Ebay port scans your pc on every visit.

Michael Butash michael at butash.net
Mon May 25 23:21:34 MST 2020


Far more interesting on that article breaking it down for sure.

>From what I gathered, it's a service Ebay uses, one owned by LexusNexus,
dba ThreatMatrix.  Sounds like they figured out how to use hacker
techniques, and monetized it with some crafty sales folk to get into ebay,
banks, others.  This is a big market, not surprised this is common as it's
been monetized by a somewhat sleazy company apparently.  Funny that,
LexusNexus being mostly a search engine data repo for lawyers, the sleaze
continues.

It didn't sound conclusive why it wasn't attacking linux.  It didn't seem
to trigger the port scans, per them, even when they spoofed their user
agent as a windoze box.  He concluded they were able to tell somehow it was
linux, but not sure how.  They only go hunting for sheep(le).  I might try
to reproduce.

I tend to side with the fact they have a routine ala if windoze,
probe/infect/whatever.  If mac, probe/infect, whatever.  If linux, who
cares, it's probably ok.  I found years ago M$ had something like this as
an ingestion formula for Office365 that caused only linux web clients to
suck/crash/just do bad things.  It was technically chalked up as a "bug"
and fixed (causing office365 to finally actually work under linux), but we
all know better than that.  Not surprised people do this for various user
agents and other meta recognition methods to *influence* behavior.

It's that 1% linux desktop user thing, but hey, I'll hang out here and
watch the carnage they invoke upon Windows/Mac as market leaders.

-mb


On Mon, May 25, 2020 at 9:28 PM der.hans <PLUGd at lufthans.com> wrote:

> Am 25. May, 2020 schwätzte Michael Butash so:
>
> moin moin,
>
> >> Should we be insulted that they don't check for SSH?
> >>
> >> Ah, "According to Nullsweep, who first reported on the port scans, they
> do
> >> not occur when browsing the site with Linux."
> >
> > Probably more flattered about ssh - they know they're not getting
> anything
> > out of a linux system anyways.
>
> Could they? I thought there was a problem with JavaScript hitting
> localhost a couple years ago and this was blocked.
>
> One of the links in the original article points to a break-down of the
> code in question. I'm only about 1/3 of the way through the article, so I
> don't yet know how it ends. Spoilers are OK :).
>
> https://blog.nem.ec/2020/05/24/ebay-port-scanning/
>
> As to script blocking below, yeah, other than security-curious people at
> conferences, I don't get much buy in. Kidling however is learning to work
> with it :).
>
> ciao,
>
> der.hans
>
> > Interesting on the second comment - didn't catch that.  Wonder why/how
> > windoze allows this, but linux does not?  And what about the mac users?
> > Now I'm even more curious.
> >
> > I feel a bit better knowing I'm protected since I don't use windoze for
> > anything but visio, but the other billion suckers still using windoze as
> a
> > main rig are screwed as usual.
> >
> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run any.
> >
> > I too use uBlock Origin, mostly for adware lists, but I use NoScript that
> > flat disallows sites unless whitelisted.  It breaks all sorts of stuff
> > until whitelisted, but usually the ones that require me to whitelist more
> > than a few domains, I quickly close and forget about.  It's pretty scary
> > going to big sites like various news outlets just how many domains their
> > javascripts are banging your browser with.  I've seen upwards of 20-30
> > foreign domains all attempting to track/probe you at times - those I
> close
> > quick, blacklist them all, and thank the fact I have script blocking
> > enabled.
> >
> > Trying to get others to use noscript or any sort of whitelist model is
> > tough, 99% of the time they don't want the inconvenience and end up
> turning
> > it off.  I usually stop taking tech support calls or listening to whining
> > after that when they're infected yet again.
> >
> > -mb
> >
> >
> > On Mon, May 25, 2020 at 6:17 PM der.hans <PLUGd at lufthans.com> wrote:
> >
> >> Am 24. May, 2020 schwätzte Michael Butash via PLUG-discuss so:
> >>
> >> moin moin,
> >>
> >>>
> >>
> https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/
> >>>
> >>> This was a bit disturbing to read today.  Ebay injects a few javascript
> >>> connections back to your requesting system, measures a basic socket
> >>> connection, telling them if the port is open or not, amounting to
> >>> effectively a local host port scan for specified ports, behind a
> >> firewall,
> >>> from a web page you visited.  They are doing this looking for remote
> >> admin
> >>> applications in fact, rdp, vnc, teamviewer, many others.  Hmm.
> >>
> >> Should we be insulted that they don't check for SSH?
> >>
> >> Ah, "According to Nullsweep, who first reported on the port scans, they
> do
> >> not occur when browsing the site with Linux."
> >>
> >> :)
> >>
> >>> So any public website can query any port from visiting a web page, and
> >>> possibly interact with any sort of local or other api on my system?
> >>>
> >>> I wouldn't think Javascript would be allowed to chain off a host like
> >> that,
> >>
> >> JavaScript can run bitcoin miners on your system. It can also attack and
> >> steal the credentials for your bitcoin account and thereby take all your
> >> coins. Plus there are the exploits of password browser plugins such as
> >> LastPass.
> >>
> >> I use uMatrix to limit JavaScript. Most sites aren't allowed to run
> any. I
> >> even remove the 1st party allowances for most of my browser instances.
> >>
> >> That does render some site totally unreadable. I ignore most of those.
> >>
> >> For some sites, I allow certain JavaScript. For instance, for
> >> HumbleBundle I allow JS from HB, but also from Stripe. Sometimes I have
> to
> >> allow google and recaptcha in order to checkout. Sometimes I just don't
> >> bother with the bundle as it's not worth the annoyance.
> >>
> >> For ebay, I have a separate browser instance as the site has lots of
> >> JavaScript. I generally just don't use ebay very much. I need to get
> >> better at running browsers out of containers and restricting their
> >> access. In fact, I might finally be in a position to try out qubes.
> >>
> >> ciao,
> >>
> >> der.hans
> >>
> >>> or at least have protections from certain abuse.  I suppose it's valid
> if
> >>> linking to another site, but JS/Browsers allowing local random port use
> >>> like this, seems ebay is probably not the only ones to abuse this in
> >>> certain ways.  I know you can do some interesting things with
> websockets,
> >>> seems chaining  via same methods to remote interact would be trivial.
> >>>
> >>> This is pretty devious actually, I'm both a bit scared for ebay, not to
> >>> mention all the other sites I "trust", let alone the ones I don't.
> >>> Everyone else that just allows pervasively javascript is just hozed.
> >> Which
> >>> is standard for everyone since javascript existed.
> >>>
> >>> I use noscript pervasively, and whitelist only valid sites.  Ebay is a
> >>> valid site, didn't think I had to protect myself, but how would you
> >> protect
> >>> against this?  Curious also the take from web dev's on this, other than
> >>> thanks for the tip.  :)
> >>>
> >>> -mb
> >>>
> >>
> >> --
> >> #  https://www.LuftHans.com   https://www.PhxLinux.org
> >> #  Boredom is self-inflicted...der.hans
> >
>
> --
> #  https://www.LuftHans.com   https://www.PhxLinux.org
> #  ... make it clear I support "Free Software" and not "Open Source",
> #  and don't imply I agree that there is such a thing as a
> #  "Linux operating system". - rms
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.phxlinux.org/pipermail/plug-discuss/attachments/20200525/791c1c46/attachment.html>


More information about the PLUG-discuss mailing list