Analysis of http://honeynet.org/files/sanitized_log.zip using IPython Notebook on Spark

In [284]:
sc
Out[284]:
<pyspark.context.SparkContext at 0x105161d10>

Loading file into Spark Context

In [285]:
target_file = "./logs/auth.log"
logs = sc.textFile(target_file)

How many lines are in the dataset?

In [286]:
logs.count()
Out[286]:
102164

What do they look like?

In [287]:
logs.take(5)
Out[287]:
[u'Mar 16 08:12:04 app-1 login[4659]: pam_unix(login:session): session opened for user user3 by LOGIN(uid=0)',
 u'Mar 16 08:12:09 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 08:12:09 app-1 su[4679]: Successful su for root by root']

How many sucessful logins to the Unix box?

In [288]:
successful_user_login = logs.filter(lambda x: "Accepted password" in x)
successful_user_login.count()
Out[288]:
118
In [289]:
a = successful_user_login.collect()
In [290]:
a[0:10]
Out[290]:
[u'Mar 16 08:26:06 app-1 sshd[4894]: Accepted password for user3 from 192.168.126.1 port 61474 ssh2',
 u'Mar 16 10:14:02 app-1 sshd[5142]: Accepted password for user3 from 192.168.126.1 port 62897 ssh2',
 u'Mar 16 17:12:24 app-1 sshd[5513]: Accepted password for user3 from 192.168.126.1 port 63555 ssh2',
 u'Mar 18 09:42:22 app-1 sshd[4693]: Accepted password for user3 from 10.0.1.2 port 64721 ssh2',
 u'Mar 18 10:00:10 app-1 sshd[4764]: Accepted password for user1 from 76.191.195.140 port 35226 ssh2',
 u'Mar 18 10:00:30 app-1 sshd[4786]: Accepted password for user3 from 10.0.1.2 port 64950 ssh2',
 u'Mar 18 11:39:50 app-1 sshd[10158]: Accepted password for user2 from 71.132.129.212 port 34333 ssh2',
 u'Mar 18 11:40:56 app-1 sshd[10200]: Accepted password for user2 from 71.132.129.212 port 40961 ssh2',
 u'Mar 18 11:41:43 app-1 sshd[10224]: Accepted password for user2 from 71.132.129.212 port 41661 ssh2',
 u'Mar 18 11:48:16 app-1 sshd[10253]: Accepted password for user1 from 76.191.195.140 port 43613 ssh2']
In [291]:
sucessful_logins_user_list = [line.split("Accepted password for ")[1].split(" from")[0] for line in a]
sucessful_logins_ip_address_list = [line.split(" from ")[1].split(" port")[0] for line in a]

What users successfully login? I not sure root needs to remote into this box...

In [292]:
from collections import defaultdict
overview_collection = defaultdict(list)
In [293]:
from collections import Counter
users = Counter(sucessful_logins_user_list)
counts = users
index = []
data = []

for k,v in counts.iteritems():
    index.append(k)
    data.append(v)
ts = pd.TimeSeries(data, index)
figure(num=None, figsize=(8, 7), dpi=80, facecolor='w', edgecolor='k')
ts.plot(kind="barh")
Out[293]:
<matplotlib.axes.AxesSubplot at 0x106e39710>

What ip addressess had the highest counts for the successful logins?

In [294]:
ip_addresess = Counter(sucessful_logins_ip_address_list)
counts = ip_addresess
index = []
data = []

for k,v in zip(index, data):
    overview_collection[k].append(("sucessful_logins_ip_address_list",v))
    
    
for k,v in counts.iteritems():
    index.append(k)
    data.append(v)
ts = pd.TimeSeries(data, index)
figure(num=None, figsize=(9, 9), dpi=80, facecolor='w', edgecolor='k')
ts.plot(kind="barh")
Out[294]:
<matplotlib.axes.AxesSubplot at 0x10fe27210>
In [295]:
for k,v in zip(index, data):
    if k in overview_collection:
        pass
    else:
        overview_collection[k].append(("sucessful_logins_ip_address_list",v))

overview_collection['190.167.74.184']
Out[295]:
[('sucessful_logins_ip_address_list', 3)]

How many failed su to root?

In [296]:
failed_su  = logs.filter(lambda x: "FAILED su" in x)
b = failed_su.collect()
b
Out[296]:
[u'Mar 18 11:20:19 app-1 su[9504]: FAILED su for root by user1',
 u'Mar 18 11:20:26 app-1 su[9506]: FAILED su for root by user1',
 u'Mar 18 17:01:17 app-1 su[14542]: FAILED su for root by user3']

Looks like user1 and user3 may be up to no good. How many failed do each of them have?

In [297]:
user1_activity = logs.filter(lambda x: "user1" in x)
user3_activity = logs.filter(lambda x: "user3" in x)
In [298]:
u1a = user1_activity.collect()
u1a[0:10]
Out[298]:
[u'Mar 16 08:12:38 app-1 groupadd[4702]: new group: name=user1, GID=1001',
 u'Mar 16 08:12:38 app-1 useradd[4703]: new user: name=user1, UID=1001, GID=1001, home=/home/user1, shell=/bin/bash',
 u'Mar 16 08:12:44 app-1 passwd[4706]: pam_unix(passwd:chauthtok): password changed for user1',
 u"Mar 16 08:12:46 app-1 chfn[4707]: changed user `user1' information",
 u"Mar 16 08:12:49 app-1 chfn[4708]: changed user `user1' information",
 u'Mar 18 10:00:06 app-1 passwd[4763]: pam_unix(passwd:chauthtok): password changed for user1',
 u'Mar 18 10:00:10 app-1 sshd[4764]: Accepted password for user1 from 76.191.195.140 port 35226 ssh2',
 u'Mar 18 10:00:10 app-1 sshd[4766]: pam_unix(sshd:session): session opened for user user1 by (uid=0)',
 u'Mar 18 10:01:03 app-1 sudo:   user1 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/su -',
 u'Mar 18 10:02:09 app-1 sudo:   user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/su -']
In [299]:
user3_activity.count()
Out[299]:
237
In [300]:
"pam_unix(sudo:session): session opened for user " 
Out[300]:
'pam_unix(sudo:session): session opened for user '
In [301]:
"pam_unix(sudo:session): session closed for user "
Out[301]:
'pam_unix(sudo:session): session closed for user '
In [302]:
command_activity = logs.filter(lambda x: "COMMAND=" in x)
ca = command_activity.collect()
ca[0:10]
Out[302]:
[u'Mar 16 08:12:09 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 08:27:37 app-1 sudo:     user3 : TTY=pts/0 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 10:14:10 app-1 sudo:     user3 : TTY=pts/1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 17:12:41 app-1 sudo:     user3 : TTY=pts/0 ; PWD=/opt/software ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 17:13:52 app-1 sudo:     user3 : TTY=pts/0 ; PWD=/opt/software ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 09:43:06 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 09:49:52 app-1 sudo:     user3 : TTY=tty1 ; PWD=/opt/software ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 09:51:23 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 09:56:22 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 10:00:36 app-1 sudo:     user3 : TTY=pts/1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su']
In [303]:
c[0:10]
Out[303]:
[u'Mar 16 08:12:09 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 08:27:37 app-1 sudo:     user3 : TTY=pts/0 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 08:27:37 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:27:37 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 10:14:08 app-1 sudo:     user3 : unable to resolve host dev-.domain.org',
 u'Mar 16 10:14:10 app-1 sudo:     user3 : TTY=pts/1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 10:14:10 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 10:14:10 app-1 sudo: pam_unix(sudo:session): session closed for user root']
In [304]:
accepted_publickey  = logs.filter(lambda x: "Accepted publickey" in x)
accepted_publickey.count()
Out[304]:
0
In [304]:
 
In [304]:
 
In [305]:
session_opened  = logs.filter(lambda x: "session opened" in x)
session_opened.count()
Out[305]:
15451
In [306]:
d = session_opened.collect()
In [307]:
d[0:10]
Out[307]:
[u'Mar 16 08:12:04 app-1 login[4659]: pam_unix(login:session): session opened for user user3 by LOGIN(uid=0)',
 u'Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:12:09 app-1 su[4679]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:17:01 app-1 CRON[4716]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 08:26:06 app-1 sshd[4896]: pam_unix(sshd:session): session opened for user user3 by (uid=0)',
 u'Mar 16 08:27:37 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:27:37 app-1 su[4913]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 16 09:17:01 app-1 CRON[5085]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 10:14:02 app-1 sshd[5144]: pam_unix(sshd:session): session opened for user user3 by (uid=0)',
 u'Mar 16 10:14:10 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)']
In [308]:
failed_user_login = logs.filter(lambda x: "authentication failure" in x)
failed_user_login.count()
Out[308]:
20353
In [309]:
e = failed_user_login.collect()
In [310]:
e[0:10]
Out[310]:
[u'Mar 18 09:41:54 app-1 login[4673]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= ',
 u'Mar 18 11:20:17 app-1 su[9504]: pam_unix(su:auth): authentication failure; logname=user1 uid=1001 euid=0 tty=pts/0 ruser=user1 rhost=  user=root',
 u'Mar 18 11:20:24 app-1 su[9506]: pam_unix(su:auth): authentication failure; logname=user1 uid=1001 euid=0 tty=pts/0 ruser=user1 rhost=  user=root',
 u'Mar 18 11:38:04 app-1 sshd[10156]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-71-132-129-212.dsl.pltn13.pacbell.net  user=user2',
 u'Mar 18 11:38:43 app-1 sshd[10156]: PAM 2 more authentication failures; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-71-132-129-212.dsl.pltn13.pacbell.net  user=user2',
 u'Mar 18 11:38:57 app-1 sshd[10158]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-71-132-129-212.dsl.pltn13.pacbell.net  user=user2',
 u'Mar 18 17:01:15 app-1 su[14542]: pam_unix(su:auth): authentication failure; logname=user3 uid=1000 euid=0 tty=pts/1 ruser=user3 rhost=  user=root',
 u'Mar 18 18:25:13 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=user1',
 u'Mar 24 05:54:04 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=  user=user1',
 u'Mar 29 13:20:06 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1']
In [311]:
failed_sudo_auth_user_login = logs.filter(lambda x: "pam_unix(sudo:auth): authentication failure;" in x)
failed_sudo_auth_user_login.collect()
Out[311]:
[u'Mar 18 18:25:13 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=user1',
 u'Mar 24 05:54:04 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=  user=user1',
 u'Mar 29 13:20:06 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1',
 u'Mar 29 14:21:32 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1',
 u'Mar 29 15:46:01 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1',
 u'Mar 29 23:46:16 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1',
 u'Apr 14 15:36:56 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1',
 u'Apr 14 16:34:04 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1',
 u'Apr 15 15:34:24 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=  user=user1',
 u'Apr 15 19:53:21 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1',
 u'Apr 15 20:23:24 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/1 ruser= rhost=  user=user1',
 u'Apr 15 20:36:19 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=  user=user1',
 u'Apr 19 10:47:51 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=  user=user1',
 u'Apr 19 12:28:44 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=  user=user1',
 u'Apr 19 13:16:19 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=  user=user1',
 u'Apr 22 12:34:47 app-1 sudo: pam_unix(sudo:auth): authentication failure; logname=user1 uid=0 euid=0 tty=/dev/pts/0 ruser= rhost=  user=user1']
In [312]:
failed_sshd_auth_user_login = logs.filter(lambda x: "pam_unix(sshd:auth): authentication failure;" in x)
ee = failed_sshd_auth_user_login.collect()
ee[0:10]
Out[312]:
[u'Mar 18 11:38:04 app-1 sshd[10156]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-71-132-129-212.dsl.pltn13.pacbell.net  user=user2',
 u'Mar 18 11:38:57 app-1 sshd[10158]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=adsl-71-132-129-212.dsl.pltn13.pacbell.net  user=user2',
 u'Apr 15 14:47:51 app-1 sshd[10174]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=208.80.69.74  user=user1',
 u'Apr 18 18:22:07 app-1 sshd[5266]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.151.246.140  user=root',
 u'Apr 18 18:22:11 app-1 sshd[5268]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.151.246.140  user=root',
 u'Apr 18 18:22:15 app-1 sshd[5270]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.151.246.140  user=root',
 u'Apr 18 18:22:18 app-1 sshd[5272]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.151.246.140  user=root',
 u'Apr 18 18:22:22 app-1 sshd[5274]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.151.246.140  user=root',
 u'Apr 18 18:22:26 app-1 sshd[5276]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.151.246.140  user=root',
 u'Apr 18 18:22:29 app-1 sshd[5278]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=61.151.246.140  user=root']
In [313]:
root_failed = []
for line in ee:
    if "root" in line:
        root_failed.append(line)
        
ip_failed = [line.split("host=")[1].split()[0] for line in root_failed]
counts = Counter(ip_failed)
index = []
data = []
for k,v in counts.iteritems():
    index.append(k)
    data.append(v)
ts = pd.TimeSeries(data, index)
figure(num=None, figsize=(9, 9), dpi=80, facecolor='w', edgecolor='k')
ts.plot(kind="barh", color=colors)
Out[313]:
<matplotlib.axes.AxesSubplot at 0x106d95510>
In [314]:
colors = []
for value in data:
    if value > 200:
        colors.append('r')
    else:
        colors.append('b')

# bar(ind,num,width,color=colors)
In [430]:
for k,v in zip(index, data):
    if k in suspicious_ip:
        values = overview_collection[k]
        if "failed_logins_ip_address_list" in values:
            pass
        elif "failed_logins_ip_address_list" not in values:
            overview_collection[k].append(("failed_logins_ip_address_list",v))

suspicious_ip['219.150.161.20']
#overview_collection['219.150.161.20']
Out[430]:
[('sucessful_logins_ip_address_list', 4),
 ('failed_logins_ip_address_list', 1560),
 ('failed_logins_invalid_user_list', 7574),
 ('failed_logins_ip_address_list', 7574),
 ('failed_logins_ip_address_list', 7574),
 ('failed_logins_ip_address_list', 7574),
 ('failed_logins_ip_address_list', 7574),
 ('failed_logins_ip_address_list', 7574),
 ('failed_logins_ip_address_list', 7574),
 ('failed_logins_ip_address_list', 7574),
 ('failed_logins_ip_address_list', 7574),
 ('failed_logins_ip_address_list', 7574)]

Superbad looks like he's attacking the server

In [316]:
superbad = logs.filter(lambda x: '219.150.161.20' in x)
superbad_local = superbad.collect()
superbad_local[0:10]
Out[316]:
[u'Apr 19 05:32:50 app-1 sshd[7558]: Did not receive identification string from 219.150.161.20',
 u'Apr 19 05:37:58 app-1 sshd[7702]: Invalid user globus from 219.150.161.20',
 u'Apr 19 05:37:58 app-1 sshd[7702]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.150.161.20 ',
 u'Apr 19 05:38:01 app-1 sshd[7702]: Failed password for invalid user globus from 219.150.161.20 port 42337 ssh2',
 u'Apr 19 05:38:02 app-1 sshd[7706]: Invalid user marine from 219.150.161.20',
 u'Apr 19 05:38:02 app-1 sshd[7706]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.150.161.20 ',
 u'Apr 19 05:38:03 app-1 sshd[7708]: Invalid user condor from 219.150.161.20',
 u'Apr 19 05:38:03 app-1 sshd[7708]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=219.150.161.20 ',
 u'Apr 19 05:38:04 app-1 sshd[7706]: Failed password for invalid user marine from 219.150.161.20 port 44339 ssh2',
 u'Apr 19 05:38:05 app-1 sshd[7708]: Failed password for invalid user condor from 219.150.161.20 port 44816 ssh2']
In [317]:
superbad2 = logs.filter(lambda x: '58.17.30.49' in x)
superbad_local2 = superbad2.collect()
superbad_local2[0:10]
Out[317]:
[u'Apr 19 05:18:35 app-1 sshd[7155]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.17.30.49  user=root',
 u'Apr 19 05:18:38 app-1 sshd[7155]: Failed password for root from 58.17.30.49 port 39778 ssh2',
 u'Apr 19 05:18:40 app-1 sshd[7157]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.17.30.49  user=root',
 u'Apr 19 05:18:43 app-1 sshd[7157]: Failed password for root from 58.17.30.49 port 40036 ssh2',
 u'Apr 19 05:18:45 app-1 sshd[7159]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.17.30.49  user=root',
 u'Apr 19 05:18:47 app-1 sshd[7159]: Failed password for root from 58.17.30.49 port 40286 ssh2',
 u'Apr 19 05:18:49 app-1 sshd[7161]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.17.30.49  user=root',
 u'Apr 19 05:18:52 app-1 sshd[7161]: Failed password for root from 58.17.30.49 port 40534 ssh2',
 u'Apr 19 05:18:54 app-1 sshd[7163]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=58.17.30.49  user=root',
 u'Apr 19 05:18:56 app-1 sshd[7163]: Failed password for root from 58.17.30.49 port 40777 ssh2']

How many login attempt are Invalid user?

