Results of Lookup
154.0.168.251 is listed
This IP address was detected and listed 43 times in the past 28 days, and 8 times in the past 24 hours. The most recent detection was at Tue Apr 17 02:15:00 2018 UTC +/- 5 minutes
This IP address was self-removed 2 times in the past week.
This IP is infected (or NATting for a computer that is infected) with a botnet, most likely eitest.
This IP address is infected with or NATing for an infection of "Eitest". This IP address is probably a web server where one or more virtual hosts have been infected using an exploit kit (eg: angler, empire, RIG) using EItest protocols to download, install and operate malicious code, such as gootkit, dreambot, ramnit, vawtrak, cryptXXX - infostealers, ransomware etc. See the reference links for more details.
Note: As this is a web server compromise, only web administrators will be able to find and fix the infection. If this web site is a virtually hosted web site, please contact your administrators with this information.
For more information on this botnet, and mitigation strategies, please see:
EITest Description and analysis.
Malwarebytes Description and analysis
Securi - how to scan and clean websites
This was detected by observing this IP attempting to make contact to a "eitest" Command and Control server, with contents unique to "eitest" C&C command protocols.
This was detected by a TCP connection from "154.0.168.251" on port "47600" going to IP address "192.42.119.41" (the sinkhole) on port "80".
The botnet command and control domain for this connection was "c84c8098.com".
This detection corresponds to a connection at Tue Apr 17 02:18:44 2018 UTC (this timestamp is believed accurate to within one second).
