1/43) Java exploit being distributed by 220.127.116.11 via injection attacks. One example is injected obfuscated code pointing to tualette.ce.ms/content/field.jar but there are probably lots of these. Currently only Sophos detects this as Exp/20100840-B.
Blocking all traffic to 18.104.22.168 is the quickest way to protect against this particular attack, it might be worth blocking 22.214.171.124/28 as in case this is a bad block.
The domains on 126.96.36.199 are a mix of crappy free domains, hijacked GoDaddy domains and a few others. I have identified the following sites, although I suspect there are many more: