Why does VT not flag this? Malcode taken down?

See: https://www.virustotal.com/gui/url/765b0b6c899548ea0487b896abee5c612461184d54f29fd16c5d98c3125265b2/details
Detections on IP relations: https://www.virustotal.com/gui/ip-address/51.89.7.30/relations
Fortinet’s detection: https://urlquery.net/report/c7ae0cb3-42b1-4e70-b364-2c826e9d077c (malware)

Now has hive.html been taken down? → https://sitecheck.sucuri.net/results/bitcoin-cash-generator.com/src/hive.html
https://aw-snap.info/file-viewer/?protocol=not-secure&ref_sel=GSP2&ua_sel=ff&chk-cache=&fs=1&tgt=Ylt0Xl1bbi1efHNoLWd7bnt9fHRdfS5eXW0%3D~enc
finding up: <iframe width=1 height=1 src=src/hive.html scrolling=no frameborder=0></iframe>

Content that was returned by your request for the URL: -http://bitcoin-cash-generator.com/src/hive.html

```html
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL was not found on this server.</p>
<p>Additionally, a 404 Not Found
error was encountered while trying to use an ErrorDocument to handle the request.</p>
</body></html>
```

polonus
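As an added defender-side illustration (not code from the thread or from any of the sites linked above), a small Python check that flags hidden iframes of the kind quoted above (the 1x1 src/hive.html include). The zero-width-character stripping step and the sample page are assumptions constructed for this example.

```python
"""Flag hidden <iframe> elements such as a 1x1 src/hive.html include."""
import re
from html.parser import HTMLParser

# Assumption: invisible code points may split a tag name when HTML is copied
# around (the listing above shows one inside "iframe"); strip them before parsing.
_ZERO_WIDTH = re.compile("[\u200b\u200c\u200d\u2060\ufeff]")


def _px(value):
    """Parse a width/height attribute ('1', '1px', ' 0 ') into an int, or None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class _IframeCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        w, h = _px(a.get("width")), _px(a.get("height"))
        if w is not None and h is not None and w <= 1 and h <= 1:
            reasons.append(f"tiny frame {w}x{h}")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        # Only noted as supporting evidence once the frame is already suspicious.
        if reasons and a.get("frameborder") == "0" and a.get("scrolling", "").lower() == "no":
            reasons.append("no border/scrollbars")
        if reasons:
            self.hits.append({"src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of {'src', 'reasons'} for every iframe that looks hidden."""
    p = _IframeCollector()
    p.feed(_ZERO_WIDTH.sub("", html))
    p.close()
    return p.hits


# Constructed sample page, modelled on the include reported in the thread.
SAMPLE = (
    "<html><body><h1>Bitcoin Cash Generator</h1>\n"
    "<if\u200brame width=1 height=1 src=src/hive.html scrolling=no frameborder=0></iframe>\n"
    '<iframe width="560" height="315" src="https://example.invalid/video"></iframe>\n'
    "</body></html>"
)

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE):
        print(hit["src"], "->", ", ".join(hit["reasons"]))
```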

XForce classified that IP has a botnet at one point. Detection was removed as of Sept 28, 2019 @ 8:48PM.

XFE >> https://exchange.xforce.ibmcloud.com/ip/51.89.7.30

@ Michael (alan1998),

Thanks for supporting that idea, the hive.html file has been removed.
So, does that mean that without this file the site is more secure now?

Client Pull, CGI, Perl & Gzip technology, see https://toolbar.netcraft.com/site_report?url=-s81.fastserver.club
1 red out of 10 netcraft risk rate.
Ransomware IP address: -51.89.7.30
ransomwaretracker.abuse.ch
Associated Ransomware Infrastructure. The table below shows all Ransomware infrastructure that is associated with the IP address -51.89.7.30.
-fapplepie - AbuseIPDB User Profile
www.abuseipdb.com
-51.89.7.30, 24 Sep 2019. 51.89.7.30 - - - [24/Sep/2019:08:25:19 +0000] “GET /wp -login.php HTTP/1.1” 404 162 “-” "Mozilla/5.0 … show more51.89.7.30 …
-drharrymorganssdsolution.com (Black Money Scam) - Stop 419 …
-www.stop419scams.com
Sep 19, 2019 … wXw.drharrymorganssdsolution.com. Scam Domain - Read Scam Websites 51.89.7.30. Domain Name: -DRHARRYMORGANSSDSOLUTION.
-puritygem.xyz - URLhaus
-urlhaus.abuse.ch
Aug 15, 2019 … Firstseen (UTC), IP address, Hostname, SBL, ASN, Country, Active? 2019-08-15 21:44:04, 51.89.7.30,
-s81.fastserver.club, Not listed, AS16276 …
-unboamefinancebk.com (Fake Bank Fraud Scam) - Stop 419 Scams …

Quite some malware launched from that IP address: https://www.virustotal.com/gui/ip-address/51.89.7.30/relations

```json
{
  "asn": "AS16276",
  "city": "",
  "country": "Germany",
  "country_code": "DE",
  "hostname": "s81.fastserver.club",
  "ip": "51.89.7.30",
  "latitude": 51.2993,
  "longitude": 9.491,
  "organization": "OVH SAS"
}
```

On that webserver Apache - Linux - unknown owner (PrivacyGuardian dot org shielded off):

OpenSSH 7.4 (protocol 2.0) fingerprint-strings: | FourOhFourRequest, HTTPOptions: Server: imunify360-webshield/1.7 protection, that can be closed through this malware, read: https://otx.alienvault.com/indicator/ip/94.73.151.100
Closed on Linux server: 443 header:
HTTP/1.1 200 OK
Date: Wed, 10 Jul 2019 07:26:16 GMT
Content-Type: text/html
Connection: close
Server: imunify360-webshield/1.7
Expires: Wed, 10 Jul 2019 07:26:15 GMT
Cache-Control: no-cache

Interesting general details, isn’t it? :o

polonus (volunteer 3rd party cold recon website security analyst and website error-hunter)