IP 18.104.22.168, an IP that belongs to Vrtservers.net, has been very active lately. The machine has been compromised twice in 30 days and does a multitude of scans. Last month I reported this IP to isc.sans.org and the machine was eventually taken offline (after waiting over two weeks). I reported it again this weekend when I noticed the IP was scanning against port 80 on my public server.
I've attempted to do some digging via Google but have found nothing solid, other than finding people's web stats highlighting this IP. This post's intention is to let people know that this IP has a history of being compromised.
Putting the IP into web-sniffer.net shows the following:
**I'll capture a screenshot when I can, as the Blogger console attempts to render the data as HTML**
That's not good. Using Links (a text-based browser that is good to use
when you're afraid to visit a webpage with IE or Firefox), the .txt files
appear to be IPs that are being harvested for further exploitation.
I'm thinking of reporting this IP to the US-CERT, since SANS isn't being