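#!/usr/bin/env python
# coding: utf-8

# ### Breaking the file by lines

# In[1]:
# Read the web-server/honeypot log once and split it into one entry per line.
# `with` closes the handle deterministically (the original left it to the GC).
with open('message.txt', encoding='utf-8') as _log_file:
    botsText = _log_file.read().split("\n")

# In[2]:
len(botsText)

# In[3]:
# Notebook probe of one sample line (cell output only).
botsText[41854]

# ### Lets try some regex

# In[4]:
import re
import json
from random import randint

# ### Spliting bots into a big list
# OK OK it is possible to make a list of dictionaries

# In[6]:
# Field extractors for one log line. The exact log layout is not shown in
# this file; the patterns are kept exactly as the author wrote them.
ip_regex = re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')
wp_regex = re.compile(r'(?<=POST) {.*}')
path_regex = re.compile(r'(?<=Path:) .*')
time_regex = re.compile(r"((?<=Bot: false\ ) .*(?=GMT))|((?<=Bot: true\ ) .*(?=GMT))")


def _parse_post_body(raw):
    """Decode a POST body captured by ``wp_regex``.

    Returns the parsed JSON value when the body is valid JSON, otherwise the
    raw string unchanged (the original kept the string so nothing is lost).
    ``json.loads`` is safe on attacker-controlled text; do not replace it
    with ``eval``/``literal_eval``.
    """
    try:
        return json.loads(raw)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return raw


def _agent_between(line, ip, end_marker):
    """Return the whitespace-normalised text between ``ip`` and ``end_marker``.

    Args:
        line: one raw log line.
        ip: the dotted-quad already found in ``line``. It is escaped so its
            dots are literal; the original interpolated it unescaped, so
            ``.`` matched any character.
        end_marker: ``"Path"`` or ``"POST"``.

    Returns:
        The matched text with runs of whitespace collapsed to single spaces,
        or ``None`` when the markers are not found.
    """
    pattern = r"(?<=" + re.escape(ip) + r").*(?=" + end_marker + r")"
    match = re.search(pattern, line)
    if match is None:
        return None
    return " ".join(match.group(0).split())


def parse_bot_line(b):
    """Turn one log line into the bot dict used throughout this notebook.

    Args:
        b: one raw log line.

    Returns:
        ``{"ip", "date", "path", "post", "agent"}`` with ``post`` set to the
        decoded POST body (``""`` when the line has none), or ``None`` when
        the line does not carry the fields the regexes expect.
    """
    ip_match = ip_regex.search(b)
    paths = path_regex.findall(b)
    times = time_regex.findall(b)
    if ip_match is None or not paths or not times:
        return None
    ip = ip_match.group(0)
    # findall on the two-group alternation yields (group1, group2) tuples;
    # the original always took group1, which is "" for "Bot: true" lines.
    # Take whichever alternative actually matched.
    time = times[0][0] or times[0][1]
    agent = _agent_between(b, ip, "Path")
    if agent is None:
        return None
    entry = {"ip": ip, "date": time, "path": paths[0], "post": "", "agent": agent}
    wp_p = wp_regex.findall(b)
    if wp_p:
        entry["post"] = _parse_post_body(wp_p[0])
        # On POST lines the agent text ends at "POST", not at "Path".
        post_agent = _agent_between(b, ip, "POST")
        if post_agent is not None:
            entry["agent"] = post_agent
    return entry


bots = []
_unparsed = 0
for b in botsText:
    if not b.strip():
        continue  # blank line (e.g. the file's trailing newline)
    entry = parse_bot_line(b)
    if entry is None:
        _unparsed += 1  # counted rather than dropped silently
        continue
    bots.append(entry)
if _unparsed:
    print("Lines without the expected fields (skipped): " + str(_unparsed))

# In[7]:
bots[15046]

# ### Ok, so things seem to be inside of a big list of dictionaries, lets find out something useful

# In[8]:
from collections import Counter

# In[10]:
ips = [bot["ip"] for bot in bots]
agents = [bot["agent"] for bot in bots]
# Only decoded (dict) POST bodies carry a "pwd" field; string bodies and
# GET-only entries are skipped, which is what the original bare except did.
# These are credentials submitted by the attackers; they may include real
# leaked credentials, so treat the list as sensitive data.
passwords = [bot["post"]["pwd"] for bot in bots
             if isinstance(bot["post"], dict) and "pwd" in bot["post"]]

# ## Lets see which IP visited the most

# In[13]:
ip_count = Counter(ips)
ip_count.most_common(10)
top5000 = ip_count.most_common(5000)
print("Most common ip is: " + str(ip_count.most_common(1)))

# ### What about the User Agents

# In[15]:
agent_count = Counter(agents)
agent_count.most_common(100)

# ### What about the most common passwords?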
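# In[16]:
pass_count = Counter(passwords)
pass_count.most_common(25)

# ___
#
# ### Lets look at the wordpress attacks

# In[25]:
# One entry per wp-login POST that asked to be remembered "forever"; an IP
# appears once per attempt, so the Counter below gives attempts per IP.
# String (non-JSON) bodies have no "rememberme" and are skipped, which is
# what the original bare except did.
wp_bots = [bot["ip"] for bot in bots
           if isinstance(bot["post"], dict) and bot["post"].get("rememberme") == "forever"]
len(wp_bots)

# In[27]:
wp_count = Counter(wp_bots)
wp_count.most_common(20)

# ### Let's see how many unique ips

# In[28]:
unique_wp = list(set(wp_bots))
print("WP attacks: " + str(len(wp_bots)))
print("WP Unique IPs: " + str(len(unique_wp)))

# ## This is really interesting because the 5010 hacking attempts came from 2110 different IP addresses, yet the attacks are identical and follow a particular order. This means the attacker has access to over 2000 machines or uses some sort of VPN/Tor to hide his real origin.

# In[29]:
import pygeoip

# ### IP locator, this is a library to find where the geo location of an ip might be. Not sure how accurate

# In[30]:
GEOIP_DATABASE = 'GeoLiteCity.dat'
_geoip_db = None


def _geoip():
    """Open the GeoLite database once and reuse it.

    The original re-read the .dat file on every ``ipLocator`` call, i.e.
    hundreds of times while building the heatmap.
    """
    global _geoip_db
    if _geoip_db is None:
        _geoip_db = pygeoip.GeoIP(GEOIP_DATABASE)
    return _geoip_db


def ipLocator(ip):
    """Look up ``ip`` in the local GeoLite city database.

    Args:
        ip: dotted-quad IPv4 address as a string.

    Returns:
        pygeoip's record dict (``"latitude"``/``"longitude"`` are the keys
        used below; ``"city"``, ``"region_code"``, ``"country_name"`` and
        ``"metro_code"`` were printed in the author's commented-out code),
        or ``None`` when the address is not in the database — callers must
        handle ``None``.
    """
    # Offline lookup only. The original also called record_by_name(ip) and
    # discarded the result; that redundant second lookup is dropped.
    return _geoip().record_by_addr(ip)


def _coords(ip):
    """Return ``(lat, lon)`` for ``ip``, or ``None`` when it cannot be located."""
    data = ipLocator(ip)
    if data is None:
        return None
    return (data["latitude"], data["longitude"])


def _locate_all(ranked):
    """Geolocate a ``Counter.most_common`` list.

    Args:
        ranked: list of ``(ip, count)`` tuples.

    Returns:
        ``(locations, visits)`` — parallel lists of ``(lat, lon)`` tuples and
        the attempt count for each IP that could be located. IPs missing
        from the database are skipped rather than aborting the whole map.
    """
    locations = []
    visits = []
    for ip, count in ranked:
        coords = _coords(ip)
        if coords is None:
            continue
        locations.append(coords)
        visits.append(count)
    return locations, visits


# In[32]:
top10 = wp_count.most_common(10)
top10[0]

# ### Lets see where the top attacker comes form

# In[35]:
ipLocator(top10[0][0])

# In[36]:
# Build the marker list directly as (lat, lon) tuples. The original rendered
# each pair to text, joined the pieces into "[...]" and parsed that back
# with ast.literal_eval — a needless round trip through a string.
top_ten_ip_locations, _ = _locate_all(top10)
# Google Maps link for a point, for manual inspection:
# "https://www.google.com/maps/place/" + str(lat) + "," + str(lon)
# !/usr/bin/open -a "/Applications/Google Chrome.app" {url}

# In[38]:
# Never hard-code a real API key in the notebook: read it from the
# environment and fall back to the author's placeholder when it is unset.
import os
key = os.environ.get("GMAPS_API_KEY", "Get your own key")  # env var name chosen here

# In[39]:
from ast import literal_eval
type(top_ten_ip_locations)

# In[40]:
import gmaps
import gmaps.datasets
import gmaps.geojson_geometries
gmaps.configure(api_key=key)
marker_locations = top_ten_ip_locations
fig = gmaps.figure()
markers = gmaps.marker_layer(marker_locations)
fig.add_layer(markers)
fig

# ### top 100

# In[41]:
top100 = wp_count.most_common(100)
top_100_ip_locations, _ = _locate_all(top100)
marker_locations = top_100_ip_locations
fig = gmaps.figure()
markers = gmaps.marker_layer(marker_locations)
fig.add_layer(markers)
fig

# ### The previous maps are useful but it would be cooler to show this as a heatmap

# In[42]:
# NOTE: the name `top100` is reused for the top 700 because the poem cells
# further down read `top100`; the name is kept for that reason.
top100 = wp_count.most_common(700)
top_100_ip_locations, visits = _locate_all(top100)
marker_locations = top_100_ip_locations
fig = gmaps.figure(map_type='SATELLITE', layout={'width': '960px', 'height': '560px'}, center=(20, 0), zoom_level=2)
fig.add_layer(gmaps.heatmap_layer(marker_locations, weights=visits, max_intensity=25, point_radius=10.0))
fig

# ## Grouping by IPs
#
# Bots coming with the same IP should be treated as one.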
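# In[45]:
def checkIP(ip):
    """Return the index of the bot with ``ip`` in ``unique_bots``, or ``False``.

    ``False`` is the sentinel the caller tests with ``is False``; index 0 is
    a valid hit, so never test the result for truthiness.
    """
    for index, entry in enumerate(unique_bots):
        if entry["ip"] == ip:
            return index
    return False


def _decode_post(raw):
    """JSON-decode a captured POST body, falling back to the raw string.

    ``json.loads`` is safe on attacker-controlled text; keep it that way.
    """
    try:
        return json.loads(raw)
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        return raw


# In[47]:
unique_bots = []
ip_regex = re.compile(r'\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}')
wp_regex = re.compile(r'(?<=POST) {.*}')
path_regex = re.compile(r'(?<=Path:) .*')
time_regex = re.compile(r"((?<=Bot: false\ ) .*(?=GMT))|((?<=Bot: true) .*(?=GMT))")
# ip -> index into unique_bots, maintained alongside the list so the merge
# is O(1) per line instead of a full scan (checkIP) per line.
_index_by_ip = {}
_unparsed = 0
for b in botsText:
    if not b.strip():
        continue  # blank line (e.g. the file's trailing newline)
    ip_match = ip_regex.search(b)
    paths = path_regex.findall(b)
    times = time_regex.findall(b)
    if ip_match is None or not paths or not times:
        _unparsed += 1  # counted rather than dropped silently
        continue
    ip = ip_match.group(0)
    path = paths[0]
    wp_p = wp_regex.findall(b)
    # findall yields (group1, group2) tuples; the original always took
    # group1, which is "" for "Bot: true" lines. Use whichever matched.
    time = times[0][0] or times[0][1]
    # Agent text runs from the IP up to "POST" (when present) or "Path".
    # The IP is escaped so its dots are literal; the original interpolated
    # it unescaped, so "." matched any character.
    safe_ip = re.escape(ip)
    agent_match = re.search(r"(?<=" + safe_ip + r").*(?=POST)|(?<=" + safe_ip + r").*(?=Path)", b)
    if agent_match is None:
        _unparsed += 1
        continue
    agent = " ".join(agent_match.group(0).split())
    bot_index = _index_by_ip.get(ip)
    if bot_index is None:
        _index_by_ip[ip] = len(unique_bots)
        unique_bots.append({"ip": ip, "date": [time], "path": [path], "post": [], "agent": [agent]})
        target = unique_bots[-1]
    else:
        target = unique_bots[bot_index]
        target["agent"].append(agent)
        target["date"].append(time)
        target["path"].append(path)
    # if post: identical handling for new and already-seen IPs (the original
    # duplicated this block in both branches)
    if wp_p:
        target["post"].append(_decode_post(wp_p[0]))
if _unparsed:
    print("Lines without the expected fields (skipped): " + str(_unparsed))

# In[48]:
print(len(unique_bots))
print(len(bots))

# ### Testing a bot to see what it looks like

# In[50]:
unique_bots[123]

# In[51]:
def bot_by_ip(ip):
    """Return the merged record for ``ip`` from ``unique_bots``.

    Returns the string ``"ip not found"`` (not ``None``) for an unknown IP;
    kept for compatibility — callers that index the result will fail on it.
    """
    for entry in unique_bots:
        if entry["ip"] == ip:
            return entry
    return ("ip not found")


# In[52]:
top10

# ### Lets take a look by individual bot

# In[53]:
# Credentials tried by the top wp-login attacker. String (non-JSON) bodies
# carry no "pwd"/"log" and are skipped instead of raising.
p = bot_by_ip(top10[0][0])["post"]
pwd = [attempt["pwd"] for attempt in p
       if isinstance(attempt, dict) and "pwd" in attempt and "log" in attempt]
user = [attempt["log"] for attempt in p
        if isinstance(attempt, dict) and "pwd" in attempt and "log" in attempt]

# ### passwords tried by top 1 bot:

# In[54]:
pwd

# In[55]:
user

# In[56]:
bot_by_ip(top100[0][0])["date"]

# ---
#
#
#
# POEM?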
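#

# In[63]:
import random


def _blank_lines(n):
    """Print ``n`` empty lines (the poems use runs of them as pacing)."""
    for _ in range(n):
        print("")


def _split_date(stamp):
    """Split one stored timestamp into its space-separated parts."""
    return stamp.strip().split(" ")


def _print_poem_opening(r_bot, data, cute_name):
    """Print the part of the poem shared by both versions below.

    Args:
        r_bot: the bot's IP address.
        data: its merged ``unique_bots`` record (``date`` and ``post`` lists).
            Assumes ``post[0]`` is a decoded dict with ``pwd``/``rememberme``
            keys, as the original did — TODO confirm for non-JSON bodies.
        cute_name: the last octet of the IP, used as the pet name.

    Ends after the "keeps comming in your absense" couplet and the ten blank
    lines that follow it; each poem prints its own ending afterwards.
    """
    first = _split_date(data["date"][0])
    print("Dear " + r_bot + ",\n")
    print("I saw you for the first time back in " + first[1] + " " + first[2] + ", it was a " + first[0])
    print("It was " + first[4])
    print("")
    print("You were looking for " + data["post"][0]["pwd"])
    print("")
    print("")
    print("You asked me to remember you " + data["post"][0]["rememberme"])
    print("")
    print("I told you:")
    print("\"" + data["post"][0]["rememberme"] + " is a long time, come back and I might\"")
    print("")
    print("")
    print("")
    print("and you did:")
    _blank_lines(5)
    # Walk the visit timestamps; a visit on the same day as the previous one
    # is "that same night". The first visit is compared with itself, as in
    # the original, so it always prints as a repeat.
    prev = first
    for stamp in data["date"]:
        parts = _split_date(stamp)
        if parts[:3] == prev[:3]:
            print(" and again that same night")
        elif len(parts) >= 3:
            print("again in " + parts[0] + " " + parts[1] + " " + parts[2])
        # else: timestamp too short to print (the original swallowed the IndexError)
        prev = parts
    print("")
    # Non-dict (undecoded) bodies have no log/pwd and are skipped.
    users = [attempt["log"] for attempt in data["post"] if isinstance(attempt, dict)]
    pwds = [attempt["pwd"] for attempt in data["post"] if isinstance(attempt, dict)]
    print("I want you to be my " + ", my ".join(users))
    print("I have " + " for you, ".join(pwds))
    _blank_lines(10)
    print("I wonder who you are")
    print("I wonder where you are")
    print(r_bot + " will you come back?")
    _blank_lines(10)
    print(r_bot + " can I call you " + cute_name)
    _blank_lines(10)
    who_cares = random.choice(top10)
    print(who_cares[0] + " keeps comming in your absense.")
    print(str(who_cares[1]) + " times so far.")
    _blank_lines(10)


def _marker_for(ip):
    """Return ``[(lat, lon)]`` for ``ip``, or ``[]`` when it cannot be located.

    The original indexed the lookup result unconditionally and raised
    TypeError for an address missing from the GeoIP database.
    """
    bot_loc = ipLocator(ip)
    if bot_loc is None:
        return []
    return [(bot_loc["latitude"], bot_loc["longitude"])]


# In[64]:
r_bot = random.choice(top100)[0]
data = bot_by_ip(r_bot)
cute_name = r_bot.split(".")[3]
_print_poem_opening(r_bot, data, cute_name)
print(cute_name + " will you come back after visiting all those other servers??")
_blank_lines(10)
print(cute_name + " don't make me come find you")
_blank_lines(30)
print(cute_name + " Please understand, I tried to resist")
_blank_lines(30)
loc = _marker_for(r_bot)
fig = gmaps.figure()
markers = gmaps.marker_layer(loc)
fig.add_layer(markers)
fig

# # POEM 2

# In[ ]:
wp_count = Counter(wp_bots)
top500 = wp_count.most_common(150)  # name kept from the notebook; it holds the top 150
bot = random.choice(top500)
unique_wp = list(set(wp_bots))
print(bot)
geo = ipLocator(bot[0])
lat, lon = (geo["latitude"], geo["longitude"]) if geo is not None else (None, None)
url = "https://www.google.com/maps/place/" + str(lat) + "," + str(lon)
locations = [(lat, lon)]
# (The original also rebuilt `top_ten_ip_locations` here as a "[...]" string
# that nothing reads; that dead assignment is dropped.)
# webbrowser.open(url,new=1)
# print(url)
# !/usr/bin/open -a "/Applications/Google Chrome.app" {url}
cont = input("Welcome back\nWhat would you like to do tonight?\n")
# print("you said: "+str(cont))
# time.sleep(1)
cont = input("yes\n")
cont = input("Are you sure?\n")
# time.sleep(1)
# pswd = getpass.getpass('Please confirm you want to do this: ')
# time.sleep(1)
cont = input("It was here ")
# print(bot_by_ip(bot[0])["date"])
bot_data = bot_by_ip(bot[0])
# print(bot_data)
dates = bot_data["date"]
# Second-to-last visit; with a single visit the original's dates[len-2]
# wrapped around to dates[-1], which is kept explicitly here.
print(dates[-2] if len(dates) > 1 else dates[-1])
cont = input("")
print("yes")
cont = input("")
print("It wanted to get access, it tried:")
attempt = bot_data["post"]
print("User: " + attempt[-1]["log"] + " Password: " + attempt[-1]["pwd"] + ", it asked you to remember it forever")
cont = input("")
print("What do you want me to say?")
# print (pswd)
r_bot = bot[0]
data = bot_by_ip(r_bot)
cute_name = r_bot.split(".")[3]
_blank_lines(30)
_print_poem_opening(r_bot, data, cute_name)
print(cute_name + " what are you looking for?")
print(cute_name + " who are you looking for?")
_blank_lines(10)
print(cute_name + " will you come back?")
_blank_lines(10)
print(cute_name + " will you please come back?")
_blank_lines(10)
print(cute_name + " don't make me come find you")
_blank_lines(30)
print(cute_name + " Please understand, I tried to resist")
_blank_lines(30)
loc = _marker_for(r_bot)
print(cute_name + ", I'll be here waiting")
# uncomment to open on a new browser window
# webbrowser.open(url,new=1)

# In[ ]: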