In [318]:
invalid_user = logs.filter(lambda x: "Invalid user " in x)
invalids = invalid_user.collect()
invalids[0:20]
Out[318]:
[u'Apr 19 04:36:49 app-1 sshd[6990]: Invalid user tomcat from 203.81.226.86',
 u'Apr 19 05:19:08 app-1 sshd[7169]: Invalid user admin from 58.17.30.49',
 u'Apr 19 05:22:10 app-1 sshd[7259]: Invalid user tina from 58.17.30.49',
 u'Apr 19 05:22:14 app-1 sshd[7261]: Invalid user tom from 58.17.30.49',
 u'Apr 19 05:22:19 app-1 sshd[7263]: Invalid user tom from 58.17.30.49',
 u'Apr 19 05:22:23 app-1 sshd[7265]: Invalid user toor from 58.17.30.49',
 u'Apr 19 05:22:28 app-1 sshd[7267]: Invalid user tour from 58.17.30.49',
 u'Apr 19 05:22:32 app-1 sshd[7269]: Invalid user tour from 58.17.30.49',
 u'Apr 19 05:22:36 app-1 sshd[7271]: Invalid user tracy from 58.17.30.49',
 u'Apr 19 05:22:41 app-1 sshd[7273]: Invalid user tracy from 58.17.30.49',
 u'Apr 19 05:22:45 app-1 sshd[7275]: Invalid user user from 58.17.30.49',
 u'Apr 19 05:22:50 app-1 sshd[7277]: Invalid user www from 58.17.30.49',
 u'Apr 19 05:22:55 app-1 sshd[7279]: Invalid user www from 58.17.30.49',
 u'Apr 19 05:23:00 app-1 sshd[7281]: Invalid user admins from 58.17.30.49',
 u'Apr 19 05:37:58 app-1 sshd[7702]: Invalid user globus from 219.150.161.20',
 u'Apr 19 05:38:02 app-1 sshd[7706]: Invalid user marine from 219.150.161.20',
 u'Apr 19 05:38:03 app-1 sshd[7708]: Invalid user condor from 219.150.161.20',
 u'Apr 19 05:38:05 app-1 sshd[7710]: Invalid user marine from 219.150.161.20',
 u'Apr 19 05:38:06 app-1 sshd[7712]: Invalid user cadi from 219.150.161.20',
 u'Apr 19 05:38:07 app-1 sshd[7716]: Invalid user tomcat from 219.150.161.20']
In [319]:
names = []
addys = []
for line in invalids:
    username = line.split("Invalid user ")[1].split(" from ")[0]
    IPaddress = line.split("Invalid user ")[1].split(" from ")[1]
    names.append(username)
    addys.append(IPaddress)
In [320]:
Counter(names)
Out[320]:
Counter({u'admin': 447, u'test': 282, u'administrator': 155, u'123456': 154, u'12345': 137, u'123': 133, u'user': 132, u'qwerty': 124, u'oracle': 124, u'1234': 117, u'zxcvb': 113, u'users': 105, u'abc': 95, u'abcde': 94, u'tester': 92, u'abcd': 90, u'a': 86, u'guest': 86, u'nagios': 79, u'alex': 57, u'testing': 56, u'student': 56, u'ftp': 54, u'postgres': 53, u'sarah': 44, u'cyrus': 44, u'test123': 44, u'toor': 43, u'temp': 41, u'info': 40, u'plokm': 39, u'linux': 38, u'postfix': 37, u'emma': 34, u'abigail': 34, u'webmaster': 33, u'renee': 32, u'madison': 32, u'hailey': 32, u'emily': 32, u'isabella': 32, u'kaitlyn': 32, u'olivia': 32, u'adm': 32, u'named': 31, u'demo': 31, u'web': 31, u'cruz': 31, u'madeline': 30, u'students': 30, u'sabine': 30, u'philippine': 30, u'pauline': 30, u'apache': 28, u'server': 28, u'victor': 28, u'user1': 27, u'kaylee': 27, u'tomcat': 26, u'cecilia': 25, u'clara': 25, u'catherine': 25, u'edith': 24, u'victoria': 24, u'caroline': 24, u'charlotte': 24, u'denise': 24, u'marine': 23, u'diane': 23, u'eleanor': 23, u'dorothy': 23, u'test1': 23, u'tmp': 23, u'ftpuser': 22, u'www': 22, u'chantal': 22, u'colette': 22, u'christine': 22, u'mp3': 22, u'vic': 22, u'cecile': 22, u'melody': 22, u'constance': 22, u'emilie': 22, u'camille': 22, u'claire': 22, u'claudine': 22, u'dawn': 21, u'super': 21, u'corinne': 21, u'spam': 21, u'elise': 21, u'viktor': 21, u'dominique': 21, u'sales': 21, u'mythtv': 21, u'aurora': 20, u'aurore': 20, u'clemence': 20, u'christelle': 20, u'navy': 20, u'colet': 20, u'testmail': 20, u'aurelie': 20, u'eleonore': 20, u'ann': 20, u'antoinette': 20, u'dorotheee': 20, u'capucine': 20, u'temporary': 20, u'astrid': 20, u'elodie': 20, u'amaude': 20, u'brigitte': 20, u'bernadette': 20, u'christiane': 20, u'anouk': 20, u'webadmin': 18, u'david': 18, u'test2': 18, u'fernando': 18, u'al': 17, u'paul': 17, u'wesley': 17, u'service': 16, u'john': 16, u'teste': 16, u'dan': 16, u'audit': 16, u'setup': 15, u'alan': 15, u'prueba': 15, u'am': 15, u'wwwrun': 15, u'username': 15, u'cvs': 15, u'richard': 14, u'clamav': 14, u'angel': 14, u'bb': 14, u'webadm': 14, u'ftpusr': 14, u'sybase': 13, u'ba': 13, u'br': 13, u'httpd': 13, u'mike': 13, u'redhat': 13, u'george': 13, u'postmaster': 13, u'ad': 13, u'ar': 13, u'master': 13, u'pgsql': 13, u'shell': 13, u'ftp123': 13, u'upload': 12, u'bo': 12, u'danny': 12, u'office': 12, u'nanouser': 12, u'bd': 12, u'bf': 12, u'bn': 12, u'bj': 12, u'testtest': 12, u'data': 12, u'smmsp': 12, u'samba': 12, u'operator': 12, u'ae': 12, u'af': 12, u'ai': 12, u'aq': 12, u'as': 12, u'au': 12, u'at': 12, u'az': 12, u'adam': 12, u'bg': 12, u'bm': 12, u'bh': 12, u'bi': 12, u'ao': 12, u'aw': 12, u'download': 12, u'be': 12, u'ag': 12, u'an': 12, u'password': 12, u'tom': 11, u'webdev': 11, u'amanda': 11, u'andrew': 11, u'robert': 11, u'user123': 11, u'rpm': 11, u'mailman': 11, u'squid': 11, u'eric': 11, u'ceimail': 10, u'tech': 10, u'seascape': 10, u'123456789': 10, u'shop': 10, u'ircd': 10, u'jobs': 10, u'sea': 10, u'dasusr1': 10, u'michael': 10, u'sandy': 10, u'avg': 10, u'library': 10, u'dre': 9, u'daniel': 9, u'testuser': 9, u'visitor': 9, u'contact': 9, u'hanyut': 9, u'rpcuser': 9, u'manager': 9, u'james': 9, u'sam': 9, u'shopping': 9, u'mailnull': 9, u'telnetd': 9, u'brett': 9, u'desktop': 9, u'bill': 9, u'newsletter': 9, u'rpc': 9, u'stephen': 9, u'hypervm': 9, u'alias': 8, u'carlos': 8, u'gopher': 8, u'rob': 8, u'cvsroot': 8, u'nicole': 8, u'user3': 8, u'mary': 8, u'media': 8, u'apache2': 8, u'r00t': 8, u'fax': 8, u'http': 8, u'print': 8, u'chengs': 8, u'milter': 8, u'database': 8, u'claudia': 8, u'carla': 8, u'video': 8, u'account': 8, u'jks': 8, u'frank': 8, u'martha': 8, u'email': 8, u'mailtest': 8, u'chris': 8, u'neo': 7, u'1234567': 7, u'bank': 7, u'fred': 7, u'maria': 7, u'1234qwer': 7, u'tony': 7, u'dave': 7, u'jean': 7, u'support': 7, u'joseph': 7, u'omega': 7, u'evechan': 7, u'hannah': 7, u'max': 7, u'eggdrop': 7, u'router': 7, u'kevin': 7, u'usuario': 7, u'black': 7, u'admins': 7, u'pop': 7, u'cristina': 7, u'nfsnobody': 7, u'hkoffice': 7, u'lawrence': 7, u'jabber': 7, u'virus': 7, u'identd': 7, u'popa3d': 7, u'user2': 7, u'nasa': 7, u'gabriel': 7, u'jessica': 7, u'unknown': 7, u'sara': 7, u'justin': 7, u'daniela': 7, u'squirrelmail': 6, u'edward': 6, u'ident': 6, u'music': 6, u'bs': 6, u'allan': 6, u'albert': 6, u'paulette': 6, u'db': 6, u'1234567890': 6, u'anderson': 6, u'majordomo': 6, u'tivoli': 6, u'global': 6, u'william': 6, u'bob': 6, u'mynul': 6, u'mukut': 6, u'jim': 6, u'visitante': 6, u'software': 6, u'sophie': 6, u'mark': 6, u'sql': 6, u'share': 6, u'vlad': 6, u'cvsuser': 6, u'help': 6, u'scott': 6, u'root0': 6, u'american': 6, u'windows': 6, u'thomas': 6, u'mohiuddin': 6, u'jeff': 6, u'anthony': 6, u'globus': 6, u'masud': 6, u'carol': 6, u'steven': 6, u'techit': 6, u'delta': 6, u'tomcat4': 6, u'nick': 6, u'simon': 6, u'celia': 6, u'gina': 6, u'usa': 6, u'usr': 6, u'netdump': 6, u'obelix': 6, u'asdfg': 6, u'cpanel': 6, u'sharon': 6, u'mariana': 6, u'tommy': 6, u'sysadmin': 6, u'purchasing': 6, u'staff': 6, u'aron': 6, u'php': 6, u'carrie': 6, u'red': 5, u'worldtrack': 5, u'xfs': 5, u'robin': 5, u'cindy': 5, u'install': 5, u'theo': 5, u'project': 5, u'don': 5, u'alumni': 5, u'jayabharat': 5, u'monica': 5, u'wt': 5, u'it': 5, u'jerry': 5, u'ella': 5, u'portal': 5, u'photo': 5, u'alice': 5, u'post': 5, u'dean': 5, u'abel': 5, u'ipmsl': 5, u'cyan': 5, u'carmen': 5, u'winner': 5, u'angela': 5, u'agent': 5, u'pink': 5, u'sunday': 5, u'gamma': 5, u'tty': 5, u'monitor': 5, u'12345678': 5, u'beth': 5, u'carolina': 5, u'sean': 5, u'carina': 5, u'workshop': 5, u'andrea': 5, u'arnold': 5, u'phayalae': 5, u'rupert': 5, u'summer': 5, u'dovecot': 5, u'zephyr': 5, u'roor': 5, u'patrick': 5, u'power': 5, u'raul': 5, u'marc': 5, u'amber': 5, u'aaron': 5, u'steve': 5, u'lisa': 5, u'susan': 5, u'paulo': 5, u'ktsoni': 5, u'orders': 5, u'alpha': 5, u'ltcg': 5, u'golf': 5, u'darwin': 5, u'alexander': 5, u'shutdown': 5, u'demo1': 5, u'dark': 5, u'kelly': 5, u'arthur': 5, u'zzz': 5, u'webalizer': 5, u'dummy': 5, u'ryan': 5, u'index': 5, u'leo': 5, u'vinno': 5, u'calvin': 5, u'starnet': 5, u'matt': 5, u'adrian': 5, u'dbadmin': 5, u'erika': 5, u'pete': 5, u'movie': 5, u'vcsa': 5, u'april': 5, u'ahsan': 5, u'paula': 5, u'test3': 5, u'elisabeth': 4, u'andra': 4, u'jacob': 4, u'school': 4, u'cher': 4, u'blue': 4, u'new': 4, u'unix': 4, u'henry': 4, u'my': 4, u'india': 4, u'lab': 4, u'rudolf': 4, u'green': 4, u'jack': 4, u'saca': 4, u'eugene': 4, u'silver': 4, u'lorena': 4, u'alec': 4, u'diana': 4, u'marcus': 4, u'stewart': 4, u'pastorcito': 4, u'picky': 4, u'ray': 4, u'horde': 4, u'edge': 4, u'sale': 4, u'bruce': 4, u'webcam': 4, u'agnes': 4, u'indigo': 4, u'rich': 4, u'rebota': 4, u'wu': 4, u'china': 4, u'chloe': 4, u'tina': 4, u'website': 4, u'windowserver': 4, u'canna': 4, u'noc': 4, u'divine': 4, u'purple': 4, u'cora': 4, u'marketing': 4, u'stefan': 4, u'web2': 4, u'alexandra': 4, u'azure': 4, u'herman': 4, u'indiana': 4, u'shit': 4, u'ns': 4, u'pruebaw': 4, u'laura': 4, u'flash': 4, u'brown': 4, u'vladimir': 4, u'cyber': 4, u'angelina': 4, u'jay': 4, u'love': 4, u'dennison': 4, u'franco': 4, u'ovidiu': 4, u'casey': 4, u'kym': 4, u'kurt': 4, u'juanmi': 4, u'monitol': 4, u'albertha': 4, u'lsmith': 4, u'watanabe': 4, u'alfred': 4, u'jane': 4, u'ingres': 4, u'premier': 4, u'adela': 4, u'cassandra': 4, u'zoe': 4, u'beta': 4, u'tracy': 4, u'abraham': 4, u'adolf': 4, u'geo': 4, u'joyd': 4, u'jr': 4, u'ruby': 4, u'antony': 4, u'develop': 4, u'user2athan': 4, u'tecnicos': 4, u'samples': 4, u'jake': 4, u'amy': 4, u'simmons': 4, u'exim': 4, u'ace': 4, u'yasnis': 4, u'adriana': 4, u'manuel': 4, u'felix': 4, u'q1w2e3r4': 4, u'pavila': 4, u'andreea': 4, u'crimson': 4, u'vera': 4, u'elena': 4, u'harry': 4, u'guest123': 4, u'abe': 4, u'christa': 4, u'rocky': 4, u'cathy': 4, u'africa': 4, u'admissions': 4, u'livechat': 4, u'eden': 4, u'rodelle': 4, u'simona': 4, u'virtuoso': 4, u'dragon': 4, u'bryan': 4, u'cady': 4, u'mobilebe': 4, u'cadi': 4, u'grey': 4, u'build': 4, u'Admin': 4, u'mack': 4, u'postgre': 4, u'gold': 4, u'helen': 4, u'condor': 4, u'alicia': 4, u'angie': 4, u'rita': 4, u'mailbox': 4, u'pcap': 4, u'annie': 4, u'simple': 4, u'leon': 4, u'rusticos': 4, u'georgia': 4, u'ioroot': 4, u'appserver': 4, u'tim': 4, u'alvin': 4, u'securityagent': 4, u'kmem': 4, u'ivan': 4, u'passwd': 4, u'anne': 4, u'anna': 4, u'angelo': 4, u'martin': 4, u'wget': 4, u'lenox': 4, u'simulation': 4, u'alison': 4, u'larry': 4, u'komnet': 4, u'matafox': 4, u'ashton': 4, u'zxin10': 4, u'notes': 4, u'magdalena': 4, u'queen': 4, u'jboss': 4, u'luis': 4, u'clare': 4, u'shinzato': 4, u'x-core': 4, u'amalia': 4, u'brian': 4, u'trabajando': 4, u'bind': 4, u'yamaguchi': 4, u'anastacia': 4, u'patryk': 4, u'tyler': 4, u'orange': 4, u'damian': 4, u'luna': 4, u'sim': 4, u'out': 4, u'matrix': 4, u'tempo': 4, u'coleen': 4, u'lists': 4, u'ben': 4, u'reseller': 4, u'vicente': 4, u'servidor': 4, u'linda': 4, u'class': 4, u'pruebal': 4, u'asterix': 4, u'jan': 4, u'bernard': 4, u'gray': 4, u'violet': 4, u'demouser': 4, u'ralph': 4, u'ken': 4, u'joe': 4, u'denis': 4, u'silvia': 4, u'trinity': 4, u'adeline': 4, u'login': 4, u'valerie': 4, u'alka': 4, u'admin123': 4, u'ada': 4, u'smart': 4, u'adolph': 4, u'page': 4, u'biology': 4, u'joyce': 4, u'xmember': 4, u'ivory': 4, u'lynx': 4, u'walter': 4, u'jenny': 4, u'maroon': 4, u'jesse': 4, u'monday': 4, u'cliff': 4, u'magenta': 4, u'elaine': 4, u'suporte': 4, u'gabrielle': 3, u'chen': 3, u'ruben': 3, u'bogdan': 3, u'joshua': 3, u'julie': 3, u'brc': 3, u'shop123': 3, u'guest2': 3, u'work': 3, u'ernest': 3, u'wkuger': 3, u'elizabeth': 3, u'order': 3, u'feedback': 3, u'qwert': 3, u'helena': 3, u'pascal': 3, u'sony': 3, u'eleve': 3, u'content': 3, u'judith': 3, u'quentin': 3, u'demo123': 3, u'youling': 3, u'remote': 3, u'qtss': 3, u'aptproxy': 3, u'brandon': 3, u'mario': 3, u'dot': 3, u'mrtg3': 3, u'mrtg2': 3, u'mrtg1': 3, u'teresa': 3, u'melissa': 3, u'rpcuser123': 3, u'craig': 3, u'basil': 3, u'telnet': 3, u'is': 3, u'in': 3, u'electra': 3, u'elliott': 3, u'nic': 3, u'elly': 3, u'kim': 3, u'darla': 3, u'kid': 3, u'kyle': 3, u'q1w2e3r4t5y6': 3, u'josh': 3, u'bnc': 3, u'vanessa': 3, u'sebastian': 3, u'dorian': 3, u'fox': 3, u'web1': 3, u'ab1cd2ef3': 3, u'melanie': 3, u'eppc': 3, u'donald': 3, u'crystal': 3, u'eliott': 3, u'q1w2e3r4t5': 3, u'oscar': 3, u'tia': 3, u'asterisk': 3, u'reception': 3, u'ron': 3, u'valentin': 3, u'team': 3, u'box': 3, u'baby': 3, u'hector': 3, u'france': 3, u'zuperman': 3, u'dalia': 3, u'rpm123': 3, u'mat': 3, u'may': 3, u'benny': 3, u'felicia': 3, u'smtp': 3, u'appowner': 3, u'space': 3, u'radiomail': 3, u'cyrusimap': 3, u'vpopmail': 3, u'card': 3, u'rachel': 3, u'mrtg': 3, u'white': 3, u'copy': 3, u'recruit': 3, u'delia': 3, u'online': 3, u'corrie': 3, u'nadia': 3, u'samuel': 3, u'ssh': 3, u'roger': 3, u'kernel': 3, u'peiman': 3, u'isabel': 3, u'college': 3, u'dexter': 3, u'marvin': 3, u'dora': 3, u'dario': 3, u'cyndi': 3, u'oliver': 3, u'photos': 3, u'andrei': 3, u'marcel': 3, u'rotciv': 3, u'party': 3, u'lucian': 3, u'pam': 3, u'kelvin': 3, u'weed': 3, u'intergye': 3, u'roxana': 3, u'snort': 3, u'regina': 3, u'ellie': 3, u'vivian': 3, u'mandrake': 3, u'francis': 3, u'wolf': 3, u'image': 3, u'file': 3, u'diablo': 3, u'terry': 3, u'god': 3, u'tv': 3, u'foster': 3, u'comercial': 3, u'billie': 3, u'maggie': 3, u'ted': 3, u'tanya': 3, u'banking': 3, u'public': 3, u'deborah': 3, u'christian': 3, u'rpmrpm': 3, u'search': 3, u'more': 3, u'yolanda': 3, u'aleph': 3, u'nina': 3, u'morgan': 3, u'celina': 3, u'dilli': 3, u'doctor': 3, u'egg': 3, u'filip': 3, u'sameer': 3, u'corine': 3, u'joel': 3, u'secret': 3, u'todd': 3, u'quincy': 3, u'douglas': 3, u'debby': 3, u'lavinia': 3, u'daisy': 3, u'dona': 3, u'eminem': 3, u'eddy': 3, u'jen': 3, u'jordan': 3, u'zachary': 3, u'stu': 3, u'greg': 3, u'dana': 3, u'wilson': 3, u'tokend': 3, u'sherry': 3, u'sandra': 3, u'microsoft': 3, u'jared': 3, u'sunny': 3, u'qwer1234': 3, u'webpop': 3, u'user4': 3, u'spamtest': 3, u'elsa': 3, u'fritz': 3, u'nakao': 3, u'vox': 3, u'monroe': 3, u'cezar': 3, u'doreen': 3, u'qwer': 3, u'courtney': 3, u'easter': 3, u'marco': 3, u'donna': 3, u'ross': 3, u'silence': 3, u'daphne': 3, u'junior': 3, u'paola': 3, u'curt': 3, u'chat': 3, u'ellen': 3, u'jojo': 3, u'larisa': 3, u'jason': 3, u'cynthia': 3, u'alien': 3, u'edu': 3, u'sigmund': 3, u'juliana': 3, u'leonardo': 3, u'joey': 3, u'elisa': 3, u'amavisd': 3, u'judy': 3, u'nicholas': 3, u'bird': 3, u'nozama': 3, u'mauricio': 3, u'lee': 3, u'exchange': 3, u'kufew3': 3, u'sgi': 3, u'harrypotter': 3, u'unreal': 3, u'quinton': 3, u'fran': 3, u'ronald': 3, u'amazon': 3, u'webroot': 3, u'ls': 3, u'carola': 3, u'morris': 3, u'dorothea': 3, u'eugen': 3, u'ricky': 3, u'ricki': 3, u'harold': 3, u'austin': 3, u'echo': 3, u'julian': 3, u'bertha': 3, u'violeta': 3, u'bret': 3, u'charles': 3, u'boris': 3, u'lucky': 3, u'destiny': 3, u'bascketball': 3, u'job': 3, u'dataserv': 3, u'tempuser': 3, u'quin': 3, u'student1': 3, u'spain': 3, u'homer': 3, u'erin': 3, u'will': 3, u'vicky': 3, u'simoni': 3, u'halt': 3, u'matthew': 3, u'killer': 3, u'raymond': 3, u'adelina': 3, u'gloria': 3, u'ashley': 3, u'antonio': 3, u'patricia': 3, u'candy': 3, u'wendy': 3, u'betty': 3, u'sasha': 3, u'dolores': 3, u'ed': 3, u'daniele': 3, u'hp': 3, u'EDI': 3, u'beatrice': 3, u'diego': 3, u'drugs': 3, u'hockey': 