Ideally hopefully the last in this - https://www.bleepingcomputer.com/news/security/ublock-origin-ad-blocker-now-blocks-port-scans-on-most-sites/

Hopefully it devalues LexisNexis/ThreatMetrix as a junk product to be abandoned. Better find new exploits, legal firm.

-mb

On Sun, May 31, 2020 at 6:12 PM Michael Butash wrote:

> A bit more on this, it does seem to be ThreatMetrix, LexisNexis' security service, as a script inclusion by "customers" of theirs. They list some other sites that seem to use this.
>
> https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/
>
> I still wonder what shenanigans illegitimate sites are using this for, since seemingly only Firefox seems possessed of the security features and capable of blocking it with uBlock Origin or the like.
>
> -mb
>
> On Mon, May 25, 2020 at 11:21 PM Michael Butash wrote:
>
>> Far more interesting on that article breaking it down for sure.
>>
>> From what I gathered, it's a service Ebay uses, one owned by LexisNexis, dba ThreatMetrix. Sounds like they figured out how to use hacker techniques, and monetized it with some crafty sales folk to get into ebay, banks, others. This is a big market, not surprised this is common as it's been monetized by a somewhat sleazy company apparently. Funny that, LexisNexis being mostly a search engine data repo for lawyers, the sleaze continues.
>>
>> It didn't sound conclusive why it wasn't attacking linux. It didn't seem to trigger the port scans, per them, even when they spoofed their user agent as a windoze box. He concluded they were able to tell somehow it was linux, but not sure how. They only go hunting for sheep(le). I might try to reproduce.
>>
>> I tend to side with the fact they have a routine a la: if windoze, probe/infect/whatever. If mac, probe/infect, whatever. If linux, who cares, it's probably ok. I found years ago M$ had something like this as an ingestion formula for Office365 that caused only linux web clients to suck/crash/just do bad things. It was technically chalked up as a "bug" and fixed (causing office365 to finally actually work under linux), but we all know better than that. Not surprised people do this for various user agents and other meta recognition methods to *influence* behavior.
>>
>> It's that 1% linux desktop user thing, but hey, I'll hang out here and watch the carnage they invoke upon Windows/Mac as market leaders.
>>
>> -mb
>>
>> On Mon, May 25, 2020 at 9:28 PM der.hans wrote:
>>
>>> Am 25. May, 2020 schwätzte Michael Butash so:
>>>
>>> moin moin,
>>>
>>>>> Should we be insulted that they don't check for SSH?
>>>>>
>>>>> Ah, "According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux."
>>>>
>>>> Probably more flattered about ssh - they know they're not getting anything out of a linux system anyways.
>>>
>>> Could they? I thought there was a problem with JavaScript hitting localhost a couple years ago and this was blocked.
>>>
>>> One of the links in the original article points to a break-down of the code in question. I'm only about 1/3 of the way through the article, so I don't yet know how it ends. Spoilers are OK :).
>>>
>>> https://blog.nem.ec/2020/05/24/ebay-port-scanning/
>>>
>>> As to script blocking below, yeah, other than security-curious people at conferences, I don't get much buy-in. Kidling however is learning to work with it :).
>>>
>>> ciao,
>>>
>>> der.hans
>>>
>>>> Interesting on the second comment - didn't catch that. Wonder why/how windoze allows this, but linux does not? And what about the mac users? Now I'm even more curious.
>>>>
>>>> I feel a bit better knowing I'm protected since I don't use windoze for anything but visio, but the other billion suckers still using windoze as a main rig are screwed as usual.
>>>>
>>>>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>>>>
>>>> I too use uBlock Origin, mostly for adware lists, but I use NoScript that flat disallows sites unless whitelisted. It breaks all sorts of stuff until whitelisted, but usually the ones that require me to whitelist more than a few domains, I quickly close and forget about. It's pretty scary going to big sites like various news outlets just how many domains their javascripts are banging your browser with. I've seen upwards of 20-30 foreign domains all attempting to track/probe you at times - those I close quick, blacklist them all, and thank the fact I have script blocking enabled.
>>>>
>>>> Trying to get others to use noscript or any sort of whitelist model is tough, 99% of the time they don't want the inconvenience and end up turning it off. I usually stop taking tech support calls or listening to whining after that when they're infected yet again.
>>>>
>>>> -mb
>>>>
>>>> On Mon, May 25, 2020 at 6:17 PM der.hans wrote:
>>>>
>>>>> Am 24. May, 2020 schwätzte Michael Butash via PLUG-discuss so:
>>>>>
>>>>> moin moin,
>>>>>
>>>>>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>>>>>>
>>>>>> This was a bit disturbing to read today. Ebay injects a few javascript connections back to your requesting system, measures a basic socket connection, telling them if the port is open or not, amounting to effectively a local host port scan for specified ports, behind a firewall, from a web page you visited. They are doing this looking for remote admin applications in fact, rdp, vnc, teamviewer, many others. Hmm.
>>>>>
>>>>> Should we be insulted that they don't check for SSH?
>>>>>
>>>>> Ah, "According to Nullsweep, who first reported on the port scans, they do not occur when browsing the site with Linux."
>>>>>
>>>>> :)
>>>>>
>>>>>> So any public website can query any port from visiting a web page, and possibly interact with any sort of local or other api on my system?
>>>>>>
>>>>>> I wouldn't think Javascript would be allowed to chain off a host like that,
>>>>>
>>>>> JavaScript can run bitcoin miners on your system. It can also attack and steal the credentials for your bitcoin account and thereby take all your coins. Plus there are the exploits of password browser plugins such as LastPass.
>>>>>
>>>>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any. I even remove the 1st party allowances for most of my browser instances.
>>>>>
>>>>> That does render some sites totally unreadable. I ignore most of those.
>>>>>
>>>>> For some sites, I allow certain JavaScript. For instance, for HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have to allow google and recaptcha in order to checkout. Sometimes I just don't bother with the bundle as it's not worth the annoyance.
>>>>>
>>>>> For ebay, I have a separate browser instance as the site has lots of JavaScript. I generally just don't use ebay very much. I need to get better at running browsers out of containers and restricting their access. In fact, I might finally be in a position to try out qubes.
>>>>>
>>>>> ciao,
>>>>>
>>>>> der.hans
>>>>>
>>>>>> or at least have protections from certain abuse. I suppose it's valid if linking to another site, but JS/Browsers allowing local random port use like this, seems ebay is probably not the only ones to abuse this in certain ways. I know you can do some interesting things with websockets, seems chaining via same methods to remote interact would be trivial.
>>>>>>
>>>>>> This is pretty devious actually, I'm both a bit scared for ebay, not to mention all the other sites I "trust", let alone the ones I don't. Everyone else that just allows javascript pervasively is just hosed. Which is standard for everyone since javascript existed.
>>>>>>
>>>>>> I use noscript pervasively, and whitelist only valid sites. Ebay is a valid site, didn't think I had to protect myself, but how would you protect against this? Curious also the take from web devs on this, other than thanks for the tip. :)
>>>>>>
>>>>>> -mb
>>>>>>
>>>>>
>>>>> --
>>>>> # https://www.LuftHans.com https://www.PhxLinux.org
>>>>> # Boredom is self-inflicted...der.hans
>>>>
>>>
>>> --
>>> # https://www.LuftHans.com https://www.PhxLinux.org
>>> # ... make it clear I support "Free Software" and not "Open Source",
>>> # and don't imply I agree that there is such a thing as a
>>> # "Linux operating system". - rms
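The thread describes the pattern worth detecting: a page served from a public site opening connections (WebSocket or plain HTTP) to the visitor's own machine on ports where remote-access tools listen. The script below is an added example and is not code from the thread, from uBlock Origin, or from any product named above. It works from a constructed, hypothetical log of "page_origin request_url" pairs (what a proxy, a CSP report endpoint, or a devtools export would give you in some layout) and flags every request where a non-local origin targets a loopback or unspecified address; the port labels for RDP, VNC and TeamViewer are the well-known defaults and are an assumption about what was probed, not taken from the articles.

```python
"""Flag page-initiated connections from a public web origin to the local machine.

Added example for the thread above; not code from uBlock Origin, NoScript,
or any vendor. Input is a constructed log: one "page_origin request_url" per
line. Real sources (proxy logs, CSP reports, devtools HAR exports) carry the
same two facts in other layouts.
"""
import ipaddress
from urllib.parse import urlsplit

# Default listening ports of the remote-access tools the thread mentions
# (assumed well-known defaults; any local port is flagged, these get a label).
PORT_LABELS = {3389: "rdp", 5900: "vnc", 5938: "teamviewer"}


def is_local_target(url):
    """True when the URL's host is the browsing machine itself."""
    host = urlsplit(url).hostname  # lowercased; IPv6 brackets stripped
    if host is None:
        return False
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # ordinary DNS name, not an IP literal
    # 127.0.0.0/8 and ::1 are loopback; 0.0.0.0 and :: resolve to local too.
    return addr.is_loopback or addr.is_unspecified


def default_port(scheme):
    """Port implied by the scheme when the URL carries none."""
    return 443 if scheme in ("https", "wss") else 80


def flag_local_probes(log_lines):
    """Return (page_origin, scheme, port, label) for each suspicious request.

    Suspicious means: the page came from a non-local origin and the request
    goes to the visitor's own machine, regardless of scheme.
    """
    findings = []
    for line in log_lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        origin, url = line.split(maxsplit=1)
        if is_local_target(origin):
            continue  # a local dev page talking to its own server is fine
        if not is_local_target(url):
            continue  # normal cross-origin fetch (CDN, API, tracker)
        parts = urlsplit(url)
        port = parts.port if parts.port is not None else default_port(parts.scheme)
        findings.append((origin, parts.scheme, port, PORT_LABELS.get(port, "other")))
    return findings


# Constructed sample: a public shop page that probes three local ports,
# one ordinary CDN fetch, and a local dev page talking to its own backend.
SAMPLE_LOG = """
# page_origin request_url   (constructed for this example)
https://shop.example https://cdn.example/bundle.js
https://shop.example wss://localhost:3389/
https://shop.example wss://127.0.0.1:5900/
https://shop.example wss://[::1]:5938/
http://localhost:8080 http://127.0.0.1:8080/api/status
"""

if __name__ == "__main__":
    for origin, scheme, port, label in flag_local_probes(SAMPLE_LOG.splitlines()):
        print(f"{origin} -> {scheme}://<local>:{port} ({label})")
```

Run as-is it reports the three WebSocket probes from `https://shop.example` and stays silent on the CDN fetch and on the local-to-local development request. The check is deliberately scheme-agnostic: the thread's concern is the connection attempt itself (the timing of a refused versus accepted socket is the signal), so filtering on `ws`/`wss` alone would miss an `http://127.0.0.1:PORT` image or fetch probe.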