A bit more on this, it does seem to be ThreatMetrix, LexisNexis' security service, as a script inclusion by "customers" of theirs. They list some other sites that seem to use this.

https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/

I still wonder what shenanigans illegitimate sites are using this for, since seemingly only Firefox seems to possess the security features and be capable of blocking it with uBlock Origin or the like.

-mb

On Mon, May 25, 2020 at 11:21 PM Michael Butash wrote:

> Far more interesting on that article breaking it down for sure.
>
> From what I gathered, it's a service Ebay uses, one owned by LexisNexis, dba ThreatMetrix. Sounds like they figured out how to use hacker techniques, and monetized it with some crafty sales folk to get into ebay, banks, others. This is a big market, not surprised this is common as it's been monetized by a somewhat sleazy company apparently. Funny that, LexisNexis being mostly a search engine data repo for lawyers, the sleaze continues.
>
> It didn't sound conclusive why it wasn't attacking linux. It didn't seem to trigger the port scans, per them, even when they spoofed their user agent as a windoze box. He concluded they were able to tell somehow it was linux, but not sure how. They only go hunting for sheep(le). I might try to reproduce.
>
> I tend to side with the fact they have a routine a la if windoze, probe/infect/whatever. If mac, probe/infect, whatever. If linux, who cares, it's probably ok. I found years ago M$ had something like this as an ingestion formula for Office365 that caused only linux web clients to suck/crash/just do bad things. It was technically chalked up as a "bug" and fixed (causing office365 to finally actually work under linux), but we all know better than that. Not surprised people do this for various user agents and other meta recognition methods to *influence* behavior.
>
> It's that 1% linux desktop user thing, but hey, I'll hang out here and watch the carnage they invoke upon Windows/Mac as market leaders.
>
> -mb
>
> On Mon, May 25, 2020 at 9:28 PM der.hans wrote:
>
>> On 25 May 2020, Michael Butash wrote:
>>
>> moin moin,
>>
>> >> Should we be insulted that they don't check for SSH?
>> >>
>> >> Ah, "According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux."
>> >
>> > Probably more flattered about ssh - they know they're not getting anything out of a linux system anyways.
>>
>> Could they? I thought there was a problem with JavaScript hitting localhost a couple years ago and this was blocked.
>>
>> One of the links in the original article points to a break-down of the code in question. I'm only about 1/3 of the way through the article, so I don't yet know how it ends. Spoilers are OK :).
>>
>> https://blog.nem.ec/2020/05/24/ebay-port-scanning/
>>
>> As to script blocking below, yeah, other than security-curious people at conferences, I don't get much buy-in. Kidling, however, is learning to work with it :).
>>
>> ciao,
>>
>> der.hans
>>
>> > Interesting on the second comment - didn't catch that. Wonder why/how windoze allows this, but linux does not? And what about the mac users? Now I'm even more curious.
>> >
>> > I feel a bit better knowing I'm protected since I don't use windoze for anything but visio, but the other billion suckers still using windoze as a main rig are screwed as usual.
>> >
>> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>> >
>> > I too use uBlock Origin, mostly for adware lists, but I use NoScript that flat disallows sites unless whitelisted. It breaks all sorts of stuff until whitelisted, but usually the ones that require me to whitelist more than a few domains, I quickly close and forget about. It's pretty scary going to big sites like various news outlets just how many domains their javascripts are banging your browser with. I've seen upwards of 20-30 foreign domains all attempting to track/probe you at times - those I close quick, blacklist them all, and thank the fact I have script blocking enabled.
>> >
>> > Trying to get others to use noscript or any sort of whitelist model is tough, 99% of the time they don't want the inconvenience and end up turning it off. I usually stop taking tech support calls or listening to whining after that when they're infected yet again.
>> >
>> > -mb
>> >
>> > On Mon, May 25, 2020 at 6:17 PM der.hans wrote:
>> >
>> >> On 24 May 2020, Michael Butash via PLUG-discuss wrote:
>> >>
>> >> moin moin,
>> >>
>> >>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>> >>>
>> >>> This was a bit disturbing to read today. Ebay injects a few javascript connections back to your requesting system, measures a basic socket connection, telling them if the port is open or not, amounting to effectively a local host port scan for specified ports, behind a firewall, from a web page you visited. They are doing this looking for remote admin applications in fact, rdp, vnc, teamviewer, many others. Hmm.
>> >>
>> >> Should we be insulted that they don't check for SSH?
>> >>
>> >> Ah, "According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux."
>> >>
>> >> :)
>> >>
>> >>> So any public website can query any port from visiting a web page, and possibly interact with any sort of local or other api on my system?
>> >>>
>> >>> I wouldn't think Javascript would be allowed to chain off a host like that,
>> >>
>> >> JavaScript can run bitcoin miners on your system. It can also attack and steal the credentials for your bitcoin account and thereby take all your coins. Plus there are the exploits of password browser plugins such as LastPass.
>> >>
>> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any. I even remove the 1st party allowances for most of my browser instances.
>> >>
>> >> That does render some sites totally unreadable. I ignore most of those.
>> >>
>> >> For some sites, I allow certain JavaScript. For instance, for HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have to allow google and recaptcha in order to checkout. Sometimes I just don't bother with the bundle as it's not worth the annoyance.
>> >>
>> >> For ebay, I have a separate browser instance as the site has lots of JavaScript. I generally just don't use ebay very much. I need to get better at running browsers out of containers and restricting their access. In fact, I might finally be in a position to try out qubes.
>> >>
>> >> ciao,
>> >>
>> >> der.hans
>> >>
>> >>> or at least have protections from certain abuse. I suppose it's valid if linking to another site, but JS/Browsers allowing local random port use like this, seems ebay is probably not the only one to abuse this in certain ways. I know you can do some interesting things with websockets, seems chaining via same methods to remote interact would be trivial.
>> >>>
>> >>> This is pretty devious actually, I'm both a bit scared for ebay, not to mention all the other sites I "trust", let alone the ones I don't. Everyone else that just allows javascript pervasively is just hosed. Which is standard for everyone since javascript existed.
>> >>>
>> >>> I use noscript pervasively, and whitelist only valid sites. Ebay is a valid site, didn't think I had to protect myself, but how would you protect against this? Curious also the take from web devs on this, other than thanks for the tip. :)
>> >>>
>> >>> -mb
>> >>
>> >> --
>> >> # https://www.LuftHans.com https://www.PhxLinux.org
>> >> # Boredom is self-inflicted...der.hans
>>
>> --
>> # https://www.LuftHans.com https://www.PhxLinux.org
>> # ... make it clear I support "Free Software" and not "Open Source",
>> # and don't imply I agree that there is such a thing as a
>> # "Linux operating system". - rms
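The localhost probing the thread describes (a page opening WebSocket connections to ports on 127.0.0.1 and judging from how each attempt fails whether something is listening), as an added example written for this page, not eBay's or ThreatMetrix's script and not taken from the nem.ec write-up. The port-to-application map, the two timing thresholds and every function name here are assumptions made for the illustration:

```javascript
// Added illustrative example (not eBay's or ThreatMetrix's code): how a web page
// can learn which localhost ports are listening with nothing but WebSocket
// connection attempts. The page never sees the socket; what leaks is how long
// the attempt takes to fail.

// Assumed port -> application map. The thread names rdp, vnc and teamviewer;
// the numbers are those tools' conventional defaults, and ssh is the thread's joke.
const PROBE_PORTS = {
  22: 'ssh',
  3389: 'rdp',
  5900: 'vnc',
  5938: 'teamviewer',
};

const TIMEOUT_MS = 1500;   // give up on an attempt after this (assumed value)
const FAST_FAIL_MS = 100;  // a loopback RST arrives well under this (assumed value)

// Turn one attempt into a verdict. `outcome` is what the WebSocket events reported:
//   'open'    a real WebSocket server answered (unusual for the ports above)
//   'error'   the browser reports failure but hides the reason, so timing decides:
//             a closed port is refused immediately (fast); a port with a non-HTTP
//             listener completes the TCP handshake and only fails once the
//             WebSocket upgrade is rejected (slow)
//   'timeout' nothing happened before TIMEOUT_MS: dropped by a firewall, or a
//             listener that sits silently on the connection
function classify(outcome, elapsedMs, fastFailMs = FAST_FAIL_MS) {
  if (outcome === 'open') return 'open';
  if (outcome === 'timeout') return 'filtered';
  if (outcome === 'error') return elapsedMs < fastFailMs ? 'closed' : 'open';
  throw new Error(`unknown outcome: ${outcome}`);
}

// One attempt against ws://host:port. Works wherever `WebSocket` is a global
// (browsers; Node 22+). Rejects only when there is no WebSocket at all.
function probePort(host, port, timeoutMs = TIMEOUT_MS) {
  if (typeof WebSocket === 'undefined') {
    return Promise.reject(new Error('no WebSocket global in this runtime'));
  }
  return new Promise((resolve) => {
    const started = Date.now();
    let ws = null;
    let timer = null;
    let settled = false;
    const finish = (outcome) => {
      if (settled) return;          // error and close both fire; count the first
      settled = true;
      clearTimeout(timer);
      if (ws) { try { ws.close(); } catch (_) { /* already closed */ } }
      resolve({ port, outcome, elapsedMs: Date.now() - started });
    };
    timer = setTimeout(() => finish('timeout'), timeoutMs);
    try {
      ws = new WebSocket(`ws://${host}:${port}/`);
    } catch (_) {
      finish('error');              // constructor throws synchronously on a blocked URL
      return;
    }
    ws.onopen = () => finish('open');
    ws.onerror = () => finish('error');
    ws.onclose = () => finish('error');
  });
}

// Raw attempts -> { port: { app, state } }. Pure, so the heuristic can be
// checked offline without touching the network.
function summarize(results, ports = PROBE_PORTS) {
  const out = {};
  for (const r of results) {
    out[r.port] = {
      app: ports[r.port] || 'unknown',
      state: classify(r.outcome, r.elapsedMs),
    };
  }
  return out;
}

// The remote-admin tools a fingerprinting script would report upstream.
function detectedApps(summary) {
  return Object.values(summary)
    .filter((s) => s.state === 'open')
    .map((s) => s.app)
    .sort();
}

// Probe every assumed port concurrently, the way a fingerprinting script would.
async function scanLocalhost(ports = PROBE_PORTS, host = '127.0.0.1') {
  const results = await Promise.all(
    Object.keys(ports).map((p) => probePort(host, Number(p))),
  );
  return summarize(results, ports);
}

// Constructed sample of what four attempts might report on a machine with RDP
// enabled, no VNC, TeamViewer's port firewalled and no sshd (not captured data):
const SAMPLE_RESULTS = [
  { port: 3389, outcome: 'error', elapsedMs: 380 },   // TCP connected, upgrade refused later
  { port: 5900, outcome: 'error', elapsedMs: 4 },     // immediate RST
  { port: 5938, outcome: 'timeout', elapsedMs: 1500 },
  { port: 22, outcome: 'error', elapsedMs: 3 },
];

console.log(detectedApps(summarize(SAMPLE_RESULTS)));   // -> [ 'rdp' ]
```

In a browser console `scanLocalhost().then(console.log)` runs the real thing against your own machine. The fixed threshold is the weak point of the technique: a script that wanted reliable answers would first time a port it knows is closed and derive the cutoff from that, and a host firewall that drops instead of resetting makes every port read as filtered. On the defending side there is nothing for the page to exploit here except the browser's willingness to open the connection, so the controls are the ones the thread already names: not running the third-party script at all, or a content blocker that can refuse the `websocket` request type for it.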