3, u'chile': 2, u'four': 2, u'woody': 2, u'hate': 2, u'evelina': 2, u'buddy': 2, u'charlyne': 2, u'nachum': 2, u'callie': 2, u'dorine': 2, u'yellow': 2, u'carys': 2, u'herbert': 2, u'kevin123': 2, u'eustace': 2, u'harriet': 2, u'caryn': 2, u'Ftp': 2, u'neal': 2, u'pyramid': 2, u'zander': 2, u'panda': 2, u'maurta': 2, u'ned': 2, u'asia': 2, u'chaela': 2, u'xena': 2, u'eventos': 2, u'meg': 2, u'zack': 2, u'zach': 2, u'reporter': 2, u'herb': 2, u'hera': 2, u'drew': 2, u'studio': 2, u'mex': 2, u'gerry': 2, u'luther': 2, u'kids': 2, u'cindi': 2, u'reports': 2, u'credit': 2, u'cari': 2, u'savanna': 2, u'quarnstrom': 2, u'reagan': 2, u'class2005': 2, u'sloane': 2, u'musiq': 2, u'tanaka': 2, u'spike': 2, u'cala': 2, u'adam123': 2, u'giovanni': 2, u'adnan': 2, u'irvin': 2, u'mb': 2, u'mv': 2, u'carmel': 2, u'keegan': 2, u'chanda': 2, u'terance': 2, u'joana': 2, u'machine': 2, u'faxfax': 2, u'ria': 2, u'zed': 2, u'octav': 2, u'kwan': 2, u'italy': 2, u'law': 2, u'royce': 2, u'00089': 2, u'cheri': 2, u'harley': 2, u'danna': 2, u'operations': 2, u'admin1': 2, u'bella': 2, u'nachtsheim': 2, u'london': 2, u'oswald': 2, u'christin': 2, u'christie': 2, u'garry': 2, u'oracle123': 2, u'rowland': 2, u'cassiopeia': 2, u'elyzabeth': 2, u'yasmine': 2, u'loraine': 2, u'carha': 2, u'yasmina': 2, u'lillian': 2, u'chuck': 2, u'celese': 2, u'ingrid': 2, u'debug': 2, u'briana': 2, u'hsiao': 2, u'roxy': 2, u't1na': 2, u'wednesday': 2, u'doug': 2, u'laboratory': 2, u'truman': 2, u'saturday': 2, u'chrissie': 2, u'oprah': 2, u'mandy': 2, u'mason': 2, u'gov': 2, u'everett': 2, u'tasha': 2, u'nabb': 2, u'caprice': 2, u'isa': 2, u'louie': 2, u'nigel': 2, u'timothy': 2, u'top': 2, u'peggie': 2, u'gilbert': 2, u'tod': 2, u'caitlyn': 2, u'casandra': 2, u'chantel': 2, u'geena': 2, u'wynonna': 2, u'stacee': 2, u'matteo': 2, u'williams': 2, u'stacey': 2, u'cayla': 2, u'ilene': 2, u'quarchioni': 2, u'raj': 2, u'ming': 2, u'nabors': 2, u'caley': 2, u'ocean': 2, u'rudolph': 2, u'chrystal': 2, u'snow': 2, u'derek': 2, u'susie': 2, u'faye': 2, u'tye': 2, u'object': 2, u'chriss': 2, u'cailine': 2, u'doc': 2, u'nabiesa': 2, u'random': 2, u'carmelita': 2, u'liza': 2, u'nevada': 2, u'louisa': 2, u'claude': 2, u'menu': 2, u'cashlin': 2, u'rick': 2, u'ldap': 2, u'wonda': 2, u'madalina': 2, u'rica': 2, u'roseanne': 2, u'christopher': 2, u'nathan': 2, u'chanel': 2, u'earl': 2, u'gareth': 2, u'tftper': 2, u'guns': 2, u'cleta': 2, u'julien': 2, u'cleo': 2, u'clea': 2, u'lexus': 2, u'best': 2, u'juliet': 2, u'brazil': 2, u'mitch': 2, u'nabisah': 2, u'artificial': 2, u'keisha': 2, u'mel': 2, u'muh': 2, u'arcer': 2, u'jasmine': 2, u'theresa': 2, u'sharleen': 2, u'ircop': 2, u'edgar': 2, u'raphaela': 2, u'brad': 2, u'nameserver': 2, u'com': 2, u'darian': 2, u'sullivan': 2, u'royal': 2, u'karen': 2, u'sal': 2, u'riley': 2, u'sydney': 2, u'chun': 2, u'caterina': 2, u'xxx': 2, u'irving': 2, u'carlota': 2, u'manet': 2, u'vikky': 2, u'forum': 2, u'charisse': 2, u'charissa': 2, u'jerald': 2, u'veronica': 2, u'seven': 2, u'class2004': 2, u'mexico': 2, u'iq': 2, u'jackie': 2, u'cinda': 2, u'madonna': 2, u'mouse': 2, u'id': 2, u'roderic': 2, u'camellia': 2, u'sammer': 2, u'hank': 2, u'leroy': 2, u'theodore': 2, u'kip': 2, u'theodora': 2, u'florin': 2, u'kit': 2, u'pubs': 2, u'tyson': 2, u'larissa': 2, u'dylan': 2, u'lucas': 2, u'dorin': 2, u'charlie': 2, u'dallas': 2, u'chantelle': 2, u'chamille': 2, u'protocol': 2, u'laptop': 2, u'ginnie': 2, u'christyn': 2, u'ciara': 2, u'secure': 2, u'hal': 2, u'eustaces': 2, u'cherry': 2, u'wright': 2, u'board': 2, u'suzan': 2, u'east': 2, u'gregg': 2, u'vin': 2, u'nabeil': 2, u'julia': 2, u'judge': 2, u'picasso': 2, u'arao': 2, u'bobby': 2, u'lily': 2, u'mit': 2, u'clementine': 2, u'old': 2, u'jarod': 2, u'oli': 2, u'jennifer': 2, u'chenoa': 2, u'steph': 2, u'olga': 2, u'christmas': 2, u'localhost': 2, u'core': 2, u'payment': 2, u'burt': 2, u'yoko': 2, u'phillip': 2, u'coral': 2, u'chumani': 2, u'cherish': 2, u'cherise': 2, u'marshal': 2, u'corrina': 2, u'cathrine': 2, u'duke': 2, u'farrell': 2, u'tyrell': 2, u'maxwell': 2, u'sapdb': 2, u'lois': 2, u'device': 2, u'mambo': 2, u'jena': 2, u'malcom': 2, u'gib': 2, u'gia': 2, u'gil': 2, u'happy': 2, u'naaseh': 2, u'1qazxsw2': 2, u'lenny': 2, u'wwwdata': 2, u'zena': 2, u'jaimie': 2, u'octavius': 2, u'cassia': 2, u'esteban': 2, u'archive': 2, u'encrypt': 2, u'us': 2, u'na': 2, u'chucky': 2, u'richie': 2, u'tess': 2, u'phoenix': 2, u'devon': 2, u'maureen': 2, u'deepak': 2, u'hannes': 2, u'cathleen': 2, u'bambi': 2, u'qwpoeriuty': 2, u'paige': 2, u'leslie': 2, u'chaim': 2, u'caleigh': 2, u'roy': 2, u'parker': 2, u'informix': 2, u'velma': 2, u'colleen': 2, u'ros': 2, u'quarneri': 2, u'vpn': 2, u'lotus': 2, u'hellen': 2, u'jazmin': 2, u'yasmin': 2, u'cathie': 2, u'tear': 2, u'gus': 2, u'guy': 2, u'meadow': 2, u'htt': 2, u'trent': 2, u'elton': 2, u'barbie': 2, u'eliza': 2, u'celestine': 2, u'maximilian': 2, u'axel': 2, u'cecily': 2, u'zeph': 2, u'vergil': 2, u'gladys': 2, u'change': 2, u'ftpadmin': 2, u'buck': 2, u'jeanine': 2, u'nobody123': 2, u'ydnah': 2, u'cinnamon': 2, u'doris': 2, u'ciel': 2, u'sistemas': 2, u'cailin': 2, u'hotels': 2, u'monika': 2, u'angry': 2, u'testaccount': 2, u'peru': 2, u'tmpuser': 2, u'chocolate': 2, u'carissa': 2, u'test5': 2, u'autumn': 2, u'wanda': 2, u'car': 2, u'jude': 2, u'cat': 2, u'cai': 2, u'three': 2, u'nachazel': 2, u'webster': 2, u'fulton': 2, u'natasha': 2, u'dedicated': 2, u'december': 2, u'chip': 2, u'winston': 2, u'fuck': 2, u'topic': 2, u'earleen': 2, u'gabby': 2, u'reed': 2, u'caressa': 2, u'dennis': 2, u'caresse': 2, u'clair': 2, u'ferdinand': 2, u'winter': 2, u'sidney': 2, u'parcy': 2, u'xgridcontroller': 2, u'osborne': 2, u'mad': 2, u'date': 2, u'rickey': 2, u'nabeel': 2, u'june': 2, u'su': 2, u'osborn': 2, u'casidhe': 2, u'cole': 2, u'wallace': 2, u'chalice': 2, u'tweety': 2, u'cheyenne': 2, u'kacey': 2, u'rolph': 2, u'adrian123': 2, u'tucker': 2, u'hamilton': 2, u'ritchie': 2, u'ftpusr01': 2, u'ileana': 2, u'jamey': 2, u'fabian': 2, u'xrj': 2, u'rock': 2, u'irine': 2, u'lizabeth': 2, u'ahmad': 2, u'year': 2, u'fredrick': 2, u'winona': 2, u'album': 2, u'dudley': 2, u'jackson': 2, u'whiteley': 2, u'pamela': 2, u'kent': 2, u'internet': 2, u'cissy': 2, u'ajay': 2, u'chava': 2, u'carl': 2, u'cara': 2, u'chavi': 2, u'marla': 2, u'lucius': 2, u'cyrus123': 2, u'sven': 2, u'test2res': 2, u'gordon': 2, u'romania': 2, u'one': 2, u'carry': 2, u'open': 2, u'osbourne': 2, u'gertrude': 2, u'ian': 2, u'bianca': 2, u'Monday': 2, u'cassondra': 2, u'virgil': 2, u'chastity': 2, u'hillary': 2, u'calantha': 2, u'goba': 2, u'cvsuser1': 2, u'mathilda': 2, u't120': 2, u'constanza': 2, u'rodrique': 2, u'sophia': 2, u'slaw': 2, u'test4': 2, u'sad': 2, u'conversion': 2, u'aslkdfjh': 2, u'note': 2, u'bailey': 2, u'caralee': 2, u'printer': 2, u'norman': 2, u'trace': 2, u'loyd': 2, u'sherman': 2, u'roxie': 2, u'connor': 2, u'michelle': 2, u'chrysanta': 2, u'phil': 2, u'rosalin': 2, u'german': 2, u'bchavez': 2, u'percy': 2, u'jaqueline': 2, u'geography': 2, u'merlin': 2, u'romanian': 2, u'dick': 2, u'gnax': 2, u'naarden': 2, u'admin2': 2, u'oinstall': 2, u'kiki': 2, u'postgress': 2, u'candita': 2, u'accounts1': 2, u'stacie': 2, u'egghead': 2, u'testbox': 2, u'lnx': 2, u'coletta': 2, u'stanley': 2, u'sport': 2, u'calan': 2, u'tylor': 2, u'harvey': 2, u'mihai': 2, u'ROOT': 2, u'tisha': 2, u'tania': 2, u'august': 2, u'kristal': 2, u'timmy': 2, u'webchat': 2, u'sparc': 2, u'elijah': 2, u'joby': 2, u'cedric': 2, u'mona': 2, u'natasa': 2, u'jericho': 2, u'tour': 2, u'abc123': 2, u'chaya': 2, u'firewall': 2, u'poq': 2, u'user5': 2, u'kev': 2, u'callista': 2, u'lidia': 2, u'howard': 2, u'west': 2, u'porsche': 2, u'carey': 2, u'cecelia': 2, u'edmund': 2, u'protocolo': 2, u'elvis': 2, u'tiger': 2, u'rugby': 2, u'polly': 2, u'fnet': 2, u'washington': 2, u'isabelle': 2, u'casi': 2, u'coco': 2, u'cock': 2, u'troy': 2, u'suse': 2, u'ftpin': 2, u'GNU': 2, u'candace': 2, u'technology': 2, u'susane': 2, u'etc': 2, u'edwin': 2, u'nabi': 2, u'emely': 2, u'cassie': 2, u'eva': 2, u'db4web': 2, u'downloads': 2, u'harris': 2, u'muthu': 2, u'loreen': 2, u'bryce': 2, u'narcissa': 2, u'frankie': 2, u'noah': 2, u'toby': 2, u'roxane': 2, u'jule': 2, u'harrison': 2, u'baldwin': 2, u'hayley': 2, u'kirk': 2, u'cloris': 2, u'rose': 2, u'kimberly': 2, u'careers': 2, u'catrina': 2, u'virginia': 2, u'earnest': 2, u'phpbb': 2, u'rebecca': 2, u'robbie': 2, u'sales123': 2, u'walt': 2, u'christina': 2, u'beverly': 2, u'inter': 2, u'ventas': 2, u'simulator': 2, u'lorene': 2, u'garey': 2, u'eddie': 2, u'charnette': 2, u'naas': 2, u'joan': 2, u'chloris': 2, u'shaq': 2, u'addicted': 2, u'lucy': 2, u'chalise': 2, u'on': 2, u'ok': 2, u'oz': 2, u'barry': 2, u'ro0tTri!10biteS': 2, u'gregory': 2, u'teddy': 2, u'clarice': 2, u'penelope': 2, u'accounts': 2, u'charla': 2, u'wade': 2, u'cati': 2, u'shelly': 2, u'cherlin': 2, u'mdb': 2, u'liane': 2, u'lou': 2, u'racquel': 2, u'trey': 2, u'spider': 2, u'vickie': 2, u'PostgreSQL': 2, u'thelma': 2, u'kiscica123': 2, u'october': 2, u'stanford': 2, u'pule': 2, u'freddy': 2, u'miguel': 2, u'russ': 2, u'taylor': 2, u'johnny': 2, u'student2': 2, u'catrin': 2, u'eliot': 2, u'heather': 2, u'pmok': 2, u'collin': 2, u'caltech': 2, u'sql123': 2, u'shaun': 2, u'nabkel': 2, u'miriam': 2, u'terra': 2, u'walker': 2, u'brandy': 2, u'perry': 2, u'Dragon': 2, u'natalie': 2, u'ileen': 2, u'cally': 2, u'raphael': 2, u'calla': 2, u'calli': 2, u'sandie': 2, u'nagiosuser': 2, u'cameron': 2, u'claudiane': 2, u'jerome': 2, u'chesna': 2, u'griffin': 2, u'keith': 2, u'thursday': 2, u'homepage': 2, u'norm': 2, u'esther': 2, u'rod': 2, u'sloan': 2, u'candie': 2, u'candida': 2, u'zoey': 2, u'chasity': 2, u'candide': 2, u'shania': 2, u'carlene': 2, u'lillie': 2, u'gerrard': 2, u'roz': 2, u'donovan': 2, u'charlize': 2, u'chandelle': 2, u'ten': 2, u'gayle': 2, u'robyn': 2, u'design': 2, u'ftpguest': 2, u'cornelia': 2, u'silvester': 2, u'sue': 2, u'nano': 2, u'rosaleen': 2, u'cameryn': 2, u'kate': 2, u'sus': 2, u'n2h2': 2, u'christi': 2, u'kaitlin': 2, u'ceara': 2, u'sa': 2, u'christy': 2, u'november': 2, u'strong': 2, u'cordelia': 2, u'stella': 2, u'Victor': 2, u'jazmine': 2, u'family': 2, u'catarina': 2, u'florence': 2, u'select': 2, u'jayme': 2, u'nabil': 2, u'two': 2, u'evelyn': 2, u'jannine': 2, u'turbo': 2, u'r0x1ng': 2, u'leonard': 2, u'cleantha': 2, u'nabavi': 2, u'chardonnay': 2, u'ramana': 2, u'science': 2, u'nine': 2, u'deb': 2, u'sniper': 2, u'renato': 2, u'scan': 2, u'atena': 2, u'celine': 2, u'cherie': 2, u'chardae': 2, u'hugo': 2, u'xaviar': 2, u'perl': 2, u'sonia': 2, u'pat': 2, u'rudy': 2, u'xaviera': 2, u'dorms': 2, u'jodie': 2, u'celene': 2, u'marlon': 2, u'celena': 2, u'trevor': 2, u'dolph': 2, u'leroi': 2, u'september': 2, u'fraser': 2, u'carmela': 2, u'logan': 2, u'testrese': 2, u'cammie': 2, u'developer': 2, u'mateo': 2, u'melisa': 2, u'gerald': 2, u'zxin': 2, u'scot': 2, u'isaac': 2, u'girl': 2, u'lacey': 2, u'susana': 2, u'good': 2, u'curtis': 2, u'otto': 2, u'hunter': 2, u'damon': 2, u'rosaline': 2, u'eugenia': 2, u'casie': 2, u'vivianne': 2, u'chandra': 2, u'mexmex': 2, u'neil': 2, u'tiffany': 2, u'jeffrey': 2, u'mackenzie': 2, u'lola': 2, u'flower': 2, u'ernie': 2, u'samantha': 2, u'beavis': 2, u'benjamin': 2, u'jeremiah': 2, u'friday': 2, u'netstat': 2, u'darius': 2, u'ftpout': 2, u'nabsiah': 2, u'reseller01': 2, u'reseller02': 2, u'kathrine': 2, u'randall': 2, u'kathrina': 2, u'naberhuis': 2, u'barbara': 2, u'sylvester': 2, u'rona': 2, u'jhonny': 2, u'nace': 2, u'naci': 2, u'valentine': 2, u'lorainne': 2, u'mlmb': 2, u'storm': 2, u'kailey': 2, u'apolo': 2, u'jed': 2, u'giselle': 2, u'hotel': 2, u'marylyn': 2, u'valdeir': 2, u'dbmaker': 2, u'grace': 2, u'king': 2, u'grep': 2, u'charlot': 2, u'claudiu': 2, u'mickey': 2, u'charna': 2, u'garfield': 2, u'lib': 2, u'shelby': 2, u'florian': 2, u'client': 2, u'liz': 2, u'caroleen': 2, u'play': 2, u'vnc': 2, u'english': 2, u'charu': 2, u'freddie': 2, u'charo': 2, u'services': 2, u'kay': 2, u'ronny': 2, u'kb': 2, u'chester': 2, u'clarisa': 2, u'gabe': 2, u'physics': 2, u'choco': 2, u'access': 2, u'kaleb': 2, u'rocket': 2, u'duncan': 2, u'justice': 2, u'wayne': 2, u'colby': 2, u'john123': 2, u'test8': 2, u'moses': 2, u'jhonathan': 2, u'luke': 2, u'calliope': 2, u'jeanna': 2, u'catina': 2, u'trudy': 2, u'bytes': 2, u'changeme': 2, u'rajesh': 2, u'coetta': 2, u'vincent': 2, u'zorro': 2, u'bart': 2, u'maurice': 2, u'jade': 2, u'psybnc': 2, u'kylix': 2, u'charlette': 2, u'testertester': 2, u'close': 2, u'naaima': 2, u'tatiana': 2, u'admin321': 2, u'tristan': 2, u'jerrard': 2, u'c': 2, u'last': 2, u'secrets': 2, u'jocelyn': 2, u'keaton': 2, u'sex': 2, u'chaunte': 2, u'goverment': 2, u'camie': 2, u'smith': 2, u'celeste': 2, u'gypsy': 2, u'sammy': 2, u'ps': 2, u'rox': 2, u'geoffrey': 2, u'cloey': 2, u'qmailq': 2, u'harmonie': 2, u'chandler': 2, u'pm': 2, u'kathy': 2, u'ram': 2, u'gay': 2, u'boy': 2, u'whitney': 2, u'wyatt': 2, u'pace': 2, u'nate': 2, u'luciana': 2, u'mdom': 2, u'guide': 2, u'soporte': 2, u'finalwish': 2, u'kurtis': 2, u'leann': 2, u'ebay': 2, u'chase': 2, u'nichole': 2, u'barney': 2, u'elana': 2, u'grant': 2, u'webtest': 2, u'nabumasa': 2, u'viola': 2, u'ruth': 2, u'franklin': 2, u'selma': 2, u'syd': 2, u'jesica': 2, u'stacy': 2, u'test12345': 2, u'louis': 2, u'vscan': 2, u'chang': 2, u'daren': 2, u'bouncer': 2, u'rafael': 2, u'leona': 2, u'chemistry': 2, u'ozzie': 2, u'hotdog': 2, u'sunos': 2, u'mgonzalez': 2, u'selby': 2, u'chanelle': 2, u'forrest': 2, u'prince': 2, u'test6': 2, u'chavon': 2, u'calista': 2, u'huey': 2, u'cheryl': 2, u'march': 2, u'marci': 2, u'marcy': 2, u'projects': 2, u'mariah': 2, u'calypso': 2, u'marian': 2, u'donny': 2, u'marlin': 2, u'candice': 2, u'gopher123': 2, u'alexandre': 2, u'fucking': 2, u'spring': 2, u'dangaard': 2, u'resin': 2, u'demodemo': 2, u'gracie': 2, u'pen': 2, u'bogus': 2, u'chantilly': 2, u'peg': 2, u'cgi': 2, u'stef': 2, u'hellena': 2, u'santa': 2, u'caron': 2, u'ingresdb': 2, u'faith': 2, u'snoop': 2, u'emmy': 2, u'camelia': 2, u'brooklyn': 2, u'cece': 2, u'stuart': 2, u'gallagher': 2, u'charys': 2, u'dwight': 2, u'jimmy': 2, u'clinton': 2, u'webhost': 2, u'carlton': 2, u'financeiro': 2, u'madalin': 2, u'pentagon': 2, u'katie': 2, u'sonny': 2, u'isabell': 2, u'tigger': 2, u'submit': 2, u'bios': 2, u'charmaine': 2, u'debbie': 2, u'fabio': 2, u'invite': 2, u'murphy': 2, u'lydia': 2, u'jacki': 2, u'chelsey': 2, u'erick': 2, u'erica': 2, u'uk': 2, u'chelsea': 2, u'butthead': 2, u'scarlet': 2, u'lyn': 2, u'graham': 2, u'lyle': 2, u'peter': 2, u'tara': 2, u'sqlsql': 2, u'lucia': 2, u'calandra': 2, u'evan': 2, u'ryana': 2, u'geraldine': 2, u'chynna': 2, u'kaylie': 2, u'rewt': 2, u'rabbit': 2, u'gp': 2, u'codi': 2, u'vinnie': 2, u'qpalzm': 2, u'rhonda': 2, u'carley': 2, u'carmelie': 2, u'maddie': 2, u'cesar': 2, u'lilly': 2, u'scarlett': 2, u'garret': 2, u'consuela': 2, u'games123': 2, u'winnie': 2, u'kitty': 2, u'consuelo': 2, u'confixx': 2, u'isaiah': 2, u'carman': 2, u'nabesa': 2, u'magic': 2, u'lynda': 2, u'eve': 2, u'gretta': 2, u'julius': 2, u'race': 2, u'roscoe': 2, u'carter': 2, u'carly': 2, u'osvaldo': 2, u'naomi': 2, u'edison': 2, u'kris': 2, u'laurence': 2, u'camile': 2, u'susanne': 2, u'susanna': 2, u'phoebe': 2, u'Monday44': 2, u'FTP': 2, u'nachi': 2, u'desiree': 2, u'lex': 2, u'webportal': 2, u'ruthie': 2, u'qmaill': 2, u'cera': 2, u'cleopatra': 2, u'chynnah': 2, u'rufus': 2, u'qmailr': 2, u'qmails': 2, u'qmailp': 2, u'peterpan': 2, u'sheila': 2, u'clark': 2, u'win': 2, u'wil': 2, u'channon': 2, u'manny': 2, u'kenny': 2, u'cloud': 2, u'droopy': 2, u'lesly': 2, u'next': 2, u'develina': 2, u'capri': 2, u'randy': 2, u'testtest123': 2, u'reynold': 2, u'denys': 2, u'src': 2, u'carlie': 2, u'connie': 2, u'charity': 2, u'sample': 2, u'britney': 2, u'emerson': 2, u'control': 2, u'tar': 2, u'cierra': 2, u'enrique': 2, u'lenore': 2, u'gene': 2, u'six': 2, u'lesley': 2, u'camilla': 2, u'forest': 2, u'sid': 2, u'jhow': 2, u'cameren': 2, u'luigi': 2, u'fitz': 2, u'abuse': 2, u'dominick': 2, u'tomato': 2, u'laurie': 2, u'nancy': 2, u'clarissa': 2, u'evelyne': 2, u'joanne': 2, u'meteo': 2, u'joanna': 2, u'posfix': 2, u'charlene': 2, u'warren': 2, u'glen': 2, u'caitlen': 2, u'bridget': 2, u'jodi': 2, u'sabrina': 2, u'dustin': 2, u'carole': 2, u'gwenyth': 2, u'freeman': 2, u'docs': 2, u'auth': 2, u'brand': 2, u'snoopy': 2, u'terence': 2, u'dax': 2, u'day': 2, u'february': 2, u'atendimento': 2, u'darcy': 2, u'naadland': 2, u'denzel': 2, u'warner': 2, u'eula': 2, u'caimile': 2, u'chyna': 2, u'carlotta': 2, u'wally': 2, u'math': 2, u'chaeli': 2, u'sendmail': 2, u'cordia': 2, u'charis': 2, u'harriett': 2, u'transfer': 2, u'jill': 2, u'york': 2, u'philip': 2, u'godfrey': 2, u'horace': 2, u'humphrey': 2, u'south': 2, u'collice': 2, u'chavonne': 2, u'justine': 2, u'bitch': 2, u'start': 2, u'cvsadmin': 2, u'mkdir': 2, u'hilary': 2, u'ryley': 2, u'vishnu': 2, u'news123': 2, u'norton': 2, u'carleen': 2, u'skyrix': 2, u'seymour': 2, u'greta': 2, u'megan': 2, u'tommie': 2, u'ludovic': 2, u'july': 2, u'ifconfig': 2, u'roberta': 2, u'bea': 2, u'roberto': 2, u'cerita': 2, u'sec': 2, u'chelsie': 2, u'clio': 2, u'cecil': 2, u'eryn': 2, u'cherylyn': 2, u'tomaso': 2, u'admosfer': 2, u'fin4lwish': 2, u'octavia': 2, u'charmyn': 2, u'prueba2': 2, u'prueba3': 2, u'prueba1': 2, u'chantell': 2, u'johnathan': 2, u'hiphop': 2, u'montana': 2, u'eight': 2, u'sally': 2, u'manoj': 2, u'quardo': 2, u'rodica': 2, u'chablis': 2, u'xavier': 2, u'catalina': 2, u'brenda': 2, u'scotty': 2, u'florentina': 2, u'lloyd': 2, u'fax123': 2, u'cherryl': 2, u'cicely': 2, u'cache': 2, u'ethan': 2, u'alex123': 2, u'sylvia': 2, u'local': 2, u'lynn': 2, u'rocco': 2, u'titus': 2, u'ripley': 2, u'mercedes': 2, u'gibson': 2, u'view': 2, u'freeze': 2, u'travis': 2, u'computer': 2, u'goddard': 2, u'darkblue': 2, u'trish': 2, u'www-admin': 2, u'calhoun': 2, u'bruno': 2, u'cicily': 2, u'cassidy': 2, u'leyla': 2, u'janet': 2, u'duane': 2, u'merry': 2, u'robby': 2, u'ronda': 2, u'xgridagent': 2, u'vernon': 2, u'rodney': 2, u'zeke': 2, u'christen': 2, u'clodia': 2, u'tuesday': 2, u'scanner': 2, u'willy': 2, u'elmer': 2, u'bbb': 2, u'nellie': 2, u'webdeveloper': 2, u'ftpsecure': 2, u'filippo': 2, u'penny': 2, u'chassity': 2, u'vince': 2, u'jody': 2, u'augusta': 2, u'nabih': 2, u'jeanette': 2, u'dasusr': 2, u'site': 2, u'sherlock': 2, u'rodrigo': 2, u'russel': 2, u'juan': 2, u'ina': 2, u'member': 2, u'quarles': 2, u'wolfgang': 2, u'mauro': 2, u'columbia': 2, u'craigh': 2, u'seth': 2, u'chassady': 2, u'samir': 2, u'test7': 2, u'less': 2, u'test9': 2, u'liliana': 2, u'patric': 2, u'Sunday': 2, u'dakota': 2, u'naty': 2, u'suellen': 2, u'sky': 2, u'handy': 2, u'toni': 2, u'calina': 2, u'geffrey': 2, u'livia': 2, u'monique': 2, u'five': 2, u'attila': 2, u'lincoln': 2, u'lilian': 2, u'adabas': 2, u'january': 2, u'soft': 2, u'candi': 2, u'gillian': 2, u'webbox': 2, u'jeremy': 2, u'leah': 2, u'ralf': 2, u'marilena': 2, u'christiana': 2, u'slut': 2, u'ridley': 2, u'host': 2, u'leopold': 2, u'panel': 2, u'iris': 2, u'vamalc': 2, u'tomi': 2, u'carolyn': 2, u'glenn': 2, u'pussy': 2, u'val': 2, u'cinderella': 2, u'mailusers': 2, u'claral': 2, u'north': 2, u'rodger': 2, u'shana': 2, u'caitlin': 2, u'gaynor': 2, u'guinevre': 2, u'editing': 2, u'bud': 2, u'bradley': 2, u'baptist': 2, u'carmella': 2, u'hosting': 2, u'buffy': 2, u'maura': 2, u'camryn': 2, u'erik': 2, u'mya': 2, u'education': 2, u'draco': 2, u'pussycat': 2, u'nabisco': 2, u'angelofdeath': 2, u'marius': 2, u'rian': 2, u'lance': 2, u'hacker': 2, u'star': 2, u'cassarah': 2, u'rex': 2, u'margaret': 2, u'mgomez': 2, u'davy': 2, u'leonam': 2, u'stan': 2, u'sybil': 2, u'wilma': 2, u'usertest': 2, u'mantest': 1, u'info123': 1, u'naiyer': 1, u'cretu': 1, u'ninanina': 1, u'elvina': 1, u'adm123': 1, u'alex321': 1, u'crete': 1, u'suzana': 1, u'quimby': 1, u'marcos': 1, u'paris': 1, u'komtemp': 1, u'nakul': 1, u'nadgia': 1, u'quimado': 1, u'nistor': 1, u'pysco': 1, u'delu': 1, u'tanakatanaka': 1, u'dan321': 1, u'rachail': 1, u'elissa': 1, u'intsup': 1, u'eileen': 1, u'dianthe': 1, u'quatrefage': 1, u'sk01': 1, u'darrian': 1, u'eleanora': 1, u'nair': 1, u'eleanore': 1, u'nail': 1, u'naim': 1, u'naik': 1, u'naif': 1, u'nahabedian': 1, u'manux': 1, u'quinteros': 1, u'lukman': 1, u'raddalgoda': 1, u'sandra123': 1, u'nee': 1, u'selena': 1, u'radomir': 1, u'dory': 1, u'dineen': 1, u'dore': 1, u'rabiah': 1, u'ching': 1, u'rabian': 1, u'path': 1, u'dori': 1, u'102938': 1, u'333': 1, u'karim': 1, u'cretzu': 1, u'sientelo': 1, u'cpanel123': 1, u'nafzgar': 1, u'racioppi': 1, u'eboni': 1, u'nadirpour': 1, u'quiroz': 1, u'janine': 1, u'baltazar': 1, u'ebony': 1, u'vjohnson': 1, u'radosevich': 1, u'quindo': 1, u'hiroi': 1, u'elloise': 1, u'nathan123': 1, u'capital': 1, u'loveyou': 1, u'danilee': 1, u'nullmail': 1, u'yahoo': 1, u'guest6': 1, u'guest7': 1, u'guest4': 1, u'guest5': 1, u'guest3': 1, u'guest1': 1, u'guest8': 1, u'guest9': 1, u'shoot': 1, u'doda': 1, u'join': 1, u'dodi': 1, u'quilala': 1, u'mk': 1, u'movies': 1, u'kamran': 1, u'raasch': 1, u'darleen': 1, u'222222': 1, u'damemma': 1, u'uucp123': 1, u'tiffeny': 1, u'ready': 1, u'GIS': 1, u'gordi': 1, u'quartermain': 1, u'quiller': 1, u'travel': 1, u'LK': 1, u'quehl': 1, u'ens': 1, u'quillen': 1, u'quoi': 1, u'quon': 1, u'quintero': 1, u'telmo': 1, u'faq': 1, u'ntp123': 1, u'olimpic': 1, u'nadezda': 1, u'smoke': 1, u'matt123': 1, u'mago123': 1, u'vagelis': 1, u'nadyne': 1, u'frederic': 1, u'admin01': 1, u'anita': 1, u'updater': 1, u'rivka': 1, u'helene': 1, u'qaz': 1, u'famille': 1, u'edita': 1, u'rabolin': 1, u'better': 1, u'carlo321': 1, u'destry': 1, u'coffee': 1, u'nightcat': 1, u'newuser1': 1, u'bang': 1, u'galaxy': 1, u'jesus': 1, u'sync123': 1, u'queuer': 1, u'alexis': 1, u'anastasia': 1, u'luca': 1, u'wemaster': 1, u'nik': 1, u'bernard123': 1, u'vava': 1, u'milan': 1, u'gates': 1, u'maria123': 1, u'corlena': 1, u'quocanh': 1, u'quirin': 1, u'sopporte': 1, u'mago321': 1, u'nakajima': 1, u'ra': 1, u'creola': 1, u'rm': 1, u'33333333': 1, u'kaylu': 1, u'resume': 1, u'quenderff': 1, u'karim123': 1, u'querengesser': 1, u'free': 1, u'vivian123': 1, u'quevillon': 1, u'delphine': 1, u'angus': 1, u'dorinda': 1, u'nadern': 1, u'nafisha': 1, u'suva': 1, u'damaris': 1, u'creatza': 1, u'nfsroot': 1, u'davita': 1, u'dione': 1, u'system': 1, u'8888888': 1, u'gmorris': 1, u'nalepa': 1, u'raabel': 1, u'radmila': 1, u'rabara': 1, u'paredes123': 1, u'deiondre': 1, u'bernard321': 1, u'quinta': 1, u'unosol': 1, u'nahr': 1, u'maria321': 1, u'chiune': 1, u'quatrida': 1, u'carmen321': 1, u'bebe': 1, u'bartolomeu': 1, u'rachmaninoff': 1, u'nain': 1, u'natty': 1, u'nakaso': 1, u'triplex': 1, u'countess': 1, u'rad': 1, u'rab': 1, u'rac': 1, u'rainman': 1, u'sara321': 1, u'statd': 1, u'ogam': 1, u'bestrella321': 1, u'patrick321': 1, u'quill': 1, u'masterpost': 1, u'ulrich': 1, u'haisou': 1, u'dessa': 1, u'anthony123': 1, u'naegeli': 1, u'nagaraja': 1, u'naidu': 1, u'kelly123': 1, u'nagaoka': 1, u'undernet': 1, u'johan': 1, u'professor': 1, u'dorcas': 1, u'quensetta': 1, u'yuzhakov': 1, u'quezada': 1, u'elvenia': 1, u'financ': 1, u'soren': 1, u'edeline': 1, u'rabayda': 1, u'donelle': 1, u'radit': 1, u'quevrin': 1, u'radio': 1, u'edana': 1, u'nadeem': 1, u'paymaster': 1, u'z1x2c3': 1, u'georgiana': 1, u'sugar': 1, u'rico': 1, u'stephane': 1, u'jack123': 1, u'df': 1, u'plato': 1, u'watson': 1, u'agostino': 1, u'ramaker': 1, u'nagako': 1, u'rena': 1, u'ema': 1, u'albert321': 1, u'bad': 1, u'rudiger': 1, u'cybil': 1, u'racine': 1, u'david\\tdavid': 1, u'querbach': 1, u'nameuser': 1, u'fluffy': 1, u'inapp': 1, u'daemondaemon': 1, u'jimroid': 1, u'nalder': 1, u'rf': 1, u'delores': 1, u'quyen': 1, u'imissu': 1, u'nadler': 1, u'ron123': 1, u'manuelle': 1, u'clamaw': 1, u'alina321': 1, u'666666': 1, u'dearletta': 1, u'fluffy321': 1, u'vivian321': 1, u'xchat': 1, u'operador': 1, u'tini': 1, u'cod': 1, u'elinor': 1, u'bran': 1, u'quinz': 1, u'quint': 1, u'quini': 1, u'nako': 1, u'quinn': 1, u'carol123': 1, u'racho': 1, u'nahrgang': 1, u'billina': 1, u'nadiya': 1, u'dustine': 1, u'fri': 1, u'dustina': 1, u'tiny': 1, u'beer': 1, u'andrew123': 1, u'rossy123': 1, u'rabendar': 1, u'anamaria': 1, u'masters': 1, u'dava': 1, u'22222222': 1, u'garcia': 1, u'rebeca': 1, u'gnu': 1, u'qvist': 1, u'naginder': 1, u'eric321': 1, u'test10': 1, u'devra': 1, u'della': 1, u'ip': 1, u'0000000': 1, u'player': 1, u'quarrie': 1, u'PlcmSpIp': 1, u'pics': 1, u'najarro': 1, u'quenneville': 1, u'eric123': 1, u'powers': 1, u'apollo': 1, u'quirk': 1, u'quann': 1, u'lqs': 1, u'roland': 1, u'mensajes': 1, u'electro': 1, u'espanha': 1, u'drweb': 1, u'horus': 1, u'admadm': 1, u'elle': 1, u'testx1': 1, u'raade': 1, u'naline': 1, u'carola321': 1, u'roma': 1, u'itsenter': 1, u'webadmin123': 1, u'fernandino': 1, u'rootkloots': 1, u'rademaker': 1, u'nagaratnam': 1, u'kaly': 1, u'novos': 1, u'jhengyu': 1, u'eli': 1, u'martin321': 1, u'magomago': 1, u'ela': 1, u'shutdownshutdown': 1, u'discret': 1, u'pasword': 1, u'office1': 1, u'nagasawa': 1, u'rackow': 1, u'siegfried': 1, u'nalini': 1, u'naldrett': 1, u'denisa': 1, u'dreama': 1, u'skhs': 1, u'upload321': 1, u'advanced': 1, u'postmaster321': 1, u'desire': 1, u'linux10': 1, u'guestuser': 1, u'security': 1, u'nakhoul': 1, u'devorah': 1, u'escape': 1, u'naidoo': 1, u'nakahara': 1, u'creative': 1, u'nakura': 1, u'chipei': 1, u'cori': 1, u'corp': 1, u'peer': 1, u'cory': 1, u'vanessa321': 1, u'theo123': 1, u'postgresql': 1, u'cindy123': 1, u'army': 1, u'7777777': 1, u'nafezi': 1, u'dotty': 1, u'corrine': 1, u'jiyeon': 1, u'almacen': 1, u'italtel': 1, u'diala': 1, u'amundo': 1, u'america': 1, u'tennis': 1, u'nova': 1, u'00000000': 1, u'chenyu': 1, u'schimitt': 1, u'danica': 1, u'jana': 1, u'jy': 1, u'elenor': 1, u'paypal': 1, u'ford': 1, u'radojicic': 1, u'project1': 1, u'000000': 1, u'vivi': 1, u'inside': 1, u'rabipour': 1, u'anthony321': 1, u'pgomes': 1, u'linux2': 1, u'linux3': 1, u'linux4': 1, u'vova': 1, u'linux6': 1, u'linux7': 1, u'linux9': 1, u'queppet': 1, u'nakamori': 1, u'drive': 1, u'raaen': 1, u'publico': 1, u'virtuoso123': 1, u'helga': 1, u'fille': 1, u'najm': 1, u'naji': 1, u'sjnystro': 1, u'quiroga': 1, u'humberto': 1, u'webuser': 1, u'kvl': 1, u'center': 1, u'update': 1, u'erian': 1, u'loveme': 1, u'nagarajan': 1, u'gabi123': 1, u'nahoko': 1, u'time': 1, u'belabela': 1, u'iuliana': 1, u'timo': 1, u'nagendra': 1, u'coach': 1, u'klint': 1, u'raastad': 1, u'venice': 1, u'karyn': 1, u'WinD3str0y': 1, u'quast': 1, u'gigi': 1, u'quilty': 1, u'raaflaub': 1, u'raabe': 1, u'scriptscript': 1, u'baggio': 1, u'collaudo': 1, u'3333': 1, u'yanru': 1, u'54321': 1, u'trouble': 1, u'deirdre': 1, u'steven123': 1, u'level': 1, u'nagel': 1, u'dia': 1, u'nakrem': 1, u'radiyah': 1, u'victor321': 1, u'quick': 1, u'racheal': 1, u'radley': 1, u'quero': 1, u'quincey': 1, u'horror': 1, u'system321': 1, u'crescent': 1, u'paul321': 1, u'tmp1': 1, u'sappho': 1, u'root1234': 1, u'thomas123': 1, u'mailnull123': 1, u'archive2': 1, u'nakamura': 1, u'minigee': 1, u'nagamori': 1, u'quoibion': 1, u'sanant61': 1, u'martin123': 1, u'davina': 1, u'pechantal': 1, u'virtuoso321': 1, u'dulcie': 1, u'wwang': 1, u'radjendra': 1, u'dorie': 1, u'doria': 1, u'brett321': 1, u'queue': 1, u'trial': 1, u'rabaglia': 1, u'raddie': 1, u'dorit': 1, u'stims1': 1, u'raanan': 1, u'luda': 1, u'adi123': 1, u'edi': 1, u'naismith': 1, u'nico': 1, u'quattrucci': 1, u'fbi': 1, u'parking': 1, u'market': 1, u'ariel': 1, u'anda': 1, u'nageswaran': 1, u'carmen123': 1, u'lqsym': 1, u'querton': 1, u'today': 1, u'athena': 1, u'andy123': 1, u'nagarur': 1, u'nagashima': 1, u'tanaka123': 1, u'anonftproot': 1, u'radom': 1, u'flo': 1, u'ulf': 1, u'najafi': 1, u'edna': 1, u'carlos123': 1, u'thomas321': 1, u'ironmaiden': 1, u'alecs': 1, u'edouard': 1, u'quizmaster': 1, u'naftzger': 1, u'radames': 1, u'zxcvbn': 1, u'alina123': 1, u'ght': 1, u'deva': 1, u'natural': 1, u'dagmara': 1, u'naftel': 1, u'kenvelo': 1, u'nade': 1, u'michel': 1, u'takayama': 1, u'cute': 1, u'globe': 1, u'ludacris': 1, u'webpage': 1, u'rabbi': 1, u'hippy': 1, u'quatman': 1, u'elain': 1, u'usua0011': 1, u'quoc': 1, u'rh': 1, u'sascha': 1, u'modesto123': 1, u'naggum': 1, u'sergio': 1, u'nalin': 1, u'mrblobby': 1, u'anson': 1, u'stevew': 1, u'cyrah': 1, u'larry321': 1, u'nadra': 1, u'edit': 1, u'wengrace': 1, u'suva321': 1, u'sergiu': 1, u'nadja': 1, u'kirro': 1, u'deandra': 1, u'raddy': 1, u'nina123': 1, u'deneen': 1, u'gary123': 1, u'nagammal': 1, u'quigley': 1, u'suzanne': 1, u'lai': 1, u'quesnel': 1, u'medicine': 1, u'd\\351sir\\351e': 1, u'najeeb': 1, u'eagle': 1, u'nakashian': 1, u'quita': 1, u'school123': 1, u'quark': 1, u'marina': 1, u'benahmed321': 1, u'lisah': 1, u'anne-marie': 1, u'testroot': 1, u'quemada': 1, u'british': 1, u'nakai': 1, u'vmlinuz': 1, u'quipu': 1, u'naevdal': 1, u'11111111': 1, u'rached': 1, u'dalena': 1, u'ident123': 1, u'tobias': 1, u'montreal': 1, u'fast': 1, u'dalva': 1, u'silent': 1, u'user10': 1, u'danny123': 1, u'cactiuser': 1, u'rabinovici': 1, u'rabinovich': 1, u'naegele': 1, u'quiskamp': 1, u'pizda': 1, u'88888888': 1, u'quat': 1, u'moscow': 1, u'mythtvmythtv': 1, u'nairnstruther': 1, u'nadimi': 1, u'ventura': 1, u'duscha': 1, u'russia': 1, u'stivenr2': 1, u'nagasaka': 1, u'rene': 1, u'donnica': 1, u'radelet': 1, u'dysis': 1, u'anges': 1, u'naem': 1, u'sales321': 1, u'test1test1': 1, u'gustavo': 1, u'quinney': 1, u'corissa': 1, u'cent': 1, u'phillips': 1, u'jefferson': 1, u'crysilla': 1, u'nalani': 1, u'jorge': 1, u'rade': 1, u'racicot': 1, u'beto': 1, u'jacob321': 1, u'nagawada': 1, u'dream': 1, u'ancd': 1, u'paredes321': 1, u'nadene': 1, u'corrin': 1, u'cybill': 1, u'neto': 1, u'shot': 1, u'andy321': 1, u'pecas': 1, u'xbitchx': 1, u'fifty': 1, u'elan': 1, u'daemon123': 1, u'cloudypei': 1, u'nakata': 1, u'naganuma': 1, u'nale': 1, u'smaillcisum': 1, u'nali': 1, u'delphinia': 1, u'nadig': 1, u'nalammal': 1, u'nadim': 1, u'reset': 1, u'raaum': 1, u'mailscanner': 1, u'naeming': 1, u'edward123': 1, u'nakae': 1, u'sqlmy': 1, u'dianna': 1, u'qw1er2ty3': 1, u'dianne': 1, u'naker': 1, u'demetria': 1, u'richard321': 1, u'modesto': 1, u'rabins': 1, u'vision': 1, u'skipe': 1, u'beethoven': 1, u'motono': 1, u'contab': 1, u'goblin': 1, u'danae': 1, u'nagys': 1, u'calendar': 1, u'puma': 1, u'rada': 1, u'radl': 1, u'leandro': 1, u'nakeema': 1, u'nagpal': 1, u'nahas': 1, u'nadolny': 1, u'dottie': 1, u'smallcisum': 1, u'jf': 1, u'jb': 1, u'brett123': 1, u'javier': 1, u'daria': 1, u'monk': 1, u'999999': 1, u'mana': 1, u'gregorian': 1, u'cyndy': 1, u'mails': 1, u'nahum': 1, u'pos': 1, u'pol': 1, u'nadean': 1, u'rabasse': 1, u'rabiasz': 1, u'iscan': 1, u'mare': 1, u'mara': 1, u'lorena123': 