milfsdeasing.com (paradise ddos bot hosted by zevshost.net)

Resolved milfsdeasing.com to 192.102.6.130

Server:  milfsdeasing.com
Gate file:  /par/bfg.php

The bot is currently attacking a few websites related to stock and financial regulation.

POST /par/bfg.php HTTP/1.1
Host: milfsdeasing.com
User-Agent: PARADISE
Content-Type: application/x-www-form-urlencoded
Connection: close
Content-Length: 10

status=get

HTTP/1.1 200 OK
Date: Thu, 12 Sep 2013 00:25:55 GMT
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Vary: Accept-Encoding
Content-Length: 1484
Connection: close
Content-Type: text/html

clever=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/tokushima-worldwide/|$4$0$1$0$|
clever=http://www.boiler-rooms.org/waytung-global/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/waytung-global/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/waytung-global/|$4$0$1$0$|
clever=http://www.boiler-rooms.org/keizai-group/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/keizai-group/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/keizai-group/|$4$0$1$0$|
clever=http://www.boiler-rooms.org/smo-fitzgerald-global/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/smo-fitzgerald-global/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/smo-fitzgerald-global/|$4$0$1$0$|
clever=http://www.boiler-rooms.org/kyodo-securities/|$4$0$1$0$|
slowpost=http://www.boiler-rooms.org/kyodo-securities/|$4$0$1$0$|
paradise=http://www.boiler-rooms.org/kyodo-securities/|$4$0$1$0$|
clever=http://reportfraudsonline.com/tokushima-worldwide/|$4$0$0$0$|
paradise=http://reportfraudsonline.com/tokushima-worldwide/|$4$0$0$0$|
clever=http://reportfraudsonline.com/gmo-global/|$4$0$0$0$|
paradise=http://reportfraudsonline.com/gmo-global/|$4$0$0$0$|
clever=http://www.mpllc.com/fraud-alerts|$5$0$1$0$|
slowpost=http://www.mpllc.com/fraud-alerts|$5$0$0$0$|
paradise=http://www.mpllc.com/fraud-alerts|$5$0$0$0$|
download=http://www.mpllc.com/fraud-alerts|$10$0$1$0$|

This is the second time I’ve seen a paradise botnet attacking anti-fraud resources.
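
An added example (not from the original post and not the bot's own code): Python that flags the check-in shown above by its `User-Agent: PARADISE` header and `status=get` body, and parses the `command=url|$n$n$n$n$|` task lines into a per-target list. Function names, the gate path and the sample data are constructed; the four numeric fields are kept as opaque values because the post does not explain them.

```python
import re
from collections import defaultdict

# Task line layout as seen in the captured response: <command>=<url>|$n$n$n$n$|
# The numeric fields are not explained on the page, so they stay opaque integers.
TASK_RE = re.compile(r"^(?P<cmd>[a-z]+)=(?P<url>[^|\s]+)\|\$(?P<params>\d+(?:\$\d+)*)\$\|$")


def is_checkin(raw_request: str) -> bool:
    """True if a raw HTTP request matches the bot check-in shown above."""
    head, _, body = raw_request.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return (lines[0].startswith("POST ")
            and headers.get("user-agent") == "PARADISE"
            and body.strip() == "status=get")


def parse_tasks(response_body: str):
    """Return ({url: [(command, params), ...]}, [lines that did not parse])."""
    targets, rejected = defaultdict(list), []
    for line in response_body.splitlines():
        line = line.strip()
        if not line:
            continue
        m = TASK_RE.match(line)
        if m:
            params = tuple(int(p) for p in m["params"].split("$"))
            targets[m["url"]].append((m["cmd"], params))
        else:
            rejected.append(line)
    return dict(targets), rejected


# Constructed sample data (example.org is a placeholder, not a real host).
SAMPLE_REQUEST = ("POST /gate.php HTTP/1.1\r\nHost: c2.example.org\r\n"
                  "User-Agent: PARADISE\r\nContent-Length: 10\r\n\r\nstatus=get")
SAMPLE_BODY = ("clever=http://www.example.org/a/|$4$0$1$0$|\n"
               "slowpost=http://www.example.org/a/|$4$0$1$0$|\n"
               "download=http://www.example.org/b|$10$0$1$0$|\n"
               "<html>error</html>\n")

if __name__ == "__main__":
    print("check-in:", is_checkin(SAMPLE_REQUEST))
    print(parse_tasks(SAMPLE_BODY))
```

Grouping by URL makes it easy to see which sites are listed and which commands are aimed at each; lines that do not fit the layout are returned separately instead of being dropped.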

Hosting info: http://whois.domaintools.com/192.102.6.130

Related MD5s (search on malwr.com to download samples):
Paradise bot:
2c8d020cc977e65079ee0437891b8e09
