Vitali Kremez

ZeusC2Tracker: Location Analyzer Using GeoCode API

1/25/2016

Author: Vitali Kremez

Data Source:
(1) zeustracker.abuse.ch
(2) cybercrime-tracker.net

Language: Python, Regular Expressions, SQLite, JavaScript, HTML
API: Google Maps Geocoding API, IP-API JSON API, plotly
​
We see the largest number of ZeusC2 in the first quarter of 2015.

*Creates a SQL table with 2,690 Zeus Command-and-Control servers and visualizes the database via the Google Maps Geocoding API.

Goal: Obtain geographical location coordinates of current and historical Zeus servers and visualize them on Google Maps.

Method of Operation:
*Creates SQL database "ZeusC2Tracker.sqlite" with columns mdate, url, ip, rtype, rsource;
*Converts Zeus hostnames to cities using ip-api.com JSON API;
*Obtains lat/long values using GeoCode API, and stores values in another SQL database "geodata.sqlite";
*Maps the data from "geodata.sqlite" to the JavaScript file "where.js";
*Creates viewable Google-mapped values in "where.html" that point to "where.js".

Usage:
(1) Run Zeusloader.py to create the monolithic "ZeusC2Tracker.sqlite" database with columns mdate, url, ip, rtype, rsource;
(2) Run ZeusHostConverter.py to convert hostnames to cities using the ip-api.com JSON API and write the data to a new "where.data" file;
(3) Run Geoload.py to parse "where.data", obtain lat/long values using the GeoCode API, and store the values in the SQL database "geodata.sqlite";
(4) Run Geodump.py to map the data from "geodata.sqlite" to a new JavaScript file "where.js"; and
(5) View the Google-mapped values in "where.html", which points to "where.js".

Example of SQL query "SELECT * From ZeusC2Tracker;" in Terminal:

Here are some interesting findings based on this SQL ZeusC2Tracker database of 2,690 ZeusC2's:

(1) We have 90 .ru [Russian] domains associated with ZeusC2's.
(2) We have 6 domains that contain string "bank" associated with ZeusC2's.
(3) We have 1,442 default Zeus installs associated with ZeusC2. They are identified by default control panel path "/cp.php?m=login".
(4) We have 16 TOR [onion] domains associated with ZeusC2's.
(5) We have 1,092 .com domains associated with ZeusC2's.
(6) We have 35 .ua [Ukrainian] domains associated with ZeusC2's.
(7) We have 5 .cc [Cocos (Keeling) Islands - often used by carding community] domains associated with ZeusC2's.
(8) We have 28 .su [Soviet Union] domains associated with ZeusC2's.
(9) We have 2 .gov [1 Colombian, 1 Turkish] domains associated with ZeusC2's.
(10) The 3 most popular IPs associated with ZeusC2's are 199.192.231.250 [26 domains], 198.1.80.203 [21 domains], and 162.144.127.104 [16 domains].
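An added example, not code from the original post: the counts above come from substring LIKE filters on the url column, which count tracker entries rather than unique hosts and also match ".ru" or ".com" anywhere in the entry. The sketch below parses each entry into host, TLD and panel path so the two ways of counting can be compared, and flags .onion hosts, which the hostname-to-city step cannot resolve. The sample rows are constructed, and the names parse_entry, like_count and summarize are hypothetical.

```python
import ipaddress
import sqlite3
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample rows in the shape of the ZeusC2Tracker "url" column
# (scheme-less host[:port]/path?query). Not taken from the tracker feeds.
SAMPLE_URLS = [
    "panel-one.example.ru/images/cp.php?m=login",
    "panel-one.example.ru/old/cp.php?m=login",        # same host, second panel
    "www.rural-example.net/wp/cp.php?m=login",        # contains ".ru" but is .net
    "shop.example.com.au/file/cp.php?m=login",        # contains ".com" but is .au
    "198.51.100.7:6500/a/data.php?m=login",           # bare IP with a port
    "203.0.113.9/~user/mirror.example.com/cp.php?letter=login",  # ".com" only in path
    "abcdefghijklmnop.onion/~x/cp.php?m=login",       # hidden service, no geolocation
    "gate.example.com",                               # host only, no panel path
]


def parse_entry(url):
    """Split one tracker entry into host facts instead of substring-matching it."""
    try:
        # The leading "//" makes urlsplit treat the first segment as the netloc.
        parts = urlsplit("//" + url.strip())
        host = (parts.hostname or "").lower()
    except ValueError:
        return {"host": "", "is_ip": False, "tld": None,
                "default_panel": False, "geolocatable": False}
    try:
        ipaddress.ip_address(host)
        is_ip = True
    except ValueError:
        is_ip = False
    # Last label of the hostname; IP literals have no TLD.
    tld = None if is_ip or "." not in host else host.rsplit(".", 1)[1]
    return {
        "host": host,
        "is_ip": is_ip,
        "tld": tld,
        # Default install marker named in the post: "/cp.php?m=login".
        "default_panel": parts.path.endswith("/cp.php") and parts.query == "m=login",
        # .onion names have no public IP to pass to a geolocation API.
        "geolocatable": bool(host) and tld != "onion",
    }


def like_count(conn, pattern):
    """Count entries the way the notebook queries do: substring LIKE on url."""
    row = conn.execute(
        "SELECT COUNT(*) FROM ZeusC2Tracker WHERE url LIKE ?", (pattern,)
    ).fetchone()
    return row[0]


def summarize(urls):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZeusC2Tracker (id INTEGER PRIMARY KEY, url TEXT)")
    conn.executemany("INSERT INTO ZeusC2Tracker (url) VALUES (?)", [(u,) for u in urls])

    parsed = [parse_entry(u) for u in urls]
    # Count each hostname once per TLD, however many panels it hosts.
    hosts_by_tld = Counter(
        tld for _host, tld in {(p["host"], p["tld"]) for p in parsed if p["tld"]}
    )
    result = {
        "like_ru": like_count(conn, "%.ru%"),
        "hosts_ru": hosts_by_tld["ru"],
        "like_com": like_count(conn, "%.com%"),
        "hosts_com": hosts_by_tld["com"],
        "default_panels": sum(p["default_panel"] for p in parsed),
        "skip_geo": sorted({p["host"] for p in parsed if not p["geolocatable"]}),
    }
    conn.close()
    return result


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_URLS).items():
        print(key, value)
```

On the constructed rows the LIKE filters report three ".ru" and three ".com" entries, while host parsing finds one unique host under each TLD.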
In [2]:
import sqlite3
import pandas as pd
import plotly.plotly as py # interactive graphing (plotly < 4; later releases moved this module to chart_studio.plotly)
from plotly.graph_objs import Bar, Scatter, Marker, Layout
In [3]:
conn = sqlite3.connect('ZeusC2Tracker.sqlite')
In [3]:
df = pd.read_sql_query('SELECT * FROM ZeusC2Tracker', conn)
In [12]:
print(df)
[2690 rows x 6 columns]
In [15]:
# Entries per mdate; the alias is left unquoted so ORDER BY sorts on the count rather than on a string literal
df = pd.read_sql_query("SELECT mdate, COUNT(*) AS num_of_ZeusC2 FROM ZeusC2Tracker GROUP BY mdate ORDER BY num_of_ZeusC2", conn)
py.iplot([Bar(x=df.mdate, y=df.num_of_ZeusC2)], filename='Number of ZeusC2 by mdate')
In [20]:
# Entries whose url contains ".ru" (substring match on the whole url, not only the TLD)
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_RuZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.ru%' GROUP BY url ORDER BY num_of_RuZeusC2", conn)
In [21]:
print(df)
[90 rows x 2 columns]
In [23]:
# Entries whose url contains the string "bank"
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_Bank_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%bank%' GROUP BY url ORDER BY num_of_Bank_ZeusC2", conn)
print(df)
In [32]:
# Entries that use the default control panel path "cp.php?m=login"
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_default_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%cp.php?m=login%' GROUP BY url ORDER BY num_of_default_ZeusC2", conn)
In [33]:
print(df)
[1442 rows x 2 columns]
In [34]:
# Entries whose url contains "onion" (TOR hidden services)
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_TOR_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%onion%' GROUP BY url ORDER BY num_of_TOR_ZeusC2", conn)
print(df)
In [38]:
# Entries whose url contains ".com" (substring match on the whole url, not only the TLD)
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_COM_ZeusC2_domains FROM ZeusC2Tracker WHERE url LIKE '%.com%' GROUP BY url ORDER BY num_of_COM_ZeusC2_domains", conn)
print(df)
[1092 rows x 2 columns]
In [40]:
# Entries whose url contains the string "zeus"
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_Zeus_ZeusC2_domains FROM ZeusC2Tracker WHERE url LIKE '%zeus%' GROUP BY url ORDER BY num_of_Zeus_ZeusC2_domains", conn)
print(df)
In [41]:
# Entries whose url contains ".ua" (substring match on the whole url, not only the TLD)
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_UAZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.ua%' GROUP BY url ORDER BY num_of_UAZeusC2", conn)
print(df)
                                                  url  num_of_UAZeusC2
0           247.kiev.ua/love/ssss/ssss/cp.php?m=login                1
1                   avita.lviv.ua/.tmp/cp.php?m=login                1
2                   barfly.com.ua/tito/cp.php?m=login                1
3   berizka.gorodok.km.ua/core/auth/image/cp.php?m...                1
4   berizka.gorodok.km.ua/core/splash/admin/cp.php...                1
5                                      bestdove.in.ua                1
6              bestdove.in.ua/first/admin.php?m=login                1
7                                     blackhill.pp.ua                1
8                 blackhill.pp.ua/zeus/cp.php?m=login                1
9                         counter-1.adscounter.com.ua                1
10    ecoed.com.ua/.smart/Plugins/cp.php?letter=login                1
11             excel.com.ua/image/cp.php?letter=login                1
12  fortuna-group.com.ua/wp-comment/admin.php?m=login                1
13              hallabu.in.ua/index/admin.php?m=login                1
14                                       henex.net.ua                1
15                                 ice.andromed.in.ua                1
16                                         jomo.in.ua                1
17               loxomi.in.ua/index/admin.php?m=login                1
18                                       molowo.in.ua                1
19                                   mygoodness.in.ua                1
20               numogi.in.ua/index/admin.php?m=login                1
21  rest-mlyn.com.ua/includes/db/server/cp.php?m=l...                1
22                    sauti.com.ua/var/cp.php?m=login                1
23                             sdhfjksdhfjksdh.biz.ua                1
24                                    sdspropro.co.ua                1
25  smarthous.com.ua/wp-includes/components/plugin...                1
26                                  vashadvokat.in.ua                1
27              vip-interior.com.ua/e7/cp.php?m=login                1
28                                    visit2013.in.ua                1
29                 vlad-poltava.1gb.ua/cp.php?m=login                1
30  www.coolfox.pp.ua/adminpanel/facts/cp.php?m=login                1
31                   www.fvs.com.ua/tw/cp.php?m=login                1
32      www.pneumatica.com.ua/tmp/.tmp/cp.php?m=login                1
33  www.renomed.org.ua/components/shby/cp.php?m=login                1
34                                www.sdspropro.co.ua                1
35  www.windelectric.ua/images/gh/cp.php?letter=login                1
In [42]:
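# Same substring filter for ".us"; the count is aliased so the column header matches the output below.
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_US_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.us%' GROUP BY url ORDER BY num_of_US_ZeusC2", conn)
print(df)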
                                                  url  num_of_US_ZeusC2
0        blueinteractive.us/wp-comment/cp.php?m=login                 1
1             freecashmachine.us/monib/cp.php?m=login                 1
2          jerryguy.usa.cc/css/panel.php?letter=login                 1
3                            joejdbjrmrkklfnmf.usr.me                 1
4                jpardon.usa.cc/xxc/admin.php?m=login                 1
5   landsolutions.us/morganbreaux.com/temp/nepal/c...                 1
6                         ngtools.us/s/cp.php?m=login                 1
7                nyprince.us/gift/item/cp.php?m=login                 1
8                    shieldled.us/ak47/cp.php?m=login                 1
9                   shieldled.us/akguy/cp.php?m=login                 1
10                    shieldled.us/ste/cp.php?m=login                 1
11                     w1sdom.us/13377/cp.php?m=login                 1
12               westiniedsho.us/eme01/cp.php?m=login                 1
13                     wizboi.us/eme01/cp.php?m=login                 1
14  www.global-production.us/longman/edition/cp.ph...                 1
15          www.marshall.usa.cc/war/panel.php?m=login                 1
In [43]:
# Tracked URLs containing ".cc" (substring match).
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_CC_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.cc%' GROUP BY url ORDER BY num_of_CC_ZeusC2", conn)
print(df)
                                                 url  num_of_CC_ZeusC2
0  astairepartners.cu.cc/pelumi/server/cp.php?m=l...                 1
1                           g0dday.cc/cp.php?m=login                 1
2         jerryguy.usa.cc/css/panel.php?letter=login                 1
3               jpardon.usa.cc/xxc/admin.php?m=login                 1
4          www.marshall.usa.cc/war/panel.php?m=login                 1
5           www.wideawake.cc/zak/cp.php?letter=login                 1
In [44]:
# Tracked URLs containing ".su" (substring match).
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_SU_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.su%' GROUP BY url ORDER BY num_of_SU_ZeusC2", conn)
print(df)
                                                  url  num_of_SU_ZeusC2
0                              76tguy6hh6tgftrt7tg.su                 1
1                               angryshippflyforok.su                 1
2                                  axpoium.echange.su                 1
3                               beatyhousesupporte.su                 1
4             beautyinthesands.su/lisa/cp.php?m=login                 1
5   bentleyoil.su/lamborghini/roseroll/cp.php?m=login                 1
6   bentleyoil.su/rangeroversport/prosperity/cp.ph...                 1
7                                          bitters.su                 1
8                                           bright.su                 1
9          chemosales.bzs.su/site/root/cp.php?m=login                 1
10                             chezhiyasweheropasl.su                 1
11                                      cosmosdady.su                 1
12             despww.su/3836bkuta3/index.php?m=login                 1
13                                          f8b2b9.su                 1
14  getego.suroot.com/~focused/wp-content/themes/t...                 1
15              liberstotusedis.su/het/cp.php?m=login                 1
16                                   livinglounges.su                 1
17              meziamussucemaqueue.su/ihavethepower/                 1
18                               nonstopeddanceraz.su                 1
19                              pedropedreiromoxik.su                 1
20                                          regame.su                 1
21                                      rsslessons.su                 1
22                                   slot.sub-zero.it                 1
23                             turkeyhotelnoslafas.su                 1
24                                         uptight.su                 1
25                                            wvin.su                 1
26                        zukkoshop.su/cp.php?m=login                 1
In [45]:
# Tracked URLs containing ".gov" (substring match), i.e. panels hosted under government domains.
df = pd.read_sql_query("SELECT url, COUNT(*) AS num_of_Gov_ZeusC2 FROM ZeusC2Tracker WHERE url LIKE '%.gov%' GROUP BY url ORDER BY num_of_Gov_ZeusC2", conn)
print(df)
                                                 url  num_of_Gov_ZeusC2
0       ayancikmuftulugu.gov.tr/admin/cp.php?m=login                  1
1  teatromunicipal.gov.co/images/indexx.php?lette...                  1
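The `LIKE '%.us%'` and `LIKE '%.su%'` filters above match the substring anywhere in the URL, which is why rows such as `jerryguy.usa.cc` and `slot.sub-zero.it` show up in the results. The following is an added example, not part of the original notebook: it registers a hypothetical `host_tld()` SQL function that compares only the last label of the host, using a handful of `url` values copied from the outputs above in an in-memory table (the helper names `build_db`, `like_match`, `tld_match` and `tld_counts` are assumptions).

```python
import re
import sqlite3
from urllib.parse import urlsplit

# url values copied from the notebook outputs above.
SAMPLE_URLS = [
    "shieldled.us/ak47/cp.php?m=login",
    "shieldled.us/akguy/cp.php?m=login",
    "ngtools.us/s/cp.php?m=login",
    "jerryguy.usa.cc/css/panel.php?letter=login",   # caught by LIKE '%.us%'
    "joejdbjrmrkklfnmf.usr.me",                     # caught by LIKE '%.us%'
    "zukkoshop.su/cp.php?m=login",
    "wvin.su",
    "slot.sub-zero.it",                             # caught by LIKE '%.su%'
    "23.252.120.143/~zeus/30/cp.php?letter=login",  # IP literal, no TLD
]

_SCHEME = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)


def host_tld(url):
    """Return the lower-cased last DNS label of the URL's host, or None."""
    if not url:
        return None
    # The tracker stores URLs without a scheme; "//" makes urlsplit()
    # treat the leading part as the network location.
    if not _SCHEME.match(url):
        url = "//" + url
    try:
        host = (urlsplit(url).hostname or "").rstrip(".")
    except ValueError:          # malformed netloc
        return None
    if "." not in host:
        return None
    label = host.rsplit(".", 1)[1]
    # An all-digit last label means the host is an IPv4 literal.
    return None if label.isdigit() else label


def build_db(urls):
    """In-memory table with the column layout the post describes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZeusC2Tracker "
                 "(mdate TEXT, url TEXT, ip TEXT, rtype TEXT, rsource TEXT)")
    conn.executemany("INSERT INTO ZeusC2Tracker (url) VALUES (?)",
                     [(u,) for u in urls])
    conn.create_function("host_tld", 1, host_tld)
    return conn


def like_match(conn, tld):
    """The notebook's filter: substring match anywhere in the URL."""
    rows = conn.execute("SELECT url FROM ZeusC2Tracker WHERE url LIKE ? "
                        "ORDER BY url", ("%." + tld + "%",))
    return [r[0] for r in rows]


def tld_match(conn, tld):
    """Match only when the host's last label equals the TLD."""
    rows = conn.execute("SELECT url FROM ZeusC2Tracker "
                        "WHERE host_tld(url) = ? ORDER BY url", (tld,))
    return [r[0] for r in rows]


def tld_counts(conn):
    """Panels per TLD, most common first."""
    return conn.execute(
        "SELECT host_tld(url) AS tld, COUNT(*) AS n FROM ZeusC2Tracker "
        "WHERE host_tld(url) IS NOT NULL GROUP BY tld ORDER BY n DESC, tld"
    ).fetchall()


if __name__ == "__main__":
    db = build_db(SAMPLE_URLS)
    for tld in ("us", "su"):
        extra = sorted(set(like_match(db, tld)) - set(tld_match(db, tld)))
        print(tld, "LIKE-only rows:", extra)
    print(tld_counts(db))
```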
In [20]:
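# IPs that host more than one tracked URL. mdate and url are bare columns, so SQLite takes them from one arbitrary row of each ip group.
df = pd.read_sql_query("SELECT mdate, ip, url, COUNT (*) FROM ZeusC2Tracker GROUP BY ip HAVING COUNT(*) > 1 ORDER BY COUNT(*) DESC", conn)
print(df)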
          mdate               ip  \
0    2013-05-22                    
1    15-05-2013  199.192.231.250   
2    15-06-2015     198.1.80.203   
3    21-11-2014  162.144.127.104   
4    25-09-2013     64.32.14.163   
5    22-04-2014     64.32.20.103   
6    14-07-2015   198.57.188.172   
7    28-08-2014    46.149.111.10   
8    2015-12-10    198.105.221.5   
9    31-10-2014  162.144.120.105   
10   23-07-2014   162.144.94.245   
11   29-06-2015    176.119.28.73   
12   2015-09-13    122.155.3.150   
13   04-10-2014    194.201.253.5   
14   23-03-2014  204.188.238.141   
15   04-05-2013  205.251.133.130   
16   21-05-2014     64.31.43.138   
17   11-05-2014   186.202.127.48   
18   19-10-2014    194.201.253.2   
19   2015-02-01   195.16.127.102   
20   19-11-2013    198.176.28.49   
21   27-10-2013  205.251.135.234   
22   2015-10-22   209.200.232.14   
23   09-06-2014    95.173.183.91   
24   01-08-2014   141.105.68.108   
25   12-11-2014     167.160.46.7   
26   11-07-2013  207.210.103.242   
27   04-10-2014    91.236.74.162   
28   27-09-2014   94.242.205.226   
29   01-06-2014    103.28.15.136   
..          ...              ...   
261  18-09-2013    67.205.74.119   
262  30-11-2014    67.228.98.175   
263  19-05-2014    69.167.162.69   
264  2014-06-28   69.194.235.103   
265  27-04-2014     69.27.107.94   
266  17-08-2012    69.28.199.110   
267  02-11-2015     69.28.199.60   
268  2015-12-12      69.4.233.96   
269  28-11-2014     69.64.61.199   
270  26-12-2013     72.9.108.202   
271  04-11-2012     74.81.82.234   
272  2014-07-17    77.55.125.205   
273  19-09-2014   81.196.156.218   
274  13-05-2014      81.88.48.95   
275  2015-12-12      83.98.177.7   
276  15-05-2014    85.95.238.136   
277  04-07-2014   87.247.179.190   
278  2015-08-10     87.98.146.77   
279  24-09-2015   89.233.106.130   
280  11-03-2014   89.248.161.233   
281  20-08-2014   91.197.129.190   
282  14-07-2014    91.223.82.107   
283  30-05-2014    91.223.82.188   
284  27-10-2014     91.223.82.85   
285  25-09-2014    91.236.74.183   
286  08-07-2014     92.240.69.54   
287  29-07-2014      93.190.95.7   
288  14-03-2014     94.102.48.94   
289  01-08-2014   95.173.183.232   
290  12-09-2013      98.130.96.2   

                                                   url  COUNT (*)  
0                                        199.7.234.100        509  
1     os.qintec.sk/images/stories/rolex/cp.php?m=login         26  
2                       kendra.fr/panel/cp.php?m=login         21  
3      ganhedwakar.tk/giveittome/getoff/cp.php?m=login         16  
4                 kingroygold.in/server/cp.php?m=login         15  
5                            sp4m.ru/11/cp.php?m=login         15  
6                      festusca.in/maha/cp.php?m=login         14  
7    zxjfcvfvhqfqsrpz.onion/~lemore/log-needed-asap...         14  
8                                       phoenixtsi.com         13  
9                  muazymaur.tk/maurice/cp.php?m=login         12  
10   obinnaeku.biz/wordpress/wp-includes/js/crop/ob...         12  
11                  emailsclient.com/am/cp.php?m=login         11  
12                                     techjoe.cricket         10  
13   www.nacosti.go.ke/components/com_users/hhghg/c...          9  
14               nitenokliert.co.uk/sat/cp.php?m=login          9  
15   208.98.18.41/zoey/index/kop/uyi/rob/cp.php?m=l...          9  
16   kioskcantinhodaroca.com.br/wp-content/uploads/...          9  
17   herminiametzler.com.br/wp-content/themes/twent...          8  
18                  oakparkltd.com/user/cp.php?m=login          8  
19                              islenpiding.hotmail.ru          8  
20           r-sbonline.biz/images/task/cp.php?m=login          8  
21               urbinarojas.com/update/cp.php?m=login          8  
22                                        molowo.in.ua          8  
23                   buharasifa.com/san/cp.php?m=login          8  
24                   www.iut.sx/webstat/cp.php?m=login          7  
25   55566785677.com/new/test/metro/admin/1/cp.php?...          7  
26                  revrakdesign.ca/zcp/cp.php?m=login          7  
27                        danbeta.ru/g2/cp.php?m=login          7  
28    newbetrrsearve.co.uk/us/serverphp/cp.php?m=login          7  
29             dinamikamandiri.co.id/e7/cp.php?m=login          6  
..                                                 ...        ...  
261      autopartsgene.com/wp-admin/css/cp.php?m=login          2  
262                       malika.nu/css/cp.php?m=login          2  
263  electroingenieria.mx/images/culture/adminpanel...          2  
264                                         58.195.1.4          2  
265           it-support-calgary.ca/999/cp.php?m=login          2  
266                    95.65.107.94/web/cp.php?m=login          2  
267  cheshamfrench.co.uk/digits1/server/cp.php?m=login          2  
268                                       tekchuks.xyz          2  
269       pivetamaqfer.com.br/.htm/cp.php?letter=login          2  
270                      artskit.in/ven/cp.php?m=login          2  
271                   andyrog.net/vices/cp.php?m=login          2  
272                                        joepussy.tk          2  
273                    trans-tech.ro/e7/cp.php?m=login          2  
274                    eyeofgod1.com/Zz/cp.php?m=login          2  
275                                           ijoe.xyz          2  
276  yilinmilletvekili.com/Blast/serverphp/cp.php?m...          2  
277          kasasmock.com/media/system/cp.php?m=login          2  
278                                      eresimgbo.com          2  
279                       eclpi.in/test/cp.php?m=login          2  
280              viaialater.eu/ekpe/school.php?m=login          2  
281        panorama-otel.ru/images/cp.php?letter=login          2  
282            taiyuean.com/logs/1/cp.php?letter=login          2  
283        foxmanwer.pw/new/logo/1/cp.php?letter=login          2  
284          vogel-no0t.com/sage/vip/admin.php?m=login          2  
285             oga-wale.com/robot/cp.php?letter=login          2  
286      erberge-open.com/Media/plugin2/cp.php?m=login          2  
287  panel7h.oxfrontal.com/aa/microupdate/madmin.ph...          2  
288       supleather.biz/admincpanel/admin.php?m=login          2  
289             pinglessmetin2.com/adam/cp.php?m=login          2  
290              www.kueshen.biz/benson/cp.php?m=login          2  

[291 rows x 4 columns]
In [18]:
# Alias the count and order by it unquoted; ORDER BY 'alias' sorts on a constant string and leaves the bars unordered.
df = pd.read_sql_query("SELECT mdate, ip, url, COUNT(*) AS num_of_SameIP_ZeusC2 FROM ZeusC2Tracker GROUP BY ip HAVING COUNT(*) > 1 ORDER BY num_of_SameIP_ZeusC2 DESC", conn)
py.iplot([Bar(x=df.ip, y=df.num_of_SameIP_ZeusC2)], filename='Number of Same IP ZeusC2')
Out[18]:
In [22]:
# All tracked URLs recorded for the busiest non-blank IP in the table above.
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%199.192.231.250%'", conn)
print(df)
         mdate               ip  \
0   07-10-2013  199.192.231.250   
1   03-10-2013  199.192.231.250   
2   03-10-2013  199.192.231.250   
3   03-10-2013  199.192.231.250   
4   26-09-2013  199.192.231.250   
5   25-09-2013  199.192.231.250   
6   18-09-2013  199.192.231.250   
7   11-09-2013  199.192.231.250   
8   10-09-2013  199.192.231.250   
9   27-08-2013  199.192.231.250   
10  26-08-2013  199.192.231.250   
11  26-08-2013  199.192.231.250   
12  20-08-2013  199.192.231.250   
13  10-08-2013  199.192.231.250   
14  04-07-2013  199.192.231.250   
15  04-07-2013  199.192.231.250   
16  02-07-2013  199.192.231.250   
17  23-06-2013  199.192.231.250   
18  23-06-2013  199.192.231.250   
19  23-06-2013  199.192.231.250   
20  20-06-2013  199.192.231.250   
21  09-06-2013  199.192.231.250   
22  08-06-2013  199.192.231.250   
23  01-06-2013  199.192.231.250   
24  31-05-2013  199.192.231.250   
25  15-05-2013  199.192.231.250   

                                                  url  
0             newcollins.co.uk/collins/cp.php?m=login  
1       www.imfssd.biz/images/_notes/e/cp.php?m=login  
2           r-sbonlin.co.uk/images/gps/cp.php?m=login  
3           createlognet.co.uk/collins/cp.php?m=login  
4              deborenttt.co.uk/chinko/cp.php?m=login  
5   atlantisexpressdelivery.co.uk/en/g/igw/cp.php?...  
6             calmonstarn.co.uk/roland/cp.php?m=login  
7    chogo16.com/.httaccess/.error_log/cp.php?m=login  
8         fujiconstruction.com.vn/acce/cp.php?m=login  
9   guilde-bleed.fr/images/site/gallery/set/files/...  
10  clasek.de/wp-content/themes/upload/cp.php?m=login  
11                       59.157.4.2/~a/cp.php?m=login  
12             www.mida12.com.br/files/cp.php?m=login  
13                 yamleg.fu8.com/acho/cp.php?m=login  
14                      jhl.com.pe/cuz/cp.php?m=login  
15                 tonytwalib.net/kalu/cp.php?m=login  
16      secmontemilion.com/gJHFTfuyf==/cp.php?m=login  
17  plymouthcoaches.co.uk/libraries/joomla/applica...  
18                  bte-online.org/ron/cp.php?m=login  
19                 bte-online.org/demo/cp.php?m=login  
20                 elenalana.com/tv/js/cp.php?m=login  
21          llgames.com.br/.tmp/server/cp.php?m=login  
22   207.45.176.90/~jhzceecm/myway2013/cp.php?m=login  
23  www.sirimarka.com/wp-content/server/cp.php?m=l...  
24             tr.childrenstorybook.eu/cp.php?m=login  
25   os.qintec.sk/images/stories/rolex/cp.php?m=login  
In [23]:
# All tracked URLs recorded for the second-busiest IP.
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%198.1.80.203%'", conn)
print(df)
         mdate            ip                                               url
0   06-07-2015  198.1.80.203       whiteandomke.in/html/30/cp.php?letter=login
1   06-07-2015  198.1.80.203                     rnedek.at/2010/cp.php?m=login
2   06-07-2015  198.1.80.203                 boyzkwete.in/kwete/cp.php?m=login
3   06-07-2015  198.1.80.203                 bill-bones.com/web/cp.php?m=login
4   06-07-2015  198.1.80.203       bossmoney.xyz/everythingnice/cp.php?m=login
5   06-07-2015  198.1.80.203               vicenttours.com/html/cp.php?m=login
6   06-07-2015  198.1.80.203                andrewjohns.in/html/cp.php?m=login
7   06-07-2015  198.1.80.203                  godassist.in/html/cp.php?m=login
8   06-07-2015  198.1.80.203                asonitsoft.com/html/cp.php?m=login
9   06-07-2015  198.1.80.203             thyssenkrrupp.com/html/cp.php?m=login
10  06-07-2015  198.1.80.203               tetraservcie.in/html/cp.php?m=login
11  06-07-2015  198.1.80.203     www.pimpword.in/june/July/cp.php?letter=login
12  06-07-2015  198.1.80.203                 urchilaa.com/Aryas/cp.php?m=login
13  06-07-2015  198.1.80.203     mytonnymaxltd.net/images/melor/cp.php?m=login
14  06-07-2015  198.1.80.203              kendra.fr/walex/files/cp.php?m=login
15  06-07-2015  198.1.80.203              maxthingo.in/symboss2/cp.php?m=login
16  01-07-2015  198.1.80.203                   boyzkwete.in/car/cp.php?m=login
17  29-06-2015  198.1.80.203  www.philipshotels.in/wordpress/AP/cp.php?m=login
18  29-06-2015  198.1.80.203         www.bigdaddygroup.in/nebro/cp.php?m=login
19  25-06-2015  198.1.80.203              dontknnowbuzz.in/html/cp.php?m=login
20  15-06-2015  198.1.80.203                    kendra.fr/panel/cp.php?m=login
In [24]:
# All tracked URLs recorded for the third-busiest IP.
df = pd.read_sql_query("SELECT mdate, ip, url FROM ZeusC2Tracker WHERE ip LIKE '%162.144.127.104%'", conn)
print(df)
         mdate               ip  \
0   03-01-2015  162.144.127.104   
1   03-01-2015  162.144.127.104   
2   22-12-2014  162.144.127.104   
3   19-12-2014  162.144.127.104   
4   19-12-2014  162.144.127.104   
5   19-12-2014  162.144.127.104   
6   19-12-2014  162.144.127.104   
7   19-12-2014  162.144.127.104   
8   19-12-2014  162.144.127.104   
9   12-12-2014  162.144.127.104   
10  09-12-2014  162.144.127.104   
11  03-12-2014  162.144.127.104   
12  01-12-2014  162.144.127.104   
13  01-12-2014  162.144.127.104   
14  21-11-2014  162.144.127.104   
15  21-11-2014  162.144.127.104   

                                                  url  
0         goodwellbeard.in/images/boy2/cp.php?m=login  
1   goodluckfromgod.org/goodluck/Severphp/cp.php?l...  
2        mybbtradeshos.in/html/30/cp.php?letter=login  
3                      vioss.in/server/cp.php?m=login  
4        planstrazwes.biz/html/30/cp.php?letter=login  
5             orientexpcs.org/panel/admin.php?m=login  
6             mytoolstrade.biz/30/cp.php?letter=login  
7     masertrades.biz/webindex/30/cp.php?letter=login  
8         cossytrade.biz/index/30/cp.php?letter=login  
9    demlogz2014.co.in/joey/PANEL/cp.php?letter=login  
10          dumplog.biz/font/serverphp/cp.php?m=login  
11  www.10-star-service.tk/funguy/cp.php?letter=login  
12         kfc-online.tk/dondigit/cp.php?letter=login  
13    ikpeego.biz/wp-includes/fonts/kc/cp.php?m=login  
14       eurobikesbmw.tk/adminpanel/admin.php?m=login  
15    ganhedwakar.tk/giveittome/getoff/cp.php?m=login  
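The shared-IP output above has two data-quality traps: the top bucket (509 rows) is the blank `ip` value, and `mdate` mixes `YYYY-MM-DD` with `DD-MM-YYYY`, so string `MIN`/`MAX` do not give first and last sightings. The following is an added example, not part of the original notebook, that pivots on IP with both handled; the rows are copied from the outputs above except one constructed blank-IP row, and `iso_date`, `url_host`, `open_db`, `naive_shared_ips` and `shared_ips` are hypothetical names.

```python
import sqlite3
from datetime import datetime

# (mdate, ip, url) rows copied from the outputs above; the last row is
# constructed so that the blank-IP bucket holds more than one entry.
SAMPLE_ROWS = [
    ("15-06-2015", "198.1.80.203", "kendra.fr/panel/cp.php?m=login"),
    ("25-06-2015", "198.1.80.203", "dontknnowbuzz.in/html/cp.php?m=login"),
    ("01-07-2015", "198.1.80.203", "boyzkwete.in/car/cp.php?m=login"),
    ("06-07-2015", "198.1.80.203", "boyzkwete.in/kwete/cp.php?m=login"),
    ("06-07-2015", "198.1.80.203", "kendra.fr/walex/files/cp.php?m=login"),
    ("15-05-2013", "199.192.231.250",
     "os.qintec.sk/images/stories/rolex/cp.php?m=login"),
    ("23-06-2013", "199.192.231.250", "bte-online.org/ron/cp.php?m=login"),
    ("23-06-2013", "199.192.231.250", "bte-online.org/demo/cp.php?m=login"),
    ("07-10-2013", "199.192.231.250",
     "newcollins.co.uk/collins/cp.php?m=login"),
    ("2015-12-10", "198.105.221.5", "phoenixtsi.com"),
    ("2013-05-22", "", "199.7.234.100"),
    ("2014-01-01", "", "blank-ip.example/cp.php?m=login"),  # constructed
]


def iso_date(value):
    """Normalise the two date layouts seen in mdate to ISO 8601, else None.

    Assumption: a date that does not start with the year is DD-MM-YYYY,
    the only reading that fits values such as 15-05-2013.
    """
    for layout in ("%Y-%m-%d", "%d-%m-%Y"):
        try:
            return datetime.strptime((value or "").strip(), layout).date().isoformat()
        except ValueError:
            continue
    return None


def url_host(url):
    """Host part of a scheme-less tracker URL."""
    return (url or "").split("/", 1)[0].lower()


def open_db(rows):
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ZeusC2Tracker (mdate TEXT, ip TEXT, url TEXT)")
    conn.executemany("INSERT INTO ZeusC2Tracker VALUES (?, ?, ?)", rows)
    conn.create_function("iso_date", 1, iso_date)
    conn.create_function("url_host", 1, url_host)
    return conn


def naive_shared_ips(conn):
    """Group on the raw columns: blank IPs form a bucket, dates sort as text."""
    return conn.execute(
        "SELECT ip, COUNT(*) AS n, MIN(mdate), MAX(mdate) FROM ZeusC2Tracker "
        "GROUP BY ip HAVING n > 1 ORDER BY n DESC, ip").fetchall()


def shared_ips(conn):
    """Per IP: panel URLs, distinct hosts, first and last sighting."""
    return conn.execute(
        "SELECT ip, COUNT(*) AS panels, "
        "       COUNT(DISTINCT url_host(url)) AS hosts, "
        "       MIN(iso_date(mdate)) AS first_seen, "
        "       MAX(iso_date(mdate)) AS last_seen "
        "FROM ZeusC2Tracker WHERE TRIM(ip) <> '' "
        "GROUP BY ip HAVING panels > 1 ORDER BY panels DESC, ip").fetchall()


if __name__ == "__main__":
    db = open_db(SAMPLE_ROWS)
    print("raw grouping:")
    for row in naive_shared_ips(db):
        print("  ", row)
    print("normalised grouping:")
    for row in shared_ips(db):
        print("  ", row)
```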
Downloadable files:
*zeuscybercrimetrackerloader.py (py, 2 kb)
*zeushostnameconverter.py (py, 0 kb)
*geoload.py (py, 1 kb)
*where.html (html, 1 kb)
*geodump.py (py, 1 kb)
