Websites port scan computers for remote access programs

Discussion in 'other security issues & news' started by Surt, May 24, 2020.

  1. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    05/27 Update: Not just eBay as it turns out. I had the title changed from "eBay scans..." to "Websites scan..." Thanks moderator!

    "When visiting the eBay.com site, a script will run that performs a local port scan of your computer to detect remote support and remote management applications."

    https://www.bleepingcomputer.com/news/security/ebay-port-scans-visitors-computers-for-remote-access-programs/

    Sure does!
    ebayCheckJS-1.jpg

    ebayCheckJS-2.jpg
    AdGuard rule works:
    ||src.ebay-us.com/fp/check.js$domain=signin.ebay.com
     
    Last edited: May 27, 2020
  2. zapjb

    zapjb Registered Member

    Joined:
    Nov 15, 2005
    Posts:
    5,590
    Location:
    USA still the best. But barely.
    My BitDefender blocks attempts to connect on not to eBay.
     
  3. guest

    guest Guest

    eBay users spot the online auction house port-scanning their PCs. Um... is that OK?
    May 26, 2020
    https://www.theregister.co.uk/2020/05/26/ebay_port_scans_your_pc/
     
  4. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    Websites Conducting Port Scans - Schneier on Security
    https://www.schneier.com/blog/archives/2020/05/websites_conduc.html
    There's a bunch of relevant links within the article and the comments.
     
  5. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,957
    Location:
    USA
    Thanks, Surt. Interesting info on the site you linked. :thumb:
     
  6. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    I think eBay got the message as I'm not seeing the local port websocket scans as of today.

    I did verify CitiBank and I use citiretailservices.citibankonline.com where the scans occur even after I login and they reoccur for every page I navigate to like recent activity, profile, make payment (!) and finally the logged out confirmation page.

    The AdGuard rule
    ||citibankonline.com/fp/check.js$domain=citibankonline.com
    does the trick.

    But it seems check.js is the common denominator. I do see it in several of the handful of websites I've visited so far where the scans are not active.

    This kind of stuff is way over my pay grade and I use AdGuard's built in "block" feature.

    I'm wondering if a rule blocking check.js itself, even if I could figure that out, if that wouldn't break other things. "check.js" looks pretty generic.
     
  7. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    What does that mean? Does it stop the scans?
    Your You're welcome!
     
  8. guest

    guest Guest

    List of well-known web sites that port scan their visitors
    May 30, 2020
    https://www.bleepingcomputer.com/ne...nown-web-sites-that-port-scan-their-visitors/
     
  9. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,892
    Location:
    Slovenia, EU
  10. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,957
    Location:
    USA
    I read that port scan blocking in AdGuard is achieved by enabling the EasyPrivacy filter.
     
  11. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,892
    Location:
    Slovenia, EU
    It seems that it's the same list that blocks it in uBlock Origin.
     
  12. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    Thanks for the heads up on that.

    I verified the blocking works with EasyPrivacy in AdGuard's Firefox extension where their own privacy filter, AdGuard Tracking Protection, does not. Tested CitiBank and Ameriprise. Both filters dated June 8.

    As I reported in #6 for eBay, it seems Chick-fil-A and ESPN have dumped the scheme as well.

    Wish I had time to test some more. Cheers.
     
  13. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,957
    Location:
    USA
    More than welcome. Thanks for the thread!
     
  14. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,957
    Location:
    USA
    Yes, AdGuard's Chrome extension is where I am able to verify that the EasyPrivacy filter is enabled.
     
  15. Page42

    Page42 Registered Member

    Joined:
    Jun 18, 2007
    Posts:
    6,957
    Location:
    USA
    AdGuard Tracking Protection filter is not the same as the EasyPrivacy filter. In order to find EP filter in AdGuard for Windows 7.4.2, go to --> Settings / Ad Blocker / Installed filters / + Add a filter , which will load available filters, and you can select EasyPrivacy.
     
  16. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    For the time being I'm going to run a sized Developer Tools window next to Firefox while visiting financial, commerce and personal services websites as long as I'm depending on EasyPrivacy at this point in time, until hopefully a more comprehensive solution is developed.

    Unlikely, I believe, in that this hasn't generated as much excitement as the long-running persistent outrage over the CCleaner phone home atrocity. :eek: [/SARC]

    Note that sites can evoke the port scanning not on the home page, but when the user logs into their account.

    The tool is opened by hitting F12. (No doubt, Chrome has a similar feature.) Enabling the WS (websocket) filter in the toolbar keeps things simple.

    With a properly configured blocking solution, some as discussed here, the window will be blank and the status will read "No requests."

    PortScan4wilders.jpg
     
  17. Minimalist

    Minimalist Registered Member

    Joined:
    Jan 6, 2014
    Posts:
    14,892
    Location:
    Slovenia, EU
  18. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    I just caught that BC post in my RSS client. Thanks for posting it up, Minimalist. Just got done installing it in Firefox 77.0.1.

    I removed EasyPrivacy to give it a whirl and Behave! works as advertised.

    I like that it can be toggled off and on from within the icon's panel, Prefs. That's where one finds "Reset monitor data" to clear the data and remove icon's red flag as it doesn't reset itself when leaving the offending site.

    EasyPrivacy added again for Behave! to warn about sites that haven't yet been or won't/can't be added to the list.

    I can't find where the debug log gets written to. Don't have the time to scour its github site right now...
     
  19. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    EasyPrivacy is having difficulty in keeping up as of late.

    WildersPortScan.jpg

    I hope someone is working on a method to whack this ********.
     
  20. Surt

    Surt Registered Member

    Joined:
    Jan 23, 2019
    Posts:
    485
    Location:
    USA
    Google joins in on the fun. On the port 81, no less. This occurred while searching on an actress in Fear the Walking Dead if I thought I recognized her from The Walking Dead. (She was.) If I was actually searching for porn, I would not be using the browser setup wherein this occurred...

    Don't open nitrovideo at work or in polite company or in a family environment.

    GooglePortScan4wilders.jpg
     
    Last edited: Nov 9, 2020
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.