5.199.167.219 (Citadel banking malware hosted by balticservers.com)

Gate file:  5.199.167.219/mode.php
Config droppers  (appear to be compromised sites)
shadowsfromlight.com/wp-content/upgrade/file.php
www.danainvestment.com/wp-content/upgrade/file.php
gregsmission.org/wp-content/upgrade/file.php
luna.pgnstudio.com/wp-content/upgrade/file.php

On gregsmission.org WP-Sentinel seems to have failed to stop the initial compromise, but is now preventing the dropper from functioning.

Sample is located here

http://whois.domaintools.com/5.199.167.219