A little while back, one of our web clients was hacked. I cleaned up but apparently missed a payload. I found a few connections from 18.104.22.168 which is actually in Ukraine but the domain is layershift.ru. I removed the payload but may bomb the site anyway.
The moral is "there is no moral".