eBay is port scanning your system when you load the webpage

  • Thread starter ForgottenSeer 85179
  • Start date
F

ForgottenSeer 85179

Thread author
Reactions on Twitter and other social media sites are negative for the most part. Users criticize eBay for scanning ports at all, and for scanning ports of users who are not signed in to the site.
Have you been to eBay lately? The auction site is a popular destination to buy new and used items. It may surprise you that eBay is running a local port scan when you access the site in a browser.

I verified the port scan on ebay.com and ebay.de using built-in developer tools of several web browsers. It is likely that other eBay sites will also run the port scan.

ebay port scan


You can verify this easily. Use a browser such as Google Chrome, Firefox, Brave, Microsoft Edge or Vivaldi. Open a new Tab page and hit the F12 button to open the Developer Tools of the web browser. Switch to the Network tab in the Developer Tools and load the eBay website in the browser's address bar.

Wait for the page to load and look for 127.0.0.1 in the name in the list of connections. These are the scans that eBay performs when you connect to the site.

You can click on the connection to look up additional information; doing so reveals the port that is scanned by eBay. The scan is run by check.js, a JavaScript that is executed on eBay when users connect to the site. It uses WebSockets to perform the lookups on the local system using the specified port, and the scans occur regardless of sign-in state.

Bleeping Computer created a handy table that lists the ports:

ProgramEbay NamePort
UnknownREF63333
VNCVNC5900
VNCVNC5901
VNCVNC5902
VNCVNC5903
Remote Desktop ProtocolRDP3389
AeroadminARO5950
Ammyy AdminAMY5931
TeamViewerTV05939
TeamViewerTV16039
TeamViewerTV25944
TeamViewerTV26040
Anyplace ControlAPC5279
AnyDeskANY7070

Most of the ports are used by remote desktop applications such as VNC, Teamviewer, or Windows Remote Desktop. The eBay name is an abbreviation of the remote desktop software.

Nullsweep, the site that reported the issue first, discovered that the port scans were not run on Linux client systems.

ebay firefox port scan


It is unclear why eBay is running the port scans. A likely explanation is that it is done to combat fraud, e.g. by taking over a computer, establishing a remote desktop connection and either making purchases on eBay, through fake auctions, or other means.
What you may do about it
If you don't want your systems to be port scanned by eBay whenever you connect to the site, you may be able to do something about it.
  1. Block the check.js script in a content blocker.
  2. In some browsers, e.g. Firefox, disable Web Sockets.
The eBay site loads the check.js script from the following URL currently: https://src.ebay-us.com/fp/check.js

The URL may change and it is different when you connect to localized eBay sites, e.g. eBay.de.

The other option, to disable WebSockets entirely, may lead to incompatibilities and loading issues on sites. Still, it is possible in Firefox by setting the parameter network.websocket.max-connections to 0.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,452
No websockets in Yandex (firewall and adguard disabled). Though the browser tries to connect via TCP Loopback, but no packets are sent.
 

Attachments

  • capture_05252020_145455.jpg
    capture_05252020_145455.jpg
    334.1 KB · Views: 245
  • capture_05252020_150100.jpg
    capture_05252020_150100.jpg
    273.5 KB · Views: 256

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
I don't understand why they port scan based on remote access ports .
It is unclear why eBay is running the port scans. A likely explanation is that it is done to combat fraud, e.g. by taking over a computer, establishing a remote desktop connection and either making purchases on eBay, through fake auctions, or other means.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
Still these is extreme measures that will make eBay untrustworthy by many .
And it won't stop hackers .
They will just use regular networking ports in there rats to avoid abnormal behavior.
I agree. I'm waiting for an official response from ebay. It would be interesting to see what they say about it and whether they'll stop doing it or not.
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
I have that in my uBlock Origin i dont see ebay check.js :unsure:
Do you block third party scripts? By default I do so and you won't find this check.js in that case. I disabled third party script blocking for that site for testing only and then found the blocked script in log. In the log search "check" and you should find it.
 

CyberTech

Level 44
Verified
Top Poster
Well-known
Nov 10, 2017
3,247
i dont block it and i searched dont see ''check'' in the log in ublock origin i tried refresh ebay page no found ''check'' maybe ebay changed it
 

SeriousHoax

Level 47
Well-known
Mar 16, 2019
3,630
i dont block it and i searched dont see ''check'' in the log in ublock origin i tried refresh ebay page no found ''check'' maybe ebay changed it
It's still there. I just checked both on Firefox and Edge. I'm not sure why you're not seeing it in the log even with EasyPrivacy enabled.
Btw, on Firefox, to block it, EasyPrivacy is not required. Even the default filter lists can block it thanks to Firefox and uBlock Origin's ability to uncloak cname on Firefox. It's blocked via cname uncloaking of "online-metrix.net" present in "Peter Lowe’s Ad and tracking server list".
 

SumTingWong

Level 28
Verified
Top Poster
Well-known
Apr 2, 2018
1,706
Do you block third party scripts? By default I do so and you won't find this check.js in that case. I disabled third party script blocking for that site for testing only and then found the blocked script in log. In the log search "check" and you should find it.

I don't see it.
 
  • Like
Reactions: Cortex

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top