security123

Level 20
Reactions on Twitter and other social media sites are negative for the most part. Users criticize eBay for scanning ports at all, and for scanning ports of users who are not signed in to the site.
Have you been to eBay lately? The auction site is a popular destination to buy new and used items. It may surprise you that eBay is running a local port scan when you access the site in a browser.

I verified the port scan on ebay.com and ebay.de using built-in developer tools of several web browsers. It is likely that other eBay sites will also run the port scan.

ebay port scan


You can verify this easily. Use a browser such as Google Chrome, Firefox, Brave, Microsoft Edge or Vivaldi. Open a new Tab page and hit the F12 button to open the Developer Tools of the web browser. Switch to the Network tab in the Developer Tools and load the eBay website in the browser's address bar.

Wait for the page to load and look for 127.0.0.1 in the name in the list of connections. These are the scans that eBay performs when you connect to the site.

You can click on the connection to look up additional information; doing so reveals the port that is scanned by eBay. The scan is run by check.js, a JavaScript that is executed on eBay when users connect to the site. It uses WebSockets to perform the lookups on the local system using the specified port, and the scans occur regardless of sign-in state.

Bleeping Computer created a handy table that lists the ports:

ProgramEbay NamePort
UnknownREF63333
VNCVNC5900
VNCVNC5901
VNCVNC5902
VNCVNC5903
Remote Desktop ProtocolRDP3389
AeroadminARO5950
Ammyy AdminAMY5931
TeamViewerTV05939
TeamViewerTV16039
TeamViewerTV25944
TeamViewerTV26040
Anyplace ControlAPC5279
AnyDeskANY7070

Most of the ports are used by remote desktop applications such as VNC, Teamviewer, or Windows Remote Desktop. The eBay name is an abbreviation of the remote desktop software.

Nullsweep, the site that reported the issue first, discovered that the port scans were not run on Linux client systems.

ebay firefox port scan


It is unclear why eBay is running the port scans. A likely explanation is that it is done to combat fraud, e.g. by taking over a computer, establishing a remote desktop connection and either making purchases on eBay, through fake auctions, or other means.
What you may do about it
If you don't want your systems to be port scanned by eBay whenever you connect to the site, you may be able to do something about it.
  1. Block the check.js script in a content blocker.
  2. In some browsers, e.g. Firefox, disable Web Sockets.
The eBay site loads the check.js script from the following URL currently: https://src.ebay-us.com/fp/check.js

The URL may change and it is different when you connect to localized eBay sites, e.g. eBay.de.

The other option, to disable WebSockets entirely, may lead to incompatibilities and loading issues on sites. Still, it is possible in Firefox by setting the parameter network.websocket.max-connections to 0.
 

SeriousHoax

Level 28
Verified
Malware Tester
I don't understand why they port scan based on remote access ports .
It is unclear why eBay is running the port scans. A likely explanation is that it is done to combat fraud, e.g. by taking over a computer, establishing a remote desktop connection and either making purchases on eBay, through fake auctions, or other means.
 

SeriousHoax

Level 28
Verified
Malware Tester
Still these is extreme measures that will make eBay untrustworthy by many .
And it won't stop hackers .
They will just use regular networking ports in there rats to avoid abnormal behavior.
I agree. I'm waiting for an official response from ebay. It would be interesting to see what they say about it and whether they'll stop doing it or not.
 

SeriousHoax

Level 28
Verified
Malware Tester
I have that in my uBlock Origin i dont see ebay check.js :unsure:
Do you block third party scripts? By default I do so and you won't find this check.js in that case. I disabled third party script blocking for that site for testing only and then found the blocked script in log. In the log search "check" and you should find it.
 

SeriousHoax

Level 28
Verified
Malware Tester
i dont block it and i searched dont see ''check'' in the log in ublock origin i tried refresh ebay page no found ''check'' maybe ebay changed it
It's still there. I just checked both on Firefox and Edge. I'm not sure why you're not seeing it in the log even with EasyPrivacy enabled.
Btw, on Firefox, to block it, EasyPrivacy is not required. Even the default filter lists can block it thanks to Firefox and uBlock Origin's ability to uncloak cname on Firefox. It's blocked via cname uncloaking of "online-metrix.net" present in "Peter Lowe’s Ad and tracking server list".
 

SumTingWong

Level 24
Verified
Do you block third party scripts? By default I do so and you won't find this check.js in that case. I disabled third party script blocking for that site for testing only and then found the blocked script in log. In the log search "check" and you should find it.
I don't see it.
 
Top