Server: 37.235.49.168
Port: 443
Channel: #test5
Channel password: :godlol
Topic for #test5 is: hacked by team whitehats
Topic for #test5 set by Sabu at Tue Apr 23 15:14:29 2013
Example bot nick: zwin-JJNEXJ|1952|
Opers:
[Sabu] (ryan@dildos): ryan
[Sabu] @#test5 @#opers @##fuckstamp #chats
[Sabu] irc1.molten-wow.com :mw_customer_ircd
[Sabu] is a Network Administrator
[Sabu] is available for help.
[Sabu] sysop
[Sabu] idle 16:59:16, signon: Tue Apr 23 08:50:34
[Sabu] End of WHOIS list.
[tflow] (hey@dildos): hhh
[tflow] #whatever @#ddd @#chats @#test5 @#opers
[tflow] irc1.molten-wow.com :mw_customer_ircd
[tflow] is a Network Administrator
[tflow] is available for help.
[tflow] is using a Secure Connection
[tflow] sysop
[tflow] idle 17:41:00, signon: Tue Apr 23 08:45:57
[tflow] End of WHOIS list.
Domains used for this ip in the past: fkn.ddos.cat
Hosting infos: http://whois.domaintools.com/37.235.49.168
Anonymous - April 25, 2013 at 1:16 am
looks to be a variant / update of the "zodiac" bot joe giron blogged about here:
http://www.gironsec.com/blog/2013/03/reversing-a-botnet/
we have 4 distinct samples hitting the fkn.ddos.cat site, none hitting the new one
Pig - October 8, 2013 at 10:54 pm
interessing post about this bot here: http://ri0t-control.blogspot.be/2013/10/zodiac-v010-part-ii.html