74.54.82.222 - FP?

[daledoc1]

Hello:

Typed the following URL into my FF 3.6 browser: www.dallascityhall.com (have used this URL without issues for years - it's the main web portal for the City of Dallas).

Page did not load and got a blocked IP from MBAM Pro 1.44 for the following IP: 74.54.82.222.

Tried it on my other desktop and had the same results.

Just ran a quick scan, which was clean (as was scheduled scan at 05:00 this AM).

McAfee FW did not detect anything (and its overnight full scan was clean).

Browserdefender.com rates the site as safe.

Am about to scan with SuperAntispyware.

Thanks in advance,

daledoc1

[daledoc1]

Just called "311" (and waited FOREVER to get through).

Seems City of Dallas is "having problems with our online".

Although the operator was clueless about details, it seems they might have been hacked.

(Borne out by the fact that my email an hour ago to a City employee with whom I regularly exchange emails at the dallascityhall.com domain was returned with an inexplicable bounce message.)

Anyway, I'd be curious to learn about the IP range and any threats involved....

Thanks!

daledoc1

PS I guess I'll be paying my water bills by mail from now on.

[MysteryFCM]

The IP you reference is on a range with over 90 malicious sites at the last check (sadly, it's because of this that the entire range was blocked instead of just specific IP's).

[daledoc1]

Hmmm, that's SO WEIRD.

I'm not sure how to proceed.

But here is more follow-up info:

1) Several emails sent to folks I know at that domain *@dallascityhall.com in the past 2 days have bounced inexplicably (with a bounce message - "recipient address rejected").

2) However, my colleagues at work have sent emails to these same folks at the same email addresses with no bounce messages; not sure if they were received, as there has been no reply.

3) I have made no further attempts to browse to the www.dallascityhall.com website (too scared to try).

4) Scans of my computer with both MBAM Pro, SuperAS and my daily deep scan with McAfee are all clean.

5) McAfee FW has not detected anything, nor has MBAM Pro active protection.

6) I have not experienced anything that looks like browser hijacking/redirects or other strange behavior on either system.

The fact that the operator at Dallas City Hall yesterday confirmed they were having "problems" and the fact that it happened on 2 different computers (one of which had been powered off for days until I booted it to try the URL yesterday) suggest the problem is at their end.

Given the fact that they recently experienced problems with their online services (such as utility bill payment), does this suggest that they have been hacked?

But, do I need to do anything else here on either of the 2 computers that tried to access that URL yesterday?

For example, should I run HijackThis?

Can you please point me to detailed instructions about how to do this, especially running HJT in a Windows 7 (64-bit) environment?

Thanks much!

Ya'll are terrific!

daledoc1

[MysteryFCM]

In this particular instance, it's pretty safe to say the problem is their end, but if you'd like your machine to be checked, just to be safe, please refer to;

http://forums.malwarebytes.org/index.php?showtopic=9573

[daledoc1]

Well, the plot thickens.

It seems that someone at City Hall -- get this! -- overlooked paying the bill to renew their domain name.

So, they lost their rights to their domain name, which affected everything (website, email).

At least that's what they're saying.

They claim it has been resolved, but emails to my colleagues there are still bouncing.

I just got off the phone with someone who said he thinks "internal" emails from others within their department/domain are getting through, but not emails from outside domains/senders.

So, it's clearly not fixed.

I'm not enthusiastic about even attempting to navigate to the URL again until I know what's happening.

Anyway, what disturbs me is: why didn't I just get a "problem loading page" error or "page not found" error when I typed in the URL for the City Hall web site?

Why did I get a popup from MBAM Pro warning of a successful block of a malicious IP?

Does this suggest some sort of cyber security issue at their end that they are concealing, not a mere (hardly believable) "we forgot to pay the domain registration fee" problem?

Thanks!

daledoc1

PS Thanks for the cleaning link -- I'd skimmed it some time ago. Seems the process now starts with Defogger and GMER, not HJT?

I'll probably wait a while and rev up WinPatrol on one or both systems.

[MysteryFCM]

If they "lost" the domain due to their forgetting to renew it, then it's anyones guess as to what's going on at their end I'm afraid.

Malwarebytes AntiMalware' display of an IP being blocked on this range is coincidental, as it's nothing to do with the domain name in question (I'm not aware of any malicious content being present at dallascityhall.com and there certainly isn't any there at present (just checked it's source code)).

[daledoc1]

Thanks, Steven.

Their explanations seem more than a little hokey, if you ask me.

What was stranger still was that after getting the IP block popup from MBAM on 1 system, I booted up the other computer, typed in the same URL on my other system (also running MBAM Pro) and experienced the same exact issue, with the same bad IP range.

So, if it was a coincidence on the 1 computer, then I must have experienced 2 identical coincidences?

Well, who knows.

Something rotten in the state of Denmark (or the City of Dallas), to be sure.

Gonna steer clear for now.

Thanks for the help.

Will post back if anything relevant or noteworthy happens....

Cheers,

daledoc1