poem

It's morning again and I am still waiting by Sebastian Morales

This project derived from another, as they often do. In this case I was studying internet bots and botnets, their patterns and flows. Soon after, I started creating honeypots designed to attract more bots, keeping them in the server as long as possible, setting baits to lure them back when they left.

After a couple days, bots where coming form everywhere, many different types. After a week, I had bots from a particularly bot net visiting the server every couple of hours. Each time what seem to be a different IP address would appear, try a combination of username and password, then disappear forever. Somewhere around the world, perhaps everywhere around it, these were loyal, punctual, and always present predators. Keep in mind that these bots were trying to hack my server, not very successfully, but their only purpose was harm. They continued visiting for months, then, inexplicably, stop to never come back again.

The week after they stop was strange. I found myself checking the server logs multiple times a day, always feeling somewhat abandoned. I am not sure where or how this relates to the Stockholm syndrome or if I should try to coin a new term. But there was something about this creatures, meaning harm but now absent, that made my yearning strong.

I couldn’t resist the curiosity, the urge to find out more. I started meticulously looking for clues though months of server logs, and there were patterns. In fact, not all the IP address where unique, they often came back again, and again, and again. Traveling oceans at the speed of light, no frontiers, the only boarder a Wordpress login page.

This sparked the idea in my head of writing/coding a poem for a particular(random) bot that came frequently. It is read/written as a system administrator, who knows the bot is trying to hack its system but cannot help to develop an unhealthy attraction and lust for it. Asking the system to help him track the bot back to its origin.

 

Original post:

This project was part of the final for Reading and Writing Electronic Text class. It was inspired by the bots that have been visiting my honey pot server the last couple of months. 

In particular it was inspired by a period of time about 1 week long that they stopped coming. I felt curiosity, and sadness for the sudden unexplained abandonment of these bots. 

I first started on Jupyter Notebook. For a period of 1.5 months I had been recording all bots that visited the server. It was a simple txt file logging every visit, in the order as they came.

I made the mistake to not save the log in a structured way as a dictionary or a Json, which meant that the first step was to convert the data into a structured values. 

I became particularly interested in bots seeking to hack a wordpress site. The honey pot server would always return an error message and the same page, it looks something like this: 

WP honey pot

I became fascinated by these bots, they all behave exactly the same way and acted in an orderly fashion. It would be safe to assume that they are all connected and orchestrated by the same master. Yet they seem to always come from different IP address. Looking at all the IPs plotted around the world we can see they are quite distributed...

world.jpg

Anyways, turning into poetry

As these type of bot arrive they leave behind a post request of the following structure.

Wed Apr 18 2018 08:22:14 GMT+0000 (UTC) ip 94.25.169.198 Mozilla/5.0 (Windows NT 6.0; rv:34.0) Gecko/20100101 Firefox/34.0 POST {"log":"admin","pwd":"viking","rememberme":"forever","submit":"Login","redirect_to":"wp-login-error.html"} Path: /wp-login.php

With this in mind I started parsing though the data, looking at common passwords and common User names. Also looking at the most repeated IP address.

I found that out of the 5010 WP logging attempts 2110 were from the same IPs.

Top 20:

[('95.79.33.65', 23),
 ('176.197.78.250', 22),
 ('93.157.168.25', 21),
 ('37.143.19.62', 20),
 ('46.61.152.185', 19),
 ('5.104.206.2', 19),
 ('185.59.58.52', 18),
 ('91.192.173.25', 18),
 ('185.13.112.104', 18),
 ('62.140.230.163', 17),
 ('109.172.30.247', 17),
 ('192.95.168.172', 16),
 ('93.170.177.233', 16),
 ('80.64.18.225', 16),
 ('185.81.248.18', 16),
 ('188.0.135.155', 16),
 ('176.120.211.202', 16),
 ('212.118.40.117', 16),
 ('46.35.243.27', 15),
 ('195.9.51.62', 15)]

This sparked in my head the idea of having a poem for a particular bot that has come frequently. It is read/written by the system administrator, who knows the bot is trying to hack the system but cant help to develop an unhealthy attraction and lust for it. Asking the system to help him track the bot to its origin.

Some of the text in the poem comes from the bot passwords and usernames, also the dates and times registered would help build some tension thought repetition.

The embedded jupyter notebook shows most of the process of developing the poem.

For the actual performance I didn't want to read streight form a jupyter notebook but rather from a terminal window. As the system administrator looks at the logs and talks to the terminal. 

 

The actual python script for the terminal version can be found [here].