This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Wireshark hijacked?

0

I've been running Wireshark for relatively short (1-4 hrs) periods since downloading it several days ago to try to isolate some unauthorized activity on my Dell (in promiscuous mode). About an hour ago my firewall (Vipre) 'active connections' showed for the first time that Wireshark has established two outgoing connections through local ports 51201 and 51020, to 75.185.112.192 which appears to be the IP of Road Runner HoldCo LLC. Is this unusual, and do I need to set up a firewall rule for Wireshark?

Thanks!

papilio

asked 08 May '12, 14:43


papilio
1113
accept rate: 0%

edited 08 May '12, 15:28


One Answer:

1

1.) Did you download the Wireshark binary from the official site (www.wireshark.org)? Just to be sure, upload your version of the installation package AND (at least) wireshark.exe to virustotal.com.

2.) Create a SHA1 checksum (NOT MD5!) - search google for tools - and post the checksum, including the exact version of your Wireshark installation package here.

3.) How do you know it was Wireshark that opened the connections? Does your desktop firewall show wireshark.exe as the responsible process?

4.) What's the destination port (to 75.185.112.192) and what's in those packets (after all, you're running a sniffer ;-))

Regards
Kurt

answered 08 May '12, 22:08


Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 09 May '12, 11:34

Do you mean virustotal.com, not virtustotal.com? The latter is one of those strange, sometimes virus infected, search sites that comes up on misspelled URLs.

(09 May '12, 11:23) Ted

Obviously :-) I assumed that virustotal is common knowledge. Anyway, I fixed the spelling in my answer. Thanks!

(09 May '12, 11:33) Kurt Knochner ♦

Hi Kurt,

I downloaded the 1.67 x64 installer from http://www.wireshark.org/download.html. That file's SHA1 is da39a3ee5e6b4b0d3255bfef95601890afd80709 according to simple checksum.exe. I just now downloaded a new copy; its SHA1 is 10a34637ad661d98ba3344717656fcc76209c2f8 ... neither of these matches what is shown on the signatures page on wireshark.org.

I'll need to get a clean installation file from a secure source; virtually every program on my PC has been taken over by the bot/hacker. In fact my entire OS appears to have been virtualized.

That connection hasn't shown up again since that instance so I'm not able to provide the other info which you requested, and I'm afraid I hadn't checked the particulars when it showed up ... still very new to this and haven't yet any idea what to make of the packet data.

I'll send the files to virustotal.com and post the reply.

None of my scans (Vipre, Malwarebytes, Housecall, ESET and others) ever comes up with anything malicious unfortunately.

Thanks for your reply!

papilio

(11 May '12, 03:33) papilio

Sorry, but are you sure you have computed the correct hashes? I just downloaded the installer you mentioned from http://www.wireshark.org/download and the MD5 and SHA1 signatures match perfectly, specifically SHA1 being 70cdb6ee24bc9867d036da4bb91074cea1ecd467

(11 May '12, 03:46) Landi
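The checksum step Kurt recommends in his answer (compute the installer's SHA1 and compare it with the value published on the signatures page) is easy to script, and scripting it also catches a failure mode visible in this thread: the first hash papilio reports, da39a3ee5e6b4b0d3255bfef95601890afd80709, is the SHA-1 of zero bytes of input, which means the checksum tool hashed nothing at all rather than a tampered installer. The script below is an added example, not code from the thread or from the Wireshark project. It assumes the published signature list uses the common `sha1sum` layout (`<hex digest>  <filename>`); the sample file contents and file names in it are constructed for the demo.

```python
import hashlib
import os
import tempfile

# SHA-1 of empty input. A checksum tool that prints this did not read the
# installer at all (wrong path, unreadable or zero-length file), so the
# result says nothing about whether the download is genuine.
EMPTY_SHA1 = "da39a3ee5e6b4b0d3255bfef95601890afd80709"


def sha1_hex(data):
    """SHA-1 of an in-memory byte string, as lowercase hex."""
    return hashlib.sha1(data).hexdigest()


def sha1_of_file(path, chunk_size=1 << 20):
    """Stream a file through SHA-1 so a large installer never has to fit in RAM."""
    h = hashlib.sha1()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_signature_list(text):
    """Parse sha1sum-style lines ('<hex>  <filename>') into {filename: hex}.

    Blank lines and '#' comments are skipped; a leading '*' (binary-mode marker
    used by some tools) on the file name is dropped.  Assumed format, see lead-in.
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def classify(actual, expected):
    """Turn a computed digest and the published one into a verdict string."""
    if actual == EMPTY_SHA1:
        return "empty-input"      # tool hashed nothing; re-run, do not trust
    if expected is None:
        return "no-reference"     # file name not in the signature list
    return "match" if actual == expected.lower() else "MISMATCH"


def verify_bytes(name, data, signature_text):
    """Verify in-memory data against the signature list. Returns (name, digest, verdict)."""
    expected = parse_signature_list(signature_text).get(name)
    actual = sha1_hex(data)
    return name, actual, classify(actual, expected)


def verify_download(path, signature_text):
    """Verify a downloaded file on disk. Returns (basename, digest, verdict)."""
    name = os.path.basename(path)
    expected = parse_signature_list(signature_text).get(name)
    actual = sha1_of_file(path)
    return name, actual, classify(actual, expected)


if __name__ == "__main__":
    # Constructed demo: a fake "installer" and a signature list built from it,
    # plus a second entry whose digest has been altered to show a mismatch.
    good = b"constructed installer bytes, not a real Wireshark package\n"
    sigs = (
        "# constructed signature list\n"
        f"{sha1_hex(good)}  demo-installer-x64.exe\n"
        f"{'0' * 40}  demo-installer-tampered.exe\n"
    )
    with tempfile.TemporaryDirectory() as d:
        for fname, content in (("demo-installer-x64.exe", good),
                               ("demo-installer-tampered.exe", good),
                               ("demo-installer-empty.exe", b"")):
            p = os.path.join(d, fname)
            with open(p, "wb") as f:
                f.write(content)
            print("%-28s %s  %s" % verify_download(p, sigs))
```

Run it on a downloaded installer by pointing `verify_download` at the file and pasting the published digest line into `signature_text`. As the thread's later comments note, the verdict is only meaningful when the hashing tool and the machine it runs on are themselves trustworthy; a compromised host can lie about the digest just as easily as about anything else, so the comparison belongs on a clean machine.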

Sounds like your PC got owned. Maybe you should upload the binary to virustotal from a different PC, as you can't trust your system anymore. I also suggest scanning your PC with one of those "antivirus rescue CDs" (search google).

(11 May '12, 03:47) Kurt Knochner ♦

Landi, it's entirely possible that simple checksum.exe has been tampered with as well, but I'd not be surprised to find a newly downloaded Wireshark binary file already corrupt by the time I can send it to the checksum app.

Kurt, you're absolutely correct, nothing on my PC can be trusted any more ... not even the 'online' scans I suspect, as they always require downloads and communication over the web.

Thanks, I'll try the rescue CD!

(11 May '12, 03:55) papilio

Looks like you're probably correct as well about the futility of sending to virustotal.com from here ... the installation binary came up clean, and there was an 'Analysis Failed!' message returned when I (twice) sent wireshark.exe.

(11 May '12, 04:03) papilio

Update ... virustotal.com attempt #3, immediately after posting my previous reply, went through and shows wireshark.exe as clean (FWIW).

(11 May '12, 04:10) papilio

@papilio

I've converted all your "answers" to comments, as that's how this site works, please read the FAQ for more info.

(11 May '12, 04:24) grahamb ♦

Can you please upload your INSTALL package to http://depositfiles.com/ and post the download link here? I'm interested in analyzing your (possibly) modified package.

(11 May '12, 07:48) Kurt Knochner ♦