1, u'tiatia': 1, u'tech123': 1, u'mars': 1, u'script123': 1, u'andres': 1, u'rachid': 1, u'nakagiri': 1, u'astro': 1, u'eugen123': 1, u'cash': 1, u'career': 1, u'nagelalne': 1, u'elouise': 1, u'user02': 1, u'user01': 1, u'naess': 1, u'mrtg123': 1, u'william321': 1, u'archivo': 1, u'telephone': 1, u'radcliff': 1, u'unit': 1, u'recepcao': 1, u'tia123': 1, u'complainst': 1, u'par': 1, u'techtech123': 1, u'qwepoi': 1, u'gary321': 1, u'check': 1, u'dayna': 1, u'document': 1, u'1234568': 1, u'status': 1, u'aron321': 1, u'deidra': 1, u'ardei': 1, u'ness': 1, u'director': 1, u'cafea': 1, u'quee': 1, u'dan123': 1, u'nicole321': 1, u'william123': 1, u'cce': 1, u'aron123': 1, u'nah': 1, u'peace': 1, u'newsnews': 1, u'hades': 1, u'windywang': 1, u'tigerclaw': 1, u'racordon': 1, u'rosa': 1, u'pwla': 1, u'xbox': 1, u'dennae': 1, u'real': 1, u'nakano': 1, u'lukasz': 1, u'around': 1, u'cortney': 1, u'read': 1, u'cf': 1, u'nadeau': 1, u'grig': 1, u'dara': 1, u'crystle': 1, u'quartarolo': 1, u'intel': 1, u'nakahigashi': 1, u'rachael': 1, u'cam': 1, u'claw': 1, u'cisco': 1, u'delfina': 1, u'server123': 1, u'dionne': 1, u'root123': 1, u'margie': 1, u'kmc': 1, u'stims\\tstims': 1, u'toto': 1, u'sandra321': 1, u'cv': 1, u'juan123': 1, u'cynda': 1, u'larry123': 1, u'francois': 1, u'naily': 1, u'amazon123': 1, u'mervin': 1, u'naile': 1, u'username321': 1, u'ryan123': 1, u'tia321': 1, u'nagase': 1, u'atheens': 1, u'rossy': 1, u'wayne\\twayne': 1, u'iulia': 1, u'denae': 1, u'rabess': 1, u'r00t123': 1, u'nagayama': 1, u'bianca321': 1, u'dannica': 1, u'darknes': 1, u'dayana': 1, u'quinlan': 1, u'fish': 1, u'adam321': 1, u'quata': 1, u'delilah': 1, u'cynnamon': 1, u'quate': 1, u'nadereh': 1, u'debarrah': 1, u'metalib': 1, u'nalewak': 1, u'skylyn': 1, u'pula': 1, u'initrd': 1, u'nakazato': 1, u'juan321': 1, u'66666666': 1, u'nadya': 1, u'deep': 1, u'joseleno': 1, u'lichee': 1, u'babyboy': 1, u'nadeen': 1, u'daile': 1, u'dyani': 1, u'field': 1, u'nageshwar': 1, u'888888': 1, u'5555555': 1, u'effie': 1, u'desirae': 1, u'123root123': 1, u'drift': 1, u'dorisa': 1, u'dasha': 1, u'pool': 1, u'questell': 1, u'jane123': 1, u'administracion': 1, u'nakashima': 1, u'quiring': 1, u'scorpion': 1, u'corey': 1, u'edwina': 1, u'barone': 1, u'ale': 1, u'concept': 1, u'bryan123': 1, u'rachana': 1, u'ftpdata': 1, u'pdvf': 1, u'daniella': 1, u'danielle': 1, u'deka': 1, u'alberto': 1, u'praca': 1, u'donette': 1, u'queja': 1, u'uwe': 1, u'ro': 1, u'abies': 1, u'quyhn': 1, u'invitado': 1, u'nakayasu': 1, u'nahlen': 1, u'skin': 1, u'nalem': 1, u'naimi': 1, u'naima': 1, u'hawl': 1, u'gm': 1, u'aliang': 1, u'najib': 1, u'clock': 1, u'sun': 1, u'skywalker': 1, u'cosette': 1, u'edena': 1, u'riche': 1, u'upload123': 1, u'nakada': 1, u'damika': 1, u'rabold': 1, u'quelch': 1, u'putty': 1, u'dalila': 1, u'jornaloeste': 1, u'nahorniak': 1, u'nahata': 1, u'quenin': 1, u'racape': 1, u'henk': 1, u'pcesar': 1, u'radoslav': 1, u'smchoi': 1, u'fr': 1, u'miro': 1, u'eugen321': 1, u'rabon': 1, u'nalebuff': 1, u'terror': 1, u'dior': 1, u'hyperic': 1, u'radloff': 1, u'delphia': 1, u'queenie': 1, u'simon321': 1, u'naimpally': 1, u'archive3': 1, u'archive1': 1, u'dee': 1, u'quintus': 1, u'tyler\\ttyler': 1, u'ponto': 1, u'dorita': 1, u'buia': 1, u'nadine': 1, u'cyndie': 1, u'robinson': 1, u'hech': 1, u'frank321': 1, u'delanea': 1, u'vanessa123': 1, u'mexschool': 1, u'oficina': 1, u'fu': 1, u'sabina': 1, u'rudi': 1, u'racette': 1, u'adrian321': 1, u'buya': 1, u'aleb': 1, u'elspeth': 1, u'pay': 1, u'iuly': 1, u'photoshop': 1, u'burn': 1, u'lojas': 1, u'quevedo': 1, u'enemser': 1, u'nahbi': 1, u'danell': 1, u'hylafax': 1, u'beyonce': 1, u'ftptest': 1, u'nicole123': 1, u'rabzel': 1, u'www123': 1, u'dolly': 1, u'delice': 1, u'elian': 1, u'ronald123': 1, u'ocean\\tocean': 1, u'2222': 1, u'naguib': 1, u'canada': 1, u'nakamaru': 1, u'elenora': 1, u'tkallas': 1, u'david123': 1, u'cead': 1, u'denna': 1, u'corina': 1, u'77777777': 1, u'lippy': 1, u'allmighty': 1, u'monky': 1, u'racz': 1, u'ftplinux': 1, u'police': 1, u'333333': 1, u'bluez': 1, u'yoshida': 1, u'radobenko': 1, u'helena123': 1, u'desiderio': 1, u'webadmin321': 1, u'damien': 1, u'mago': 1, u'vcsa123': 1, u'nagata': 1, u'paradisse': 1, u'bash': 1, u'naina': 1, u'bill123': 1, u'paul123': 1, u'w': 1, u'555555': 1, u'donq': 1, u'dina': 1, u'diavola': 1, u'rooter': 1, u'pablo': 1, u'ichael': 1, u'guard': 1, u'stage': 1, u'magician': 1, u'edina': 1, u'darrion': 1, u'script': 1, u'deanne': 1, u'edda': 1, u'deanna': 1, u'naini': 1, u'paint': 1, u'weblogic': 1, u'99999999': 1, u'mama': 1, u'dacey': 1, u'vasile': 1, u'adonis': 1, u'tivo': 1, u'part': 1, u'zeppelin': 1, u'word': 1, u'ART': 1, u'b': 1, u'hp123': 1, u'ellyn': 1, u'pdvbambui': 1, u'genesis': 1, u'edwana': 1, u'dani': 1, u'ellena': 1, u'listen': 1, u'raby': 1, u'gianluca': 1, u'ben321': 1, u'spress': 1, u'nafziger': 1, u'null': 1, u'puxiaolong': 1, u'theodor': 1, u'lia': 1, u'nighty': 1, u'umbra': 1, u'miau': 1, u'maison': 1, u'rabu': 1, u'racing': 1, u'zeus': 1, u'copie': 1, u'me': 1, u'wwwweb': 1, u'ne': 1, u'ellouise': 1, u'ofni': 1, u'raak': 1, u'deana': 1, u'raan': 1, u'gaby': 1, u'raab': 1, u'deann': 1, u'raad': 1, u'raaf': 1, u'2222222': 1, u'kalya': 1, u'gabi': 1, u'rabeca': 1, u'nagomi': 1, u'rachal': 1, u'taller': 1, u'nadal': 1, u'sorin': 1, u'queb': 1, u'quek': 1, u'nagakusa': 1, u'quen': 1, u'cesar123': 1, u'seller': 1, u'44444444': 1, u'hotmail': 1, u'publicity': 1, u'camilio': 1, u'nakazawa': 1, u'reading': 1, u'tomcat123': 1, u'emails': 1, u'boavista': 1, u'admin02': 1, u'ellora': 1, u'bryan321': 1, u'quintard': 1, u'kill': 1, u'root123456': 1, u'nakatsukasa': 1, u'art': 1, u'rachele': 1, u'alina': 1, u'doireann': 1, u'devorit': 1, u'jeffy': 1, u'nakken': 1, u'nagarethnam': 1, u'seanpaul': 1, u'quintana': 1, u'ritt': 1, u'qvale': 1, u'rachida': 1, u'asoto': 1, u'minigeee': 1, u'jasmin': 1, u'aurelia': 1, u'nakagawa': 1, u'raczko': 1, u'ben123': 1, u'quevy': 1, u'nagenthiram': 1, u'luiz': 1, u'matt321': 1, u'nakagome': 1, u'pedro': 1, u'edythe': 1, u'eliora': 1, u'protector': 1, u'trocasenha': 1, u'delila': 1, u'alexandru': 1, u'darlene': 1, u'jairo': 1, u'quraisha': 1, u'cpanelcpanel': 1, u'nader': 1, u'pqsql': 1, u'quirina': 1, u'creata': 1, u'naiman': 1, u'xam': 1, u'nafsiah': 1, u'mp3mp3': 1, u'quintey': 1, u'fire': 1, u'extsup': 1, u'simon123': 1, u'arcadia': 1, u'bitchx': 1, u'eleonor': 1, u'rosu': 1, u'racanelli': 1, u'satelit': 1, u'rachafi123': 1, u'skype': 1, u'mathew': 1, u'rabi': 1, u'dibalo': 1, u'carlos321': 1, u'rishi': 1, u'nakad': 1, u'adminroot': 1, u'nagesh': 1, u'century': 1, u'quist': 1, u'queyrel': 1, u'almacen123': 1, u'rachafi321': 1, u'eliana': 1, u'eliane': 1, u'fedora': 1, u'francaise': 1, u'rachmeler': 1, u'vendas': 1, u'sorinel': 1, u'nahrendorf': 1, u'33333': 1, u'mysql123': 1, u'moment': 1, u'rabie': 1, u'yuan': 1, u'rabin': 1, u'123root321': 1, u'lamerek': 1, u'nafisah': 1, u'campdoug': 1, u'corinna': 1, u'crispin': 1, u'earlene': 1, u'leone': 1, u'salva': 1, u'spamassassin': 1, u'jayz': 1, u'quinlisk': 1, u'rabenstein': 1, u'project4': 1, u'paco': 1, u'project3': 1, u'project2': 1, u'globin': 1, u'melinda': 1, u'yoshida123': 1, u'testest': 1, u'fcobid20': 1, u'butoi': 1, u'jerom': 1, u'game123': 1, u'marck': 1, u'landscape': 1, u'quy': 1, u'armany': 1, u'nadezhda': 1, u'game': 1, u'gama': 1, u'bash321': 1, u'syntax': 1, u'webmail': 1, u'nakanishi': 1, u'd': 1, u'nakatsu': 1, u'steven321': 1, u'kenneth': 1, u'mexi': 1, u'rootest': 1, u'marias': 1, u'iuli': 1, u'user9': 1, u'fionahsu': 1, u'queromes': 1, u'rabolli': 1, u'petitto': 1, u'quatier': 1, u'lars': 1, u'debra': 1, u'danya': 1, u'xfs123': 1, u's11': 1, u'22222': 1, u'jeeto': 1, u'usd': 1, u'nahmias': 1, u'quercia': 1, u'raider': 1, u'albert123': 1, u'rabinowitz': 1, u'nsuser': 1, u'sua': 1, u'johny': 1, u'rachelle': 1, u'kat': 1, u'elvira': 1, u'tads': 1, u'damita': 1, u'pdvpr': 1, u'geta': 1, u'elke': 1, u'direccion': 1, u'andrew321': 1, u'corie': 1, u'andy': 1, u'ricky321': 1, u'server1': 1, u'viena': 1, u'maxmax': 1, u'simbol': 1, u'lina': 1, u'paolo': 1, u'stephen123': 1, u'nadarajan': 1, u'clamav321': 1, u'administrador': 1, u'politia': 1, u'delyssa': 1, u'politie': 1, u'alumno': 1, u'user6': 1, u'user7': 1, u'v': 1, u'chad': 1, u'rabecs': 1, u'naissance': 1, u'user8': 1, u'raae': 1, u'bash123': 1, u'elayna': 1, u'elda': 1, u'elayne': 1, u'caracas': 1, u'nad': 1, u'nae': 1, u'nak': 1, u'nai': 1, u'grzegorzg': 1, u'username123': 1, u'codec': 1, u'nagle': 1, u'damenna': 1, u'accept': 1, u'nice': 1, u'dale': 1, u'clamav123': 1, u'papa': 1, u'pgsql123': 1, u'pysco123': 1, u'bela123': 1, u'e': 1, u'beaulaptic': 1, u'edo': 1, u'kati': 1, u'peggy\\tpeggy': 1, u'luxembourg': 1, u'queiroz': 1, u'hydesun': 1, u'trixbox1': 1, u'lindner': 1, u'eloise': 1, u'dandan': 1, u'tpcjul': 1, u'nagara': 1, u'annmarie': 1, u'quayle': 1, u'nacionales': 1, u'nairi': 1, u'nairn': 1, u'eldora': 1, u'rack': 1, u'rach': 1, u'dagmar': 1, u'bestrella': 1, u'paulinha': 1, u'camilo': 1, u'quintilla': 1, u'radon': 1, u'carlo': 1, u'www-ssl': 1, u'multimedia': 1, u'quillan': 1, u'ginny': 1, u'oksan': 1, u'rabarisoanaivo': 1, u'cindy321': 1, u'norris': 1, u'corin': 1, u'nakagaki': 1, u'garcon': 1, u'olivier': 1, u'maker': 1, u'linux5': 1, u'4444444': 1, u'paradise': 1, u'comsat': 1, u'sgm': 1, u'denice': 1, u'andreas': 1, u'postmaster123': 1, u'naggiar': 1, u'sevilla': 1, u'baba': 1, u'payne': 1, u'liyiduo': 1, u'francais': 1, u'babty': 1, u'sori': 1, u'devona': 1, u'f': 1, u'erwin': 1, u'naric': 1, u'root321': 1, u'radcliffe': 1, u'slib': 1, u'rabadi': 1, u'james123': 1, u'nahomi': 1, u'quenzer': 1, u'querida': 1, u'querido': 1, u'soccer': 1, u'ccardenas': 1, u'uchat': 1, u'naharudin': 1, u'takayama123': 1, u'ellema': 1, u'frag': 1, u'dulce': 1, u'express': 1, u'crina': 1, u'zandrawi': 1, u'nagoor': 1, u'blackhat': 1, u'warez': 1, u'quisling': 1, u'elspet': 1, u'gabi321': 1, u'derica': 1, u'fary': 1, u'linjian': 1, u'catty': 1, u'emanuel': 1, u'amazon321': 1, u'furious': 1, u'dafny': 1, u'british123': 1, u'kelly321': 1, u'guest10': 1, u'demmo': 1, u'rolf': 1, u'pa$$w0rd': 1, u'nakakubo': 1, u'Trash-0': 1, u'bobyn': 1, u'linux8': 1, u'rabe': 1, u'nakayama': 1, u'nakamoto': 1, u'najera': 1, u'nadi': 1, u'frank123': 1, u'nokia': 1, u'dai': 1, u'9999999': 1, u'nadrau': 1, u'nady': 1, u'souza': 1, u'raddatz': 1, u'najma': 1, u'uucpuucp': 1, u'victor123': 1, u'carlo123': 1, u'bluetulippon': 1, u'edie': 1, u'quixote': 1, u'dixie': 1, u'nagi': 1, u'dorcy': 1, u'gary': 1, u'frequency': 1, u'quiescent': 1, u'dorci': 1, u'nafeesah': 1, u'house': 1, u'supporte': 1, u'dania': 1, u'naeem': 1, u'adminweb': 1, u'benahmed123': 1, u'deposito': 1, u'danii': 1, u'rabinovitz': 1, u'que': 1, u'x': 1, u'qui': 1, u'matrita': 1, u'aaa': 1, u'raber': 1, u'max321': 1, u'kiss': 1, u'quickert': 1, u'nafsika': 1, u'mp3123': 1, u'444444': 1, u'davis': 1, u'raben': 1, u'stuck': 1, u'cristian': 1, u'exam': 1, u'elyse': 1, u'quivy': 1, u'rabatich': 1, u'aurelio': 1, u'quiclet': 1, u'radec': 1, u'rabilloud': 1, u'radek': 1, u'kateroselmau': 1, u'radecki': 1, u'stephen321': 1, u'ahile': 1, u'boobs': 1, u'nitro': 1, u'academy': 1, u'school21': 1, u'mysqladmin': 1, u'elita': 1, u'alias123': 1, u'elite': 1, u'udo': 1, u'nakina': 1, u'newuser': 1, u'lion': 1, u'bed': 1, u'777777': 1, u'jackjack': 1, u'qweasd': 1, u'yoshida321': 1, u'francum': 1, u'daliah': 1, u'estrelita': 1, u'souzasite': 1, u'nakhla': 1, u'nahid': 1, u'hippie': 1, u'st': 1, u'sel': 1, u'qazxsw': 1, u'ricky123': 1, u'dodie': 1, u'homebox': 1, u'querenet': 1, u'321': 1, u'Horizon': 1, u'deena': 1, u'iacob': 1, u'volume': 1, u'nicholson': 1, u'yssor': 1, u'suga': 1, u'dena': 1, u'dausy': 1, u'francisc': 1, u'elie': 1, u'admin12345': 1, u'hisato': 1, u'remus': 1, u'luiza': 1, u'nagy': 1, u'mue': 1, u'ha': 1, u'elfa': 1, u'thorsten': 1, u'bianca123': 1, u'cristelle': 1, u'abba': 1, u'joint': 1, u'diandra': 1, u'wnpn': 1, u'abby': 1, u'michael123': 1, u'evolution': 1, u'sara123': 1, u'qw': 1, u'qv': 1, u'qz': 1, u'lala': 1, u'nagaraj': 1, u'pirate': 1, u'default': 1, u'queries': 1, u'vis': 1, u'quintenz': 1, u'marcela': 1, u'webdesign': 1, u'warezz': 1, u'sqlpostgres': 1, u'55555555': 1, u'covad': 1, u'root12345': 1, u'fluffy123': 1, u'eleonara': 1, u'king123': 1, u'naito': 1, u'joc': 1, u'naftaly': 1, u'kalia': 1, u'boss': 1, u'bela321': 1, u'swen': 1, u'00000': 1, u'alin123': 1, u'najdzin': 1, u'aqua': 1, u'3333333': 1, u'quijano': 1, u'gamegame': 1, u'eto': 1, u'quintina': 1, u'ch': 1, u'itcenter': 1, u'carola123': 1, u'quilico': 1, u'cs': 1, u'rossyrossy': 1, u'deniz': 1, u'home3': 1, u'powered': 1, u'quent': 1, u'rabitoy': 1, u'MOTOS': 1, u'james321': 1, u'benhall': 1, u'skjhs': 1, u'quartararo': 1, u'tst': 1, u'cypher': 1, u'fotos': 1, u'foryou': 1, u'pdv': 1, u'jenni': 1, u'xlon': 1, u'nero': 1, u'helper': 1, u'qpwoeiru': 1, u'quirarte': 1, u'demi': 1, u'vp': 1, u'radke': 1, u'acer': 1, u'6666666': 1, u'mailnull321': 1, u'nakatsuka': 1, u'benahmed': 1, u'digital': 1, u'devora': 1, u'nada': 1, u'wulei': 1, u'quynh': 1, u'logic': 1, u'romeo': 1, u'beast': 1, u'danette': 1, u'suzi': 1, u'daniel321': 1, u'paredes': 1, u'nadz': 1, u'dinah': 1, u'tyni': 1, u'snmp': 1, u'tyny': 1, u'modesto321': 1, u'nagapp': 1, u'cristy': 1, u'virtual': 1, u'roza': 1, u'diedre': 1, u'nadav': 1, u'rossy321': 1, u'webapps': 1, u'nagloo': 1, u'jars': 1, u'bela': 1, u'kali': 1, u'flood': 1, u'techtech': 1, u'bettina': 1, u'desi': 1, u'coreen': 1, u'quinhon': 1, u'thebeast': 1, u'name': 1, u'nagell': 1, u'rabben': 1, u'najmi': 1, u'payments': 1, u'milma': 1, u'georgel': 1, u'conrad': 1, u'dragostea': 1, u'pessoal': 1, u'cyanne': 1, u'leon123': 1, u'nahriah': 1, u'radominski': 1, u'nagao': 1, u'nagai': 1, u'home': 1, u'daron': 1, u'jacob123': 1, u'radosky': 1, u'est': 1, u'nadon': 1, u'denali': 1, u'rabjohn': 1, u'richard123': 1, u'sarasara': 1, u'kevin321': 1, u'raisa': 1, u'max123': 1, u'dcc': 1, u'christopher\\tchristopher': 1, u'ashiou': 1, u'b1ablo': 1, u'world': 1, u'quintos': 1, u'nadaud': 1, u'concept123': 1, u'daniel123': 1, u'qureshi': 1, u'damica': 1, u'system123': 1, u'quintin': 1, u'sistem': 1, u'dorean': 1, u'dores': 1, u'daviana': 1, u'dulcea': 1, u'bthadm': 1, u'mikey': 1, u'suva123': 1, u'topaz': 1, u'rcp': 1, u'rabah': 1, u'radaza': 1, u'plcmspip': 1, u'var': 1, u'liduvalis': 1, u'elata': 1, u'ghost': 1, u'buy': 1, u'josephine': 1, u'nadel': 1, u'1test': 1, u'1111111': 1, u'davida': 1, u'quarterman': 1, u'bug': 1, u'bestrella123': 1, u'natalia': 1, u'rachafi': 1, u'po': 1, u'patrick123': 1, u'quinonez': 1, u'quenot': 1, u'quinones': 1, u'display': 1, u'liudongfeng': 1, u'cordell': 1, u'emanuelle': 1, u'nadege': 1, u'nagano': 1, u'universal': 1, u'html': 1, u'iverson': 1, u'pix': 1, u'tsaihsiuming': 1, u'0000': 1, u'raanaas': 1, u'whiteangel': 1, u'antena': 1, u'bashbash': 1, u'nadir': 1, u'dyanne': 1, u'quartz': 1, u'takayama321': 1, u'messagebus': 1, u'whois': 1, u'radko': 1, u'friends': 1, u'debian': 1, u'phpl': 1, u'shutdown123': 1, u'samsung': 1, u'matriz': 1, u'elaina': 1, u'rauleli': 1, u'elsie': 1, u'philipe': 1, u'simpson': 1})
In [321]:
counts = Counter(names).most_common(10)
counts
Out[321]:
[(u'admin', 447),
 (u'test', 282),
 (u'administrator', 155),
 (u'123456', 154),
 (u'12345', 137),
 (u'123', 133),
 (u'user', 132),
 (u'qwerty', 124),
 (u'oracle', 124),
 (u'1234', 117)]

