IP Address Inspector

R.Heiner2 commented...

Referer + URL: /wp-content/plugins/wp-homepage-slideshow/readme.txt

UA: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/42.0.2311.152 Safari/537.36

Hostname: http://frasen.greunt.com
ASN: AS23033 Wowrack.com
ISP: Wowrack.com
Provider: WorldLink
Region: Seattle (US)

Server: Microsoft-IIS/8.5

Proxy Type: DCH

Listed spam.spamrats.com
Listed cbl.abuseat.org

remote Desktop

DNS Server = 192.5.6.30

Traceroute via IP 38.122.91.186 to Host be101.ccr41.ord03.atlas.cogentco.com = Cogent Communications
AS Number AS174 Cogent Communications - PSINet, Inc. (PSI-2)

CBL listed in Spamhaus: IP Address (209.90.225.116) is infected with or NATting for a computer infected by the Gozi botnet. Gozi is also known as Ursnif, Snifula and Papras.

GOZI is spyware that monitors network traffic.

This was detected by a TCP connection from "209.90.225.116" on port "63448" going to IP address "87.106.18.141" (the sinkhole) on port "80".

C&C name/Domain = feredei.com

IP 87.106.18.141 = ISP 1&1 Internet AG - Traceroute via Backbone Server to Host ae-10.r07.chcgil09.us.bb.gin.ntt.net = ISP NTT America

Website: feredei.com
Owner Country : Russian Federation
Website Location : Germany
Server: Hosting Service: 1&1 Internet AG
Registrar: 1&1 IONOS SE
Nameserver 31 IP: 87.106.190.165
Target : ns2.torpig-sinkhole.org
Country: Germany
December 11 2018 09:34 AM

R.S.6 commented...

Looking for vulnerability: /wp-content/plugins/wp-homepage-slideshow/readme.txt
I don't even use this.
December 11 2018 08:26 AM