Resolved milfsdeasing.com to 192.102.6.130
Server: milfsdeasing.com
Gate file: /par/bfg.php
The bot is currently attacking a few websites related to stock and financial regulation.
POST /par/bfg.php HTTP/1.1
Host: milfsdeasing.com
User-Agent: PARADISE
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 10

status=get

HTTP/1.1 200 OK
Date: Thu, 12 Sep 2013 00:25:55 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 1484
Connection: close
Content-Type: text/html

clever=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
clever=http://www.boiler-rooms.org/waytung-global/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/waytung-global/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/waytung-global/|$4$0$1$0$|
clever=http://www.boiler-rooms.org/keizai-group/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/keizai-group/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/keizai-group/|$4$0$1$0$|
clever=http://www.boiler-rooms.org/smo-fitzgerald-global/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/smo-fitzgerald-global/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/smo-fitzgerald-global/|$4$0$1$0$|
clever=http://www.boiler-rooms.org/kyodo-securities/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/kyodo-securities/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/kyodo-securities/|$4$0$1$0$|
clever=http://reportfraudsonline.com/tokushima-worldwide/|$4$0$0$0$|
paradise=http://reportfraudsonline.com/tokushima-worldwide/|$4$0$0$0$|
clever=http://reportfraudsonline.com/gmo-global/|$4$0$0$0$|
paradise=http://reportfraudsonline.com/gmo-global/|$4$0$0$0$|
clever=http://www.mpllc.com/fraud-alerts|$5$0$1$0$|
slowpost=http://www.mpllc.com/fraud-alerts|$5$0$0$0$|
paradise=http://www.mpllc.com/fraud-alerts|$5$0$0$0$|
download=http://www.mpllc.com/fraud-alerts|$10$0$1$0$|
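To turn a capture like the one above into something a defender can act on (victim notification, blocklists, a sandbox signature for the check-in), here is an added Python parser that is not part of the original post. It reads the `<attack_type>=<url>|$n$n$n$n$|` task lines out of a Paradise C2 response and flags the check-in shape; the post does not document what the four numeric fields mean, so the parser keeps them as plain integers rather than naming them, and the sample body is a constructed excerpt of the captured response.

```python
import re
from urllib.parse import urlparse

# Constructed sample: a short excerpt of the captured C2 response body above.
SAMPLE_RESPONSE = """clever=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
clever=http://reportfraudsonline.com/gmo-global/|$4$0$0$0$|
download=http://www.mpllc.com/fraud-alerts|$10$0$1$0$|
"""

# One task line: <attack_type>=<target_url>|$n$n$n$n$|
# The post does not document the numeric fields, so they stay an opaque tuple of ints.
COMMAND_RE = re.compile(r"^(?P<kind>\w+)=(?P<url>\S+?)\|\$(?P<params>(?:\d+\$)+)\|$")


def parse_commands(body: str) -> list:
    """Turn a Paradise C2 response body into a list of structured task records."""
    tasks = []
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COMMAND_RE.match(line)
        if not m:
            # Surface anything outside the known shape instead of silently dropping it.
            tasks.append({"kind": "unparsed", "raw": line})
            continue
        params = tuple(int(p) for p in m["params"].rstrip("$").split("$"))
        tasks.append({"kind": m["kind"], "url": m["url"], "params": params})
    return tasks


def target_hosts(tasks) -> list:
    """Unique victim hostnames: the indicator to notify site owners or feed a watchlist."""
    return sorted({urlparse(t["url"]).hostname for t in tasks if "url" in t})


def is_paradise_checkin(method: str, headers: dict, body: str) -> bool:
    """Match the bot check-in as captured above: POST, User-Agent 'PARADISE', body 'status=get'."""
    lowered = {k.lower(): v for k, v in headers.items()}
    return method == "POST" and lowered.get("user-agent") == "PARADISE" and body.strip() == "status=get"


if __name__ == "__main__":
    for task in parse_commands(SAMPLE_RESPONSE):
        print(task)
    print("victim hosts:", target_hosts(parse_commands(SAMPLE_RESPONSE)))
```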
This is the second time I’ve seen a paradise botnet attacking anti-fraud resources.
Hosting info: http://whois.domaintools.com/192.102.6.130
Related MD5s (search on malwr.com to download samples)
Paradise bot:
2c8d020cc977e65079ee0437891b8e09