What where the most common failed account names?

In [322]:
index = []
data = []
for k,v in counts:
    index.append(k)
    data.append(v)
ts = pd.TimeSeries(data, index)
figure(num=None, figsize=(9, 8), dpi=80, facecolor='w', edgecolor='k')
ts.plot(kind="barh")
Out[322]:
<matplotlib.axes.AxesSubplot at 0x106df55d0>
In [323]:
#ts[-1].plot(kind='barh', figsize=(9,8))
least = Counter(names).most_common()[-10:]
index = []
data = []
for k,v in least:
    index.append(k)
    data.append(v)
ts = pd.TimeSeries(data, index)
figure(num=None, figsize=(9, 9), dpi=80, facecolor='w', edgecolor='k')
ts.plot(kind="barh")
Out[323]:
<matplotlib.axes.AxesSubplot at 0x1068caad0>

What ip address is creating the most failed logins?

In [324]:
Counter(addys)
Out[324]:
Counter({u'219.150.161.20': 7574, u'8.12.45.242': 2842, u'222.66.204.246': 1063, u'124.207.117.9': 522, u'222.169.224.197': 457, u'217.15.55.133': 382, u'211.154.254.248': 345, u'65.208.122.48': 300, u'122.226.202.12': 185, u'124.51.108.68': 154, u'210.68.70.170': 135, u'24.192.113.91': 135, u'173.9.147.165': 96, u'125.235.4.130': 85, u'116.6.19.70': 60, u'201.64.234.2': 48, u'114.80.166.219': 23, u'61.168.227.12': 20, u'58.17.30.49': 17, u'59.46.39.148': 9, u'121.11.66.70': 6, u'218.56.61.114': 6, u'122.165.9.200': 5, u'24.94.90.96': 3, u'83.216.63.124': 2, u'220.170.79.247': 2, u'203.81.226.86': 1, u'190.166.87.164': 1})
In [325]:
counts = Counter(addys)
index = []
data = []
for k,v in counts.iteritems():
    index.append(k)
    data.append(v)
ts = pd.TimeSeries(data, index)
figure(num=None, figsize=(9, 9), dpi=80, facecolor='w', edgecolor='k')
ts.plot(kind="barh")
Out[325]:
<matplotlib.axes.AxesSubplot at 0x10a0c6d10>

