Re: Ebay port scans your pc on every visit.

Author: Michael Butash via PLUG-discuss
Date:  
To: Michael Butash via PLUG-discuss
CC: Michael Butash
Subject: Re: Ebay port scans your pc on every visit.
A bit more on this, it does seem to be ThreatMetrix, LexisNexis' security
service as a script inclusion by "customers" of theirs. They list some
other sites that seem to use this.

https://www.bleepingcomputer.com/news/security/list-of-well-known-web-sites-that-port-scan-their-visitors/

I still wonder what shenanigans illegitimate sites are using this for,
since seemingly only Firefox seems to possess the security features and
be capable of blocking it with uBlock Origin or the like.

-mb



On Mon, May 25, 2020 at 11:21 PM Michael Butash <> wrote:

> Far more interesting on that article breaking it down for sure.
>
> From what I gathered, it's a service Ebay uses, one owned by LexisNexis,
> dba ThreatMetrix. Sounds like they figured out how to use hacker
> techniques, and monetized it with some crafty sales folk to get into ebay,
> banks, others. This is a big market, not surprised this is common as it's
> been monetized by a somewhat sleazy company apparently. Funny that,
> LexisNexis being mostly a search engine data repo for lawyers, the sleaze
> continues.
>
> It didn't sound conclusive why it wasn't attacking linux. It didn't seem
> to trigger the port scans, per them, even when they spoofed their user
> agent as a windoze box. He concluded they were able to tell somehow it was
> linux, but not sure how. They only go hunting for sheep(le). I might try
> to reproduce.
>
> I tend to side with the fact they have a routine ala if windoze,
> probe/infect/whatever. If mac, probe/infect, whatever. If linux, who
> cares, it's probably ok. I found years ago M$ had something like this as
> an ingestion formula for Office365 that caused only linux web clients to
> suck/crash/just do bad things. It was technically chalked up as a "bug"
> and fixed (causing office365 to finally actually work under linux), but we
> all know better than that. Not surprised people do this for various user
> agents and other meta recognition methods to *influence* behavior.
>
> It's that 1% linux desktop user thing, but hey, I'll hang out here and
> watch the carnage they invoke upon Windows/Mac as market leaders.
>
> -mb
>
>
> On Mon, May 25, 2020 at 9:28 PM der.hans <> wrote:
>
>> On 25 May 2020, Michael Butash chatted thus:
>>
>> moin moin,
>>
>> >> Should we be insulted that they don't check for SSH?
>> >>
>> >> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> >> not occur when browsing the site with Linux."
>> >
>> > Probably more flattered about ssh - they know they're not getting anything
>> > out of a linux system anyways.
>>
>> Could they? I thought there was a problem with JavaScript hitting
>> localhost a couple years ago and this was blocked.
>>
>> One of the links in the original article points to a break-down of the
>> code in question. I'm only about 1/3 of the way through the article, so I
>> don't yet know how it ends. Spoilers are OK :).
>>
>> https://blog.nem.ec/2020/05/24/ebay-port-scanning/
>>
>> As to script blocking below, yeah, other than security-curious people at
>> conferences, I don't get much buy in. Kidling however is learning to work
>> with it :).
>>
>> ciao,
>>
>> der.hans
>>
>> > Interesting on the second comment - didn't catch that. Wonder why/how
>> > windoze allows this, but linux does not? And what about the mac users?
>> > Now I'm even more curious.
>> >
>> > I feel a bit better knowing I'm protected since I don't use windoze for
>> > anything but visio, but the other billion suckers still using windoze as a
>> > main rig are screwed as usual.
>> >
>> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
>> >
>> > I too use uBlock Origin, mostly for adware lists, but I use NoScript that
>> > flat disallows sites unless whitelisted. It breaks all sorts of stuff
>> > until whitelisted, but usually the ones that require me to whitelist more
>> > than a few domains, I quickly close and forget about. It's pretty scary
>> > going to big sites like various news outlets just how many domains their
>> > javascripts are banging your browser with. I've seen upwards of 20-30
>> > foreign domains all attempting to track/probe you at times - those I close
>> > quick, blacklist them all, and thank the fact I have script blocking
>> > enabled.
>> >
>> > Trying to get others to use noscript or any sort of whitelist model is
>> > tough, 99% of the time they don't want the inconvenience and end up turning
>> > it off. I usually stop taking tech support calls or listening to whining
>> > after that when they're infected yet again.
>> >
>> > -mb
>> >
>> >
>> > On Mon, May 25, 2020 at 6:17 PM der.hans <> wrote:
>> >
>> >> On 24 May 2020, Michael Butash via PLUG-discuss chatted thus:
>> >>
>> >> moin moin,
>> >>
>> >>> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
>> >>>
>> >>> This was a bit disturbing to read today. Ebay injects a few javascript
>> >>> connections back to your requesting system, measures a basic socket
>> >>> connection, telling them if the port is open or not, amounting to
>> >>> effectively a local host port scan for specified ports, behind a firewall,
>> >>> from a web page you visited. They are doing this looking for remote admin
>> >>> applications in fact, rdp, vnc, teamviewer, many others. Hmm.
>> >>
>> >> Should we be insulted that they don't check for SSH?
>> >>
>> >> Ah, "According to Nullsweep, who first reported on the port scans, they do
>> >> not occur when browsing the site with Linux."
>> >>
>> >> :)
>> >>
>> >>> So any public website can query any port from visiting a web page, and
>> >>> possibly interact with any sort of local or other api on my system?
>> >>>
>> >>> I wouldn't think Javascript would be allowed to chain off a host like that,
>> >>
>> >> JavaScript can run bitcoin miners on your system. It can also attack and
>> >> steal the credentials for your bitcoin account and thereby take all your
>> >> coins. Plus there are the exploits of password browser plugins such as
>> >> LastPass.
>> >>
>> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any. I
>> >> even remove the 1st party allowances for most of my browser instances.
>> >>
>> >> That does render some sites totally unreadable. I ignore most of those.
>> >>
>> >> For some sites, I allow certain JavaScript. For instance, for
>> >> HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have to
>> >> allow google and recaptcha in order to checkout. Sometimes I just don't
>> >> bother with the bundle as it's not worth the annoyance.
>> >>
>> >> For ebay, I have a separate browser instance as the site has lots of
>> >> JavaScript. I generally just don't use ebay very much. I need to get
>> >> better at running browsers out of containers and restricting their
>> >> access. In fact, I might finally be in a position to try out qubes.
>> >>
>> >> ciao,
>> >>
>> >> der.hans
>> >>
>> >>> or at least have protections from certain abuse. I suppose it's valid if
>> >>> linking to another site, but JS/Browsers allowing local random port use
>> >>> like this, seems ebay is probably not the only ones to abuse this in
>> >>> certain ways. I know you can do some interesting things with websockets,
>> >>> seems chaining via same methods to remote interact would be trivial.
>> >>>
>> >>> This is pretty devious actually, I'm both a bit scared for ebay, not to
>> >>> mention all the other sites I "trust", let alone the ones I don't.
>> >>> Everyone else that just allows pervasively javascript is just hozed. Which
>> >>> is standard for everyone since javascript existed.
>> >>>
>> >>> I use noscript pervasively, and whitelist only valid sites. Ebay is a
>> >>> valid site, didn't think I had to protect myself, but how would you protect
>> >>> against this? Curious also the take from web devs on this, other than
>> >>> thanks for the tip. :)
>> >>>
>> >>> -mb
>> >>>
>> >>
>> >> --
>> >> # https://www.LuftHans.com https://www.PhxLinux.org
>> >> # Boredom is self-inflicted...der.hans
>> >
>>
>> --
>> # https://www.LuftHans.com https://www.PhxLinux.org
>> # ... make it clear I support "Free Software" and not "Open Source",
>> # and don't imply I agree that there is such a thing as a
>> # "Linux operating system". - rms
>
>
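
Added example, not part of the thread and not code from any of the sites or vendors discussed: one way to check a saved browser session for the behaviour described above, by listing requests that a public page sent to loopback addresses. It assumes a HAR export from the browser's network tools in which `pages[].title` holds the page URL; the function names, the sample capture and `shop.example` are constructed for illustration.

```javascript
// Added example: find requests in a HAR capture where a public page reaches loopback.
const LOOPBACK = /^(localhost|127(\.\d{1,3}){3}|\[::1\])$/i;
const DEFAULT_PORT = { "http:": 80, "ws:": 80, "https:": 443, "wss:": 443 };
// Well-known default ports of the remote-admin tools named in the thread.
const KNOWN = { 3389: "RDP", 5900: "VNC", 5938: "TeamViewer" };

function isLoopback(hostname) {
  return LOOPBACK.test(hostname);
}

// Returns one record per request that a non-local page sent to a loopback address.
function findLoopbackProbes(har) {
  const pageUrl = {};
  for (const p of har.log.pages || []) pageUrl[p.id] = p.title; // assumption: title = page URL
  const hits = [];
  for (const entry of har.log.entries || []) {
    let req, page;
    try {
      req = new URL(entry.request.url);
      page = new URL(pageUrl[entry.pageref]);
    } catch {
      continue; // unparsable URL, or entry not tied to a page
    }
    if (!isLoopback(req.hostname) || isLoopback(page.hostname)) continue;
    const port = Number(req.port) || DEFAULT_PORT[req.protocol];
    hits.push({ page: page.hostname, scheme: req.protocol, port, service: KNOWN[port] || "unknown" });
  }
  return hits;
}

// Several distinct loopback ports from one capture suggests a scan, not a single local helper call.
function looksLikeScan(hits, minPorts = 3) {
  return new Set(hits.map((h) => h.port)).size >= minPorts;
}

// Constructed sample capture (not real traffic).
const sampleHar = { log: {
  pages: [{ id: "page_1", title: "https://shop.example/" }],
  entries: [
    { pageref: "page_1", request: { url: "https://shop.example/app.js" } },
    { pageref: "page_1", request: { url: "wss://127.0.0.1:5900/" } },
    { pageref: "page_1", request: { url: "wss://localhost:3389/" } },
    { pageref: "page_1", request: { url: "wss://[::1]:63333/" } },
  ],
} };

const hits = findLoopbackProbes(sampleHar);
console.log(hits, "scan-like:", looksLikeScan(hits));
```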
