", "loc=(\"(\"+str(lat)+\",\"+str(lon)+\")\")\n", "locations.append(loc)\n", " # webbrowser.open(url,new=1)\n", "# print(url)\n", " # call[\"/usr/bin/open -a \"/Applications/Google Chrome.app\" {url}\n", " # !/usr/bin/open -a \"/Applications/Google Chrome.app\" {url}\n", "top_ten_ip_locations=\"[\"+(\",\".join(locations))+\"]\"\n", "# locat.append(json.loads(\",\".join(locations)))\n", "\n", "\n", "cont=input(\"Welcome back\\nWhat would you like to do tonight?\\n\")\n", "# print(\"you said: \"+str(cont))\n", "# time.sleep(1)\n", "cont=input(\"yes\\n\")\n", "cont=input(\"Are you sure?\\n\")\n", "# time.sleep(1)\n", "# pswd = getpass.getpass('Please confirm you want to do this: ')\n", "# time.sleep(1)\n", "\n", "cont=input(\"It was here \")\n", "# print(bot_by_ip(bot[0])[\"date\"])\n", "bot_data=bot_by_ip(bot[0])\n", "# print(bot_data)\n", "dates=bot_data[\"date\"]\n", "print(dates[len(dates)-2])\n", "\n", "cont=input(\"\")\n", "print(\"yes\")\n", "cont=input(\"\")\n", "print(\"It 
wanted to get access, it tried:\")\n", "attempt=bot_data[\"post\"]\n", "print(\"User: \"+attempt[len(attempt)-1][\"log\"]+\" Password: \"+attempt[len(attempt)-1][\"pwd\"]+\", it asked you to remember it forever\")\n", "cont=input(\"\")\n", "print(\"What do you want me to say?\")\n", "# print (pswd)\n", "\n", "\n", "r_bot=bot[0]\n", "data=bot_by_ip(r_bot)\n", "date=data[\"date\"][0].strip().split(\" \")\n", "for i in range(0,30):\n", " print()\n", "\n", "print(\"Dear \"+r_bot+\",\\n\")\n", "print(\"I saw you for the first time back in \"+ date[1]+\" \"+date[2]+\", it was a \"+date[0])\n", "print(\"It was \"+date[4])\n", "print(\"\")\n", "print(\"You were looking for \" +data[\"post\"][0][\"pwd\"])\n", "print(\"\")\n", "print(\"\")\n", "print(\"You asked me to remember you \" +data[\"post\"][0][\"rememberme\"])\n", "print(\"\")\n", "print(\"I told you:\")\n", "print(\"\\\"\"+data[\"post\"][0][\"rememberme\"]+\" is a long time, come back and I might\\\"\")\n", "print(\"\")\n", "print(\"\")\n", "print(\"\")\n", "\n", "print(\"and you did:\")\n", "for i in range(0,5):\n", " print(\"\")\n", " \n", "prev_date=date\n", "for i in range (0, len(data[\"date\"])):\n", " date=data[\"date\"][i].strip().split(\" \")\n", " if(date[0]==prev_date[0] and date[1]==prev_date[1] and date[2]==prev_date[2]):\n", " print(\" and again that same night\")\n", " else:\n", " try:\n", " print(\"again in \"+date[0]+\" \"+date[1]+\" \"+date[2])\n", " except:\n", " a=0\n", " prev_date=date\n", " i=i+1\n", "print(\"\")\n", "\n", "\n", "user=[]\n", "pwd=[]\n", "for i in range (0, len(data[\"post\"])):\n", " user.append(data[\"post\"][i][\"log\"])\n", " pwd.append(data[\"post\"][i][\"pwd\"])\n", " \n", "user=\", my \".join(user)\n", "pwd=\" for you, \".join(pwd)\n", "print(\"I want you to be my \"+user )\n", "print(\"I have \"+pwd)\n", "\n", "for i in range(0,10):\n", " print(\"\")\n", "print(\"I wonder who you are\")\n", "print(\"I wonder where you are\")\n", "print(r_bot+\" will you come 
back?\")\n", "for i in range(0,10):\n", " print(\"\")\n", "cute_name=r_bot.split(\".\")[3]\n", "print(r_bot+\" can I call you \"+cute_name)\n", "for i in range(0,10):\n", " print(\"\")\n", "who_cares=random.choice(top10)\n", "\n", "\n", "print(who_cares[0]+\" keeps comming in your absense.\")\n", "print(str(who_cares[1])+\" times so far.\")\n", "\n", "for i in range(0,10):\n", " print(\"\")\n", " \n", "print(cute_name+\" what are you looking for?\")\n", "print(cute_name+\" who are you looking for?\")\n", "\n", "for i in range(0,10):\n", " print(\"\")\n", "print(cute_name+\" will you come back?\")\n", "for i in range(0,10):\n", " print(\"\")\n", "print(cute_name+\" will you please come back?\")\n", "for i in range(0,10):\n", " print(\"\")\n", "\n", "\n", "print(cute_name+\" don't make me come find you\")\n", "for i in range(0,30):\n", " print(\"\")\n", "print(cute_name+\" Please understand, I tried to resist\")\n", "for i in range(0,30):\n", " print(\"\")\n", "bot_loc=ipLocator(r_bot)\n", "lon=bot_loc[\"longitude\"]\n", "lat=bot_loc[\"latitude\"]\n", "loc=[(lat,lon)]\n", "\n", "print(cute_name+\", I'll be here waiting\")\n", "\n", "#uncomment to open on a new browser window\n", "# webbrowser.open(url,new=1)\n", "\n" ] }, { "cell_type": "code", "execution_count": null, "metadata": { "collapsed": true }, "outputs": [], "source": [] } ], "metadata": { "kernelspec": { "display_name": "Python 3", "language": "python", "name": "python3" }, "language_info": { "codemirror_mode": { "name": "ipython", "version": 3 }, "file_extension": ".py", "mimetype": "text/x-python", "name": "python", "nbconvert_exporter": "python", "pygments_lexer": "ipython3", "version": "3.6.3" } }, "nbformat": 4, "nbformat_minor": 2 }