eBay is found scanning the computer ports of its visitors, without letting them know. While the actual reason is yet to be known, BleepingComputer thinks it’s for detecting the compromised systems, which are used by hackers to place fake orders.
The scan was done through a script that leverages the WebSockets, to connect to a localhost computer. Overall, it’s scanning over 14 ports that comprise mostly remote applications like TeamViewer, AnyDesk, etc.
The 14 Ports
This was first surfaced by Nullsweep, who tried in on browsers visiting eBay. They also determined that this scanning is ports is being done only on Windows machines, leaving out Linux and probably Macs. They had examined the scans done by it, and detected 14 ports exposed as below;
- 5900: VNC Port 1
- 5901: VNC port 2
- 5902: VNC port 3
- 5903: VNC port 4
- 5279: Anyplace Control
- 3389: Windows remote desktop
- 5931: Ammy Admin remote desktop
- 5939: TeamViewer
- 5944: TeamViewer
- 5950: Aeroadmin
- 6039: TeamViewer
- 6040: TeamViewer
- 7070: AnyDesk
- 63333: Called as unknown by BleepingComputer, but claimed as TrippLite power alert UPS by Nullsweep
Breaking down, VNC (Virtual Networking Computer) is a legitimate tool just as others, but actively exploited as a part of botnet forming. Other applications like AnyDesk, TeamViewer, Windows RDP, etc are softwares for remote working. All these can be exploited to get through the system and gain admin access if vulnerable. This is advantageous for launching DDoS attacks or stealing data for ransom later on.
On the other hand, as eBay being the trusted site, it’s believed by BleepingComputer to be scanning those ports to check if the host system is comprised or not. If it did, it can be used by hackers to place orders on behalf of actual customers and may use the card details if saved.