Ideally hopefully the last in this - https://www.bleepingcomputer.com/news/security/ublock-origin-ad-blocker-now-blocks-port-scans-on-most-sites/

Hopefully it devalues LexisNexis/ThreatMetrix as a junk product to be abandoned.  Better find new exploits, legal firm.

-mb


On Sun, May 31, 2020 at 6:12 PM Michael Butash <michael@butash.net> wrote:
A bit more on this, it does seem to be ThreatMetrix, LexisNexis' security service, included as a script by "customers" of theirs.  They list some other sites that seem to use this.

https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/

I still wonder what shenanigans illegitimate sites are using this for, since seemingly only Firefox has the security features and is capable of blocking it with uBlock Origin or the like.

-mb



On Mon, May 25, 2020 at 11:21 PM Michael Butash <michael@butash.net> wrote:
Far more interesting on that article breaking it down for sure.

From what I gathered, it's a service Ebay uses, one owned by LexisNexis, dba ThreatMetrix.  Sounds like they figured out how to use hacker techniques, and monetized it with some crafty sales folk to get into ebay, banks, others.  This is a big market, not surprised this is common as it's been monetized by a somewhat sleazy company apparently.  Funny that, LexisNexis being mostly a search engine data repo for lawyers, the sleaze continues.

It didn't sound conclusive why it wasn't attacking linux.  It didn't seem to trigger the port scans, per them, even when they spoofed their user agent as a windoze box.  He concluded they were able to tell somehow it was linux, but not sure how.  They only go hunting for sheep(le).  I might try to reproduce.

I tend to side with the fact they have a routine ala if windoze, probe/infect/whatever.  If mac, probe/infect, whatever.  If linux, who cares, it's probably ok.  I found years ago M$ had something like this as an ingestion formula for Office365 that caused only linux web clients to suck/crash/just do bad things.  It was technically chalked up as a "bug" and fixed (causing office365 to finally actually work under linux), but we all know better than that.  Not surprised people do this for various user agents and other meta recognition methods to *influence* behavior.

It's that 1% linux desktop user thing, but hey, I'll hang out here and watch the carnage they invoke upon Windows/Mac as market leaders.

-mb


On Mon, May 25, 2020 at 9:28 PM der.hans <PLUGd@lufthans.com> wrote:
On 25 May 2020, Michael Butash wrote:

moin moin,

>> Should we be insulted that they don't check for SSH?
>>
>> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> not occur when browsing the site with Linux."
>
> Probably more flattered about ssh - they know they're not getting anything
> out of a linux system anyways.

Could they? I thought there was a problem with JavaScript hitting
localhost a couple years ago and this was blocked.

One of the links in the original article points to a break-down of the
code in question. I'm only about 1/3 of the way through the article, so I
don't yet know how it ends. Spoilers are OK :).

https://blog.nem.ec/2020/05/24/ebay-port-scanning/

As to script blocking below, yeah, other than security-curious people at
conferences, I don't get much buy-in. Kidling however is learning to work
with it :).

ciao,

der.hans

> Interesting on the second comment - didn't catch that.  Wonder why/how
> windoze allows this, but linux does not?  And what about the mac users?
> Now I'm even more curious.
>
> I feel a bit better knowing I'm protected since I don't use windoze for
> anything but visio, but the other billion suckers still using windoze as a
> main rig are screwed as usual.
>
>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>
> I too use uBlock Origin, mostly for adware lists, but I use NoScript that
> flat disallows sites unless whitelisted.  It breaks all sorts of stuff
> until whitelisted, but usually the ones that require me to whitelist more
> than a few domains, I quickly close and forget about.  It's pretty scary
> going to big sites like various news outlets just how many domains their
> javascripts are banging your browser with.  I've seen upwards of 20-30
> foreign domains all attempting to track/probe you at times - those I close
> quick, blacklist them all, and thank the fact I have script blocking
> enabled.
>
> Trying to get others to use noscript or any sort of whitelist model is
> tough, 99% of the time they don't want the inconvenience and end up turning
> it off.  I usually stop taking tech support calls or listening to whining
> after that when they're infected yet again.
>
> -mb
>
>
> On Mon, May 25, 2020 at 6:17 PM der.hans <PLUGd@lufthans.com> wrote:
>
>> On 24 May 2020, Michael Butash via PLUG-discuss wrote:
>>
>> moin moin,
>>
>>>
>>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>>>
>>> This was a bit disturbing to read today.  Ebay injects a few javascript
>>> connections back to your requesting system, measures a basic socket
>>> connection, telling them if the port is open or not, amounting to
>>> effectively a local host port scan for specified ports, behind a
>>> firewall, from a web page you visited.  They are doing this looking for
>>> remote admin applications in fact, rdp, vnc, teamviewer, many others.  Hmm.
>>
>> Should we be insulted that they don't check for SSH?
>>
>> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> not occur when browsing the site with Linux."
>>
>> :)
>>
>>> So any public website can query any port from visiting a web page, and
>>> possibly interact with any sort of local or other api on my system?
>>>
>>> I wouldn't think Javascript would be allowed to chain off a host like
>>> that,
>>
>> JavaScript can run bitcoin miners on your system. It can also attack and
>> steal the credentials for your bitcoin account and thereby take all your
>> coins. Plus there are the exploits of password browser plugins such as
>> LastPass.
>>
>> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any. I
>> even remove the 1st party allowances for most of my browser instances.
>>
>> That does render some sites totally unreadable. I ignore most of those.
>>
>> For some sites, I allow certain JavaScript. For instance, for
>> HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have to
>> allow google and recaptcha in order to checkout. Sometimes I just don't
>> bother with the bundle as it's not worth the annoyance.
>>
>> For ebay, I have a separate browser instance as the site has lots of
>> JavaScript. I generally just don't use ebay very much. I need to get
>> better at running browsers out of containers and restricting their
>> access. In fact, I might finally be in a position to try out qubes.
>>
>> ciao,
>>
>> der.hans
>>
>>> or at least have protections from certain abuse.  I suppose it's valid if
>>> linking to another site, but JS/Browsers allowing local random port use
>>> like this, seems ebay is probably not the only ones to abuse this in
>>> certain ways.  I know you can do some interesting things with websockets,
>>> seems chaining via same methods to remote interact would be trivial.
>>>
>>> This is pretty devious actually, I'm both a bit scared for ebay, not to
>>> mention all the other sites I "trust", let alone the ones I don't.
>>> Everyone else that just allows javascript pervasively is just hosed.
>>> Which is standard for everyone since javascript existed.
>>>
>>> I use noscript pervasively, and whitelist only valid sites.  Ebay is a
>>> valid site, didn't think I had to protect myself, but how would you
>>> protect against this?  Curious also the take from web dev's on this,
>>> other than thanks for the tip.  :)
>>>
>>> -mb
>>>
>>
>> --
>> #  https://www.LuftHans.com   https://www.PhxLinux.org
>> #  Boredom is self-inflicted...der.hans
>

--
https://www.LuftHans.com   https://www.PhxLinux.org
#  ... make it clear I support "Free Software" and not "Open Source",
#  and don't imply I agree that there is such a thing as a
#  "Linux operating system". - rms
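The localhost probing the thread describes (a page's script opening socket connections toward the visitor's own machine) leaves a trace in the browser's network log. As an added example that is not part of this thread, here is a small Python script that reads a HAR export (the JSON a browser's developer tools can save) and reports every request a page made to a loopback address, grouped by port; the HAR fragment is constructed for the demonstration, and the hosts shop.example and cdn.example are made up.

```python
import json
import ipaddress
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample HAR fragment (not a real capture): a page on the
# hypothetical shop.example loads a third-party script from cdn.example,
# after which the page opens WebSockets toward the visitor's own machine.
SAMPLE_HAR = json.dumps({"log": {"entries": [
    {"pageref": "page_1", "request": {"url": "https://shop.example/item/123"}},
    {"pageref": "page_1", "request": {"url": "https://cdn.example/fp.js"}},
    {"pageref": "page_1", "request": {"url": "ws://127.0.0.1:3389/"}},
    {"pageref": "page_1", "request": {"url": "ws://127.0.0.1:5900/"}},
    {"pageref": "page_1", "request": {"url": "ws://localhost:5938/"}},
    {"pageref": "page_1", "request": {"url": "wss://[::1]:63333/"}},
    {"pageref": "page_1", "request": {"url": "https://shop.example/api/cart"}},
]}})

# Ports implied by the scheme when the URL carries none.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def is_loopback_host(host):
    """True when the URL host names the visitor's own machine."""
    if host is None:
        return False
    h = host.lower()
    if h == "localhost" or h.endswith(".localhost"):
        return True
    try:
        return ipaddress.ip_address(h).is_loopback   # 127.0.0.0/8 and ::1
    except ValueError:
        return False                                 # ordinary hostname


def find_loopback_probes(har_text):
    """Return {pageref: {port: request_count}} for requests aimed at loopback.

    A normal web page has no reason to contact the visitor's loopback
    interface, so any hit here is worth a look regardless of whether the
    connection succeeded (a refused WebSocket still shows up as an entry).
    """
    probes = defaultdict(lambda: defaultdict(int))
    for entry in json.loads(har_text)["log"]["entries"]:
        url = urlsplit(entry["request"]["url"])
        if not is_loopback_host(url.hostname):
            continue
        port = url.port or DEFAULT_PORTS.get(url.scheme, 0)
        probes[entry.get("pageref", "?")][port] += 1
    return {page: dict(ports) for page, ports in probes.items()}


if __name__ == "__main__":
    for page, ports in find_loopback_probes(SAMPLE_HAR).items():
        print(page, "probed loopback ports:", sorted(ports))
```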