See: https://urlquery.net/report/7ae1f0f2-b3c7-491b-ac49-60d02687a91b
Phishing via cms/index.php Moved temporarily
/root/style/layout.css
/root/style/patches/patch_layout.css
website.php?id=/de/index.htm → https://aw-snap.info/file-viewer/?protocol=not-secure&tgt=www.inspectomation.de&ref_sel=GSP2&ua_sel=ff&fs=1
domain found on a ransomeware tracker flagged IP address: https://ransomwaretracker.abuse.ch/ip/83.169.22.79/
which was spreading Locky. Confirmed & listed: -http://vxvault.net/ViriList.php?IP=83.169.22.79
(Do not click on something in this link (I broke) as it can be dangerous).
P.S. These can easily be found: ##website.php?id=/de/index.htm text/html sid=10209qXXXXXXXdhtvdjajafpp6; path=/cms/website.php
& ##website.php?id=/en/index.htm text/html sid=hinicdfp6js2XXXXXXXmiv6kp4; path=/cms/website.php
abuse at -mx01.lembke-it-service.de with risk rating 1: https://toolbar.netcraft.com/site_report?url=http://mx01.lembke-it-service.de
polonus (volunteer website security analyst and website error-hunter)