What are the ip addresses that login attempts where made to an invalid user?

In [326]:
hh=[]
for line in invalids:
    hh.append(line.split("from ")[1])
counts = Counter(hh)
index = []
data = []
for k,v in counts.iteritems():
    index.append(k)
    data.append(v)
ts = pd.TimeSeries(data, index)
In [327]:
figure(num=None, figsize=(9, 9), dpi=80, facecolor='w', edgecolor='k')
ts.plot(kind="barh")
Out[327]:
<matplotlib.axes.AxesSubplot at 0x1068c7110>
In [328]:
for k,v in zip(index, data):
    if k in overview_collection:
        values = overview_collection[k]
        if "failed_logins_invalid_user_list" not in values:
            overview_collection[k].append(("failed_logins_invalid_user_list",v))

overview_collection['219.150.161.20']
Out[328]:
[('sucessful_logins_ip_address_list', 4),
 ('failed_logins_ip_address_list', 1560),
 ('failed_logins_invalid_user_list', 7574)]

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@

Suspicious IP address please investigate

In [358]:
suspicious_ip = {}

for k in overview_collection.keys():
    if len(overview_collection[k]) == 3:
        suspicious_ip[k] = overview_collection[k]
        print "Suspicious IP address: ", k
        print "****************************************"
        for values in overview_collection[k]:
            for details in values:
                print details
        print
        print
Suspicious IP address:  121.11.66.70
****************************************
sucessful_logins_ip_address_list
2
failed_logins_ip_address_list
1429
failed_logins_invalid_user_list
6


Suspicious IP address:  61.168.227.12
****************************************
sucessful_logins_ip_address_list
1
failed_logins_ip_address_list
193
failed_logins_invalid_user_list
20


Suspicious IP address:  122.226.202.12
****************************************
sucessful_logins_ip_address_list
2
failed_logins_ip_address_list
313
failed_logins_invalid_user_list
185


Suspicious IP address:  222.169.224.197
****************************************
sucessful_logins_ip_address_list
1
failed_logins_ip_address_list
179
failed_logins_invalid_user_list
457


Suspicious IP address:  222.66.204.246
****************************************
sucessful_logins_ip_address_list
1
failed_logins_ip_address_list
508
failed_logins_invalid_user_list
1063


Suspicious IP address:  219.150.161.20
****************************************
sucessful_logins_ip_address_list
4
failed_logins_ip_address_list
1560
failed_logins_invalid_user_list
7574


In [385]:
#suspect_test = overview_collection['58.17.30.49']
suspicious_ip.keys()
Out[385]:
[u'122.226.202.12',
 u'61.168.227.12',
 u'222.66.204.246',
 u'222.169.224.197',
 u'219.150.161.20',
 u'121.11.66.70']
In [396]:
success_score = []
failed_score = []
invalid_score = []
for line in suspicious_ip.iteritems():
    success_score.append(line[1][0][1])
    failed_score.append(line[1][1][1])
    invalid_score.append(line[1][2][1])
In [420]:
#!/usr/bin/env python
# a bar plot with errorbars
import numpy as np
import matplotlib.pyplot as plt

N = 6

# iterate collection pull out values for each
#success_score = (20, 35, 30, 35, 27, 11)
success_score2 =   (2, 3, 4, 1, 2, 4)

ind = np.arange(N)  # the x locations for the groups
width = 0.40     # the width of the bars

fig, ax = plt.subplots(figsize=(8, 12), dpi=80)
rects1 = ax.bar(ind, success_score, width, color='g', yerr=success_score2)

#failed_score = (25, 32, 34, 20, 25, 4)
failed_score2 =   (3, 5, 2, 3, 3, 2)
rects2 = ax.bar(ind+width, failed_score, width, color='b', yerr=failed_score2)


#invalid_score = (5, 30, 24, 10, 15, 11)
invalid_score2 =   (3, 5, 2, 3, 3, 1)
rects3 = ax.bar(ind+width, invalid_score, width, color='r', yerr=invalid_score2)

# add some
ax.set_ylabel('Scores')
ax.set_title('Suspicious IP Addresses')
ax.set_xticks(ind+width)
ax.set_xticklabels( suspicious_ip.keys(), rotation=60 ) # size='medium'

ax.legend( (rects1[1], rects2[1], rects3[1]), ('Success', 'Fail', 'Invalid') )

def autolabel(rects):
    # attach some text labels
    for rect in rects:
        height = rect.get_height()
        ax.text(rect.get_x()+rect.get_width()/2., 1.05*height, '%d'%int(height),
                ha='center', va='bottom')

autolabel(rects1)
autolabel(rects2)
autolabel(rects3)

#figure(num=None, figsize=(12, 12), dpi=80, facecolor='w', edgecolor='k')
#pylab.rcParams['figure.figsize'] = (5.0, 10.0)

plt.show()
In [331]:
#from mpl_toolkits.basemap import Basemap
#import matplotlib.cm as cm
In [332]:
user1_failed = []
for line in ee:
    if "user1" in line:
        user1_failed.append(line)
In [333]:
#e2 = e.filter(lambda x: "sudo:auth" in x)
#e2
In [334]:
failed_logins_user_list = [line.split("Accepted password for ")[1].split(" from")[0] for line in a]
In [335]:
service_failure = logs.filter(lambda x: "fail" in x)
service_failure.count()
Out[335]:
20550
In [336]:
f = service_failure.collect()
In [337]:
f[0:10]
Out[337]:
[u'Mar 16 08:25:22 app-1 sshd[4884]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.',
 u'Mar 18 09:41:44 app-1 sshd[4621]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.',
 u'Mar 18 09:41:54 app-1 login[4673]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty1 ruser= rhost= ',
 u'Mar 18 09:48:55 app-1 sshd[4597]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.',
 u'Mar 18 09:50:24 app-1 sshd[4583]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.',
 u'Mar 18 09:54:26 app-1 sshd[4614]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.',
 u'Mar 18 09:56:52 app-1 sshd[4754]: error: Bind to port 22 on 0.0.0.0 failed: Address already in use.',
 u'Mar 18 11:20:17 app-1 su[9504]: pam_unix(su:auth): authentication failure; logname=user1 uid=1001 euid=0 tty=pts/0 ruser=user1 rhost=  user=root',
 u'Mar 18 11:20:19 app-1 su[9504]: pam_authenticate: Authentication failure',
 u'Mar 18 11:20:24 app-1 su[9506]: pam_unix(su:auth): authentication failure; logname=user1 uid=1001 euid=0 tty=pts/0 ruser=user1 rhost=  user=root']
In [338]:
user_logoff = logs.filter(lambda x: "session closed" in x)
user_logoff.count()
Out[338]:
15397
In [339]:
g = user_logoff.collect()
g[0:10]
Out[339]:
[u'Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 08:17:01 app-1 CRON[4716]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 08:27:37 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 09:17:01 app-1 CRON[5085]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 10:14:10 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 10:17:01 app-1 CRON[5184]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 10:39:54 app-1 su[4913]: pam_unix(su:session): session closed for user root',
 u'Mar 16 10:39:55 app-1 sshd[4896]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 16 11:17:01 app-1 CRON[5234]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 12:17:01 app-1 CRON[5273]: pam_unix(cron:session): session closed for user root']
In [340]:
gg = []
for line in g:
    if "pam_unix(sshd:session): session closed for user " in line:
        gg.append(line)
gg
Out[340]:
[u'Mar 16 10:39:55 app-1 sshd[4896]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 16 16:00:04 app-1 sshd[5144]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 18 11:40:29 app-1 sshd[10179]: pam_unix(sshd:session): session closed for user user2',
 u'Mar 18 11:41:38 app-1 sshd[10202]: pam_unix(sshd:session): session closed for user user2',
 u'Mar 18 11:59:43 app-1 sshd[10335]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 18 13:57:46 app-1 sshd[4766]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 18 16:25:26 app-1 sshd[10255]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 18 17:29:22 app-1 sshd[10296]: pam_unix(sshd:session): session closed for user user2',
 u'Mar 18 18:30:24 app-1 sshd[14395]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 23 12:12:11 app-1 sshd[6030]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 23 14:13:06 app-1 sshd[6353]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 23 14:13:21 app-1 sshd[6268]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 23 14:29:08 app-1 sshd[6629]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 24 00:18:22 app-1 sshd[7226]: pam_unix(sshd:session): session closed for user user2',
 u'Mar 24 17:39:59 app-1 sshd[15439]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 24 20:13:45 app-1 sshd[7479]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 24 21:16:27 app-1 sshd[17918]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 24 21:20:07 app-1 sshd[17970]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 26 17:11:10 app-1 sshd[9600]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 28 16:31:51 app-1 sshd[5307]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 29 13:24:44 app-1 sshd[21496]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 29 21:44:53 app-1 sshd[21428]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 29 23:52:53 app-1 sshd[26257]: pam_unix(sshd:session): session closed for user user1',
 u'Mar 30 15:15:14 app-1 sshd[17130]: pam_unix(sshd:session): session closed for user user3',
 u'Mar 30 20:36:16 app-1 sshd[28895]: pam_unix(sshd:session): session closed for user user1',
 u'Apr  1 13:35:02 app-1 sshd[4170]: pam_unix(sshd:session): session closed for user user1',
 u'Apr  1 21:16:01 app-1 sshd[6686]: pam_unix(sshd:session): session closed for user user1',
 u'Apr  2 08:11:50 app-1 sshd[10341]: pam_unix(sshd:session): session closed for user user1',
 u'Apr  2 10:11:37 app-1 sshd[5003]: pam_unix(sshd:session): session closed for user user3',
 u'Apr  2 12:42:56 app-1 sshd[12536]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 14 18:47:26 app-1 sshd[5740]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 14 19:40:08 app-1 sshd[5818]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 15 15:27:00 app-1 sshd[9420]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 15 17:43:20 app-1 sshd[10176]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 15 17:57:14 app-1 sshd[10124]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 15 22:29:10 app-1 sshd[12232]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 15 22:59:11 app-1 sshd[12815]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 15 22:59:18 app-1 sshd[12689]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 16 09:38:29 app-1 sshd[15292]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 18 18:07:37 app-1 sshd[5154]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 18 18:10:26 app-1 sshd[5175]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 18 20:30:10 app-1 sshd[5304]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 18 21:32:02 app-1 sshd[5616]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 18 21:52:04 app-1 sshd[5838]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 18 21:53:58 app-1 sshd[5858]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 19 09:59:31 app-1 sshd[27145]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 19 12:10:52 app-1 sshd[27165]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 19 12:13:55 app-1 sshd[30839]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 19 14:47:20 app-1 sshd[32635]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 19 17:12:22 app-1 sshd[28286]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 19 17:27:41 app-1 sshd[894]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 19 17:28:13 app-1 sshd[952]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 19 23:34:39 app-1 sshd[2072]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 00:26:52 app-1 sshd[24442]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 00:36:55 app-1 sshd[2379]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 00:55:36 app-1 sshd[24807]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 07:22:04 app-1 sshd[29998]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 07:22:04 app-1 sshd[26696]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 07:22:04 app-1 sshd[29552]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 11:15:43 app-1 sshd[30618]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 12:15:52 app-1 sshd[30800]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 12:18:57 app-1 sshd[30822]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 12:32:17 app-1 sshd[30898]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 12:32:56 app-1 sshd[30894]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 19:54:29 app-1 sshd[32212]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 19:55:42 app-1 sshd[32198]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 21:52:26 app-1 sshd[32582]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 20 21:53:04 app-1 sshd[32613]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 21 08:08:31 app-1 sshd[1887]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 21 08:58:08 app-1 sshd[1160]: pam_unix(sshd:session): session closed for user user3',
 u'Apr 21 17:32:37 app-1 sshd[3587]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 21 17:36:52 app-1 sshd[3544]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 21 18:26:46 app-1 sshd[3749]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 22 11:10:21 app-1 sshd[7445]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 22 12:32:58 app-1 sshd[7711]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 22 14:01:28 app-1 sshd[8496]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 22 15:26:42 app-1 sshd[10198]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 22 15:29:51 app-1 sshd[9830]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 23 13:49:15 app-1 sshd[15559]: pam_unix(sshd:session): session closed for user user1',
 u'Apr 24 19:11:23 app-1 sshd[32213]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 24 20:23:55 app-1 sshd[5766]: pam_unix(sshd:session): session closed for user dhg',
 u'Apr 26 09:57:21 app-1 sshd[23970]: pam_unix(sshd:session): session closed for user user1']

Who has changed their passwords?

