IP Address Inspector

R.Heiner2 commented...

IP/Host shown: 37-115-184-19.broadband.kyivstar.net

1. URL.:/cms/wp-includes/wlwmanifest.xml
2. URL: /site/wp-includes/wlwmanifest.xml
3. URL: /wp/wp-includes/wlwmanifest.xml
4. URL: /wordpress/wp-includes/wlwmanifest.xml
5. URL: /blog/wp-includes/wlwmanifest.xml
6. URL: empty
7. URL: /xmlrpc.php?rsd
8. URL: /wp-includes/wlwmanifest.xml
9. URL: empty

UA: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36

ASN: AS15895 "Kyivstar" PJSC
ISP: Kyivstar GSM

port open: remote Desktop

DNS Server = 192.5.6.30

CBL listed in Spamhaus: This IP address is infected with, or is NATting for a machine infected with the "nymaim" malicious botnet. "nymaim" is also known as "Gamarue".

This was detected by a TCP connection from "37.115.184.19" on port "n/a" going to IP address "216.218.185.162" (the sinkhole) on port "80".

The botnet command and control domain for this connection was "mdlxl.com".

IP 216.218.185.162 =ISP Hurricane Electric(Backbone Server) - Traceroute to Host 100ge3-1.core1.sjc2.he.net - ISP Hurricane Electric San Jose via shadow server

Website: mdlxl.com
Website Location : United States
Probable website origin : 70% Germany 30% United States
IP Address: 216.218.185.162 United States
Hosting Service: Hurricane Electric
Hosting City: Ukiah
Hosting Region: CA
Hosting Postal: 95482
Registrar: Alibaba Cloud Computing (Beijing) Co., Ltd.
Nameserver IP: 87.106.86.28
Target : sc-d.sinkhole.shadowserver.org
Country: United States
December 27 2018 04:47 PM

T.Jarvis commented...

Probes for: /blog/wp-includes/wlwmanifest.xml
/cms/wp-includes/wlwmanifest.xml
/site/wp-includes/wlwmanifest.xml
/wordpress/wp-includes/wlwmanifest.xml
/wp-includes/wlwmanifest.xml
/wp/wp-includes/wlwmanifest.xml
/xmlrpc.php?rsd
Agent: "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"
December 14 2018 07:47 PM