Detecting Unauthorised Application Communication via NetMon
Recently, at home and in the office, I’ve been on quite the NetMon kick. The reason why I’ve been spending a lot of time in the tool is because we recently updated our enterprise offering and rebooted our freemium offering.
Being the tech geek that I am, I jumped at the opportunity to use a product at home that I’ve previously only been able to use in the workplace. Honestly it’s pretty cool. I get increased visibility and enterprise quality monitoring at home all for the price tag of free. Yes free.
Wait… did I mention it’s free? Grab it here or at LogRhythm.com.
Okay, shameless product pitch over. Now let me tell you about one of the cool things that I discovered after setting it up.
My home deployment of NetMon consists of running a local VM and pushing all my local traffic through for analysis.
I periodically perform system checks and when I last looked the newest item on the list indicated communication, from my PC, using MySQL, out to the Internet.
Thankfully NetMon can decode the application and show what user was using the offending app. With that information I was quickly able to see that the outbound traffic was from a login I didn’t recognize.
Click images to enlarge
Who is this jfgoulet guy?! Let’s investigate and drill into the specific session to see the specific application talking to the internet
Here is what I found inside the flow:
To reconstruct the Pcap, I set up a capture rule for mysql traffic and reopened Lua Edit 2010.
Bingo! Packet capture (pcap) acquired.
I quickly saw that the IP jfgoulet was connecting to (http://220.127.116.11/). So off I went to the IP. I discovered that it was FreeMysql.Net.
At the login screen, I attempted to use the captured credentials, but unfortunately they no longer worked. Too bad—I could have had a lot more fun.
Understanding What or Who is on Your Network
Knowing what or who is on your network at work and at home is all too important. Most engineers and developers have a horde of tools and applications installed to do their job. It’s not very often we ask ourselves what these are doing and what they are connecting to.
In this case, a local application—LuaEdit— was logging to remote MySQL server without request or permission. Without further analysis I can’t be sure why, but I would suspect LuaEdit was trying to log usage statistics, or potentially check some kind of license key.
As a result of my discovery, I’m now using Lua for Windows, which is far better. I’d say that is a success.