In [341]:
password_changed = logs.filter(lambda x: "password changed" in x)
pc = password_changed.collect()
pc
Out[341]:
[u'Mar 16 08:12:17 app-1 passwd[4695]: pam_unix(passwd:chauthtok): password changed for user4',
 u'Mar 16 08:12:44 app-1 passwd[4706]: pam_unix(passwd:chauthtok): password changed for user1',
 u'Mar 16 08:13:00 app-1 passwd[4714]: pam_unix(passwd:chauthtok): password changed for user2',
 u'Mar 18 10:00:06 app-1 passwd[4763]: pam_unix(passwd:chauthtok): password changed for user1',
 u'Mar 18 11:39:40 app-1 passwd[10178]: pam_unix(passwd:chauthtok): password changed for user2',
 u'Mar 29 13:27:22 app-1 passwd[21555]: pam_unix(passwd:chauthtok): password changed for root',
 u'Apr 19 11:04:01 app-1 passwd[30283]: pam_unix(passwd:chauthtok): password changed for root',
 u'Apr 19 22:38:09 app-1 passwd[2020]: pam_unix(passwd:chauthtok): password changed for packet',
 u'Apr 19 22:45:23 app-1 passwd[2056]: pam_unix(passwd:chauthtok): password changed for dhg',
 u'Apr 25 10:43:24 app-1 passwd[9864]: pam_unix(passwd:chauthtok): password changed for fido',
 u'Apr 26 04:43:31 app-1 passwd[20119]: pam_unix(passwd:chauthtok): password changed for wind3str0y']

What does this look like in a time series, timeOfDay, days, weeks, months?

In [342]:
h[0:10]
Out[342]:
[u'Mar 16 08:12:17 app-1 passwd[4695]: pam_unix(passwd:chauthtok): password changed for user4',
 u'Mar 16 08:12:44 app-1 passwd[4706]: pam_unix(passwd:chauthtok): password changed for user1',
 u'Mar 16 08:13:00 app-1 passwd[4714]: pam_unix(passwd:chauthtok): password changed for user2',
 u'Mar 18 10:00:06 app-1 passwd[4763]: pam_unix(passwd:chauthtok): password changed for user1',
 u'Mar 18 11:39:40 app-1 passwd[10178]: pam_unix(passwd:chauthtok): password changed for user2',
 u'Mar 29 13:27:22 app-1 passwd[21555]: pam_unix(passwd:chauthtok): password changed for root',
 u'Apr 19 11:04:01 app-1 passwd[30283]: pam_unix(passwd:chauthtok): password changed for root',
 u'Apr 19 22:38:09 app-1 passwd[2020]: pam_unix(passwd:chauthtok): password changed for packet',
 u'Apr 19 22:45:23 app-1 passwd[2056]: pam_unix(passwd:chauthtok): password changed for dhg',
 u'Apr 25 10:43:24 app-1 passwd[9864]: pam_unix(passwd:chauthtok): password changed for fido']

What new users were added to the box?

In [343]:
new_user  = logs.filter(lambda x: "new user" in x)
i = new_user.collect()
i
Out[343]:
[u'Mar 16 08:12:13 app-1 useradd[4692]: new user: name=user4, UID=1001, GID=1001, home=/home/user4, shell=/bin/bash',
 u'Mar 16 08:12:38 app-1 useradd[4703]: new user: name=user1, UID=1001, GID=1001, home=/home/user1, shell=/bin/bash',
 u'Mar 16 08:12:55 app-1 useradd[4711]: new user: name=user2, UID=1002, GID=1002, home=/home/user2, shell=/bin/bash',
 u'Mar 16 08:25:22 app-1 useradd[4845]: new user: name=sshd, UID=104, GID=65534, home=/var/run/sshd, shell=/usr/sbin/nologin',
 u'Mar 18 10:15:42 app-1 useradd[5393]: new user: name=Debian-exim, UID=105, GID=114, home=/var/spool/exim4, shell=/bin/false',
 u'Mar 18 10:18:26 app-1 useradd[6966]: new user: name=mysql, UID=106, GID=115, home=/var/lib/mysql, shell=/bin/false',
 u'Apr 19 22:38:00 app-1 useradd[2019]: new user: name=packet, UID=0, GID=0, home=/home/packet, shell=/bin/sh',
 u'Apr 19 22:45:13 app-1 useradd[2053]: new user: name=dhg, UID=1003, GID=1003, home=/home/dhg, shell=/bin/bash',
 u'Apr 24 19:27:35 app-1 useradd[1386]: new user: name=messagebus, UID=108, GID=117, home=/var/run/dbus, shell=/bin/false',
 u'Apr 25 10:41:44 app-1 useradd[9596]: new user: name=fido, UID=0, GID=1004, home=/home/fido, shell=/bin/sh',
 u'Apr 26 04:43:15 app-1 useradd[20115]: new user: name=wind3str0y, UID=1004, GID=1005, home=/home/wind3str0y, shell=/bin/bash']
In [343]:
 
In [344]:
i
Out[344]:
[u'Mar 16 08:12:13 app-1 useradd[4692]: new user: name=user4, UID=1001, GID=1001, home=/home/user4, shell=/bin/bash',
 u'Mar 16 08:12:38 app-1 useradd[4703]: new user: name=user1, UID=1001, GID=1001, home=/home/user1, shell=/bin/bash',
 u'Mar 16 08:12:55 app-1 useradd[4711]: new user: name=user2, UID=1002, GID=1002, home=/home/user2, shell=/bin/bash',
 u'Mar 16 08:25:22 app-1 useradd[4845]: new user: name=sshd, UID=104, GID=65534, home=/var/run/sshd, shell=/usr/sbin/nologin',
 u'Mar 18 10:15:42 app-1 useradd[5393]: new user: name=Debian-exim, UID=105, GID=114, home=/var/spool/exim4, shell=/bin/false',
 u'Mar 18 10:18:26 app-1 useradd[6966]: new user: name=mysql, UID=106, GID=115, home=/var/lib/mysql, shell=/bin/false',
 u'Apr 19 22:38:00 app-1 useradd[2019]: new user: name=packet, UID=0, GID=0, home=/home/packet, shell=/bin/sh',
 u'Apr 19 22:45:13 app-1 useradd[2053]: new user: name=dhg, UID=1003, GID=1003, home=/home/dhg, shell=/bin/bash',
 u'Apr 24 19:27:35 app-1 useradd[1386]: new user: name=messagebus, UID=108, GID=117, home=/var/run/dbus, shell=/bin/false',
 u'Apr 25 10:41:44 app-1 useradd[9596]: new user: name=fido, UID=0, GID=1004, home=/home/fido, shell=/bin/sh',
 u'Apr 26 04:43:15 app-1 useradd[20115]: new user: name=wind3str0y, UID=1004, GID=1005, home=/home/wind3str0y, shell=/bin/bash']
In [345]:
failed_password  = logs.filter(lambda x: "Failed password" in x)
failed_password.count()
Out[345]:
20338
In [346]:
j = failed_password.collect()
In [347]:
j[0:10]
Out[347]:
[u'Mar 18 11:38:05 app-1 sshd[10156]: Failed password for user2 from 71.132.129.212 port 34624 ssh2',
 u'Mar 18 11:38:10 app-1 sshd[10156]: Failed password for user2 from 71.132.129.212 port 34624 ssh2',
 u'Mar 18 11:38:43 app-1 sshd[10156]: Failed password for user2 from 71.132.129.212 port 34624 ssh2',
 u'Mar 18 11:38:59 app-1 sshd[10158]: Failed password for user2 from 71.132.129.212 port 34333 ssh2',
 u'Mar 29 13:23:46 app-1 sshd[21492]: Failed password for root from 10.0.1.2 port 51771 ssh2',
 u'Mar 29 13:26:46 app-1 sshd[21552]: Failed password for root from 10.0.1.2 port 51780 ssh2',
 u'Apr 15 14:47:52 app-1 sshd[10174]: Failed password for user1 from 208.80.69.74 port 33737 ssh2',
 u'Apr 18 18:22:09 app-1 sshd[5266]: Failed password for root from 61.151.246.140 port 52434 ssh2',
 u'Apr 18 18:22:13 app-1 sshd[5268]: Failed password for root from 61.151.246.140 port 52641 ssh2',
 u'Apr 18 18:22:17 app-1 sshd[5270]: Failed password for root from 61.151.246.140 port 52872 ssh2']
In [348]:
deleted_user  = logs.filter(lambda x: "delete user" in x)
deleted_user.count()
Out[348]:
2
In [349]:
k = deleted_user.collect()
k
Out[349]:
[u"Mar 16 08:12:31 app-1 userdel[4700]: delete user `user4' ",
 u'Mar 18 14:10:59 app-1 sudo:   user1 : TTY=pts/3 ; PWD=/opt/software/web/app/profile/fixtures ; USER=root ; COMMAND=/usr/bin/svn delete users.json']
In [350]:
root_user  = logs.filter(lambda x: "root" in x)
root_user.count()
Out[350]:
42445
In [351]:
root_user.take(100)
Out[351]:
[u'Mar 16 08:12:09 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:12:09 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 08:12:09 app-1 su[4679]: Successful su for root by root',
 u'Mar 16 08:12:09 app-1 su[4679]: + tty1 root:root',
 u'Mar 16 08:12:09 app-1 su[4679]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:17:01 app-1 CRON[4716]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 08:17:01 app-1 CRON[4716]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 08:27:37 app-1 sudo:     user3 : TTY=pts/0 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 08:27:37 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 08:27:37 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 08:27:37 app-1 su[4913]: Successful su for root by root',
 u'Mar 16 08:27:37 app-1 su[4913]: + pts/0 root:root',
 u'Mar 16 08:27:37 app-1 su[4913]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 16 09:17:01 app-1 CRON[5085]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 09:17:01 app-1 CRON[5085]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 10:14:10 app-1 sudo:     user3 : TTY=pts/1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 10:14:10 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 10:14:10 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 10:14:10 app-1 su[5162]: Successful su for root by root',
 u'Mar 16 10:14:10 app-1 su[5162]: + pts/1 root:root',
 u'Mar 16 10:14:10 app-1 su[5162]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 16 10:17:01 app-1 CRON[5184]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 10:17:01 app-1 CRON[5184]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 10:39:54 app-1 su[4913]: pam_unix(su:session): session closed for user root',
 u'Mar 16 11:17:01 app-1 CRON[5234]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 11:17:01 app-1 CRON[5234]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 12:17:01 app-1 CRON[5273]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 12:17:01 app-1 CRON[5273]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 13:17:01 app-1 CRON[5322]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 13:17:01 app-1 CRON[5322]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 14:17:01 app-1 CRON[5373]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 14:17:01 app-1 CRON[5373]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 15:17:01 app-1 CRON[5435]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 15:17:01 app-1 CRON[5435]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 16:00:04 app-1 su[5162]: pam_unix(su:session): session closed for user root',
 u'Mar 16 16:17:01 app-1 CRON[5474]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 16:17:01 app-1 CRON[5474]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 17:12:41 app-1 sudo:     user3 : TTY=pts/0 ; PWD=/opt/software ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 17:12:41 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 17:12:41 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 17:12:41 app-1 su[5535]: Successful su for root by root',
 u'Mar 16 17:12:41 app-1 su[5535]: + pts/0 root:root',
 u'Mar 16 17:12:41 app-1 su[5535]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 16 17:13:51 app-1 su[5535]: pam_unix(su:session): session closed for user root',
 u'Mar 16 17:13:52 app-1 sudo:     user3 : TTY=pts/0 ; PWD=/opt/software ; USER=root ; COMMAND=/bin/su',
 u'Mar 16 17:13:52 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 16 17:13:52 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 16 17:13:52 app-1 su[5551]: Successful su for root by root',
 u'Mar 16 17:13:52 app-1 su[5551]: + pts/0 root:root',
 u'Mar 16 17:13:52 app-1 su[5551]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 16 17:17:01 app-1 CRON[5571]: pam_unix(cron:session): session opened for user root by (uid=0)',
 u'Mar 16 17:17:01 app-1 CRON[5571]: pam_unix(cron:session): session closed for user root',
 u'Mar 16 17:32:58 app-1 su[4679]: pam_unix(su:session): session closed for user root',
 u'Mar 18 09:43:06 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 09:43:06 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 18 09:43:06 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 18 09:43:06 app-1 su[4713]: Successful su for root by root',
 u'Mar 18 09:43:06 app-1 su[4713]: + tty1 root:root',
 u'Mar 18 09:43:06 app-1 su[4713]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 18 09:43:07 app-1 su[4713]: pam_unix(su:session): session closed for user root',
 u'Mar 18 09:49:52 app-1 sudo:     user3 : TTY=tty1 ; PWD=/opt/software ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 09:49:52 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 18 09:49:52 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 18 09:49:52 app-1 su[4673]: Successful su for root by root',
 u'Mar 18 09:49:52 app-1 su[4673]: + tty1 root:root',
 u'Mar 18 09:49:52 app-1 su[4673]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 18 09:49:53 app-1 su[4673]: pam_unix(su:session): session closed for user root',
 u'Mar 18 09:51:23 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 09:51:23 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 18 09:51:23 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 18 09:51:23 app-1 su[4654]: Successful su for root by root',
 u'Mar 18 09:51:23 app-1 su[4654]: + tty1 root:root',
 u'Mar 18 09:51:23 app-1 su[4654]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 18 09:56:22 app-1 sudo:     user3 : TTY=tty1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 09:56:22 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 18 09:56:22 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 18 09:56:22 app-1 su[4684]: Successful su for root by root',
 u'Mar 18 09:56:22 app-1 su[4684]: + tty1 root:root',
 u'Mar 18 09:56:22 app-1 su[4684]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 18 10:00:36 app-1 sudo:     user3 : TTY=pts/1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 10:00:36 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)',
 u'Mar 18 10:00:36 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 18 10:00:36 app-1 su[4805]: Successful su for root by root',
 u'Mar 18 10:00:36 app-1 su[4805]: + pts/1 root:root',
 u'Mar 18 10:00:36 app-1 su[4805]: pam_unix(su:session): session opened for user root by user3(uid=0)',
 u'Mar 18 10:01:03 app-1 sudo:   user1 : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/su -',
 u'Mar 18 10:02:09 app-1 sudo:   user1 : TTY=pts/0 ; PWD=/home/user1 ; USER=root ; COMMAND=/bin/su -',
 u'Mar 18 10:02:09 app-1 sudo: pam_unix(sudo:session): session opened for user root by user1(uid=0)',
 u'Mar 18 10:02:09 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 18 10:02:09 app-1 su[4875]: Successful su for root by root',
 u'Mar 18 10:02:09 app-1 su[4875]: + pts/0 root:root',
 u'Mar 18 10:02:09 app-1 su[4875]: pam_unix(su:session): session opened for user root by user1(uid=0)',
 u'Mar 18 10:32:44 app-1 su[4875]: pam_unix(su:session): session closed for user root',
 u'Mar 18 10:32:49 app-1 su[4805]: pam_unix(su:session): session closed for user root',
 u'Mar 18 10:34:55 app-1 sudo:   user1 : TTY=pts/0 ; PWD=/opt/software/web/app ; USER=root ; COMMAND=/usr/bin/vi /opt/software/base/vmscripts/app/django_settings.sh',
 u'Mar 18 10:34:55 app-1 sudo: pam_unix(sudo:session): session opened for user root by user1(uid=0)',
 u'Mar 18 10:34:55 app-1 sudo: pam_unix(sudo:session): session closed for user root',
 u'Mar 18 10:35:25 app-1 sudo:     user3 : TTY=pts/1 ; PWD=/home/user3 ; USER=root ; COMMAND=/bin/su',
 u'Mar 18 10:35:25 app-1 sudo: pam_unix(sudo:session): session opened for user root by user3(uid=0)']
In [352]:
import pandas as pd
import numpy as np
from pandas import Series, DataFrame, Panel

#plot(kind='barh')
In [353]:
import apachelog, sys
In [354]:
fformat = r'%V %h %l %u %t \"%r\" %>s %b \"%i\" \"%{User-Agent}i\" %T'
In [355]:
p = apachelog.parser(fformat)
In [355]: