Should IP link be blocked? - links to unwanted adware detected.

Re: http://urlquery.net/report.php?id=1492873616505 (with malware and also blacklisted).
On IP various domains with malware reported: https://cymon.io/5.149.255.113
See also this tool: https://totalhash.cymru.com/network/?ip:5.149.255.113/1460
Three to flag domain: https://www.virustotal.com/pl/url/e8410caab1d637cd9c671d9a15c25650a44263f09212abfb4452fbd4b43c24cc/analysis/1492875989/
According to Google Safebrowsing domain is unwanted: https://www.google.com/transparencyreport/safebrowsing/diagnostic/index.html#url=indissoluble.arease.ru

Outdated Web Server Nginx Found: nginx/1.4.2

Threat Name: Adware.Gen
Location: htxp://www.filenow.ru/vs/Voice_Changer_7.0.43_Diamond_Retail.rar

Threat Name: Direct Link To Adware.Gen
Location: htxp://indissoluble.arease.ru/QDXBkVVwxH etc. etc.

Insecurity: https://observatory.mozilla.org/analyze.html?host=indissoluble.arease.ru

Warning: WARNING: Found stealth name servers:
-ns1.installmonster.ru.
-ns2.installmonster.ru. SPF & DMARC on redundant dedicated servers (risk rating 1/10).

Warning:
Excessive server info proliferation detected: The address you entered is unnecessarily exposing the following response headers which divulge its choice of web platform:

Server: nginx/1.4.2
X-Powered-By: PHP/5.4.17
Configuring the application to not return unnecessary headers keeps this information silent and makes it significantly more difficult to identify the underlying frameworks.

HTTP only cookies: Warning

Requested URL: htxp://www.indissoluble.arease.ru/trace.axd | Response URL: htxp://www.indissoluble.arease.ru/trace.axd | Page title: 404 Страница не найдена | HTTP status code: 404 (Not found) | Response size: 2,435 bytes | Duration: 100 ms
Overview
Cookies not flagged as “HttpOnly” may be read by client side script and are at risk of being interpreted by a cross site scripting (XSS) attack. Whilst there are times where a cookie set by the server may be legitimately read by client script, most times the “HttpOnly” flag is missing it is due to oversight rather than by design.

Result
It looks like a cookie is being set without the “HttpOnly” flag being set (name : value):

PHPSESSID : ge11cqtiaub3iscrsmios1vv05
Unless the cookie legitimately needs to be read by JavaScript on the client, the “HttpOnly” flag should always be set to ensure it cannot be read by the client and used in an XSS attack.

Warning Clickjacking warning. Websites are at risk of a clickjacking attack when they allow content to be embedded within a frame. An attacker may use this risk to invisibly load the target website into their own site and trick users into clicking on links which they never intended to. An “X-Frame-Options” header should be sent by the server to either deny framing of content, only allow it from the same origin or allow it from a trusted URIs.

Result
It doesn’t look like an X-Frame-Options header was returned from the server which means that this website could be at risk of a clickjacking attack. Add a header to explicitly describe the acceptable framing practices (if any) for this site.

polonus (volunteer website security analyst and website error-hunter)