Recently, I was tipped off about certain sites performing localhost port scans against visitors, presumably as part of a user fingerprinting and tracking or bot detection. This didn’t sit well with me, so I went about investigating the practice, and it seems many sites are port scanning visitors for dubious reasons.
A Brief Port Scanning Primer
Port Scanning is an adversarial technique frequently used by penetration testers and hackers to scan internet facing machines and determine what applications or services are listening on the network, usually so that specific attacks can be carried out. It’s common for security software to detect active port scans and flag it as potential abuse.
Most home routers don’t have any open ports, so scanning an internet users IP address is unlikely to return any meaningful data. However, many users run software on their computer that listens on ports for various reasons – online gaming, media sharing, and remote connections are just a few things that consumers might install on a home PC.
A Port scan can give a website information about what software you are running. Many ports have a well defined set of services that use them, so a list of open ports gives a pretty good view of running applications. For instance, Steam (a gaming store and platform) is known to run on port 27036, so a scanner seeing that port open could have reasonable confidence that the user also had steam open while visiting the web site.
Watching Ebay Port Scan My Computer
In the past I have worked on security products that specifically worried about port scanning from employee web browsers. Attack frameworks like BeEF include port scanning features, which can be used to compromise user machines or other network devices. So, I wanted to be able to alert on any port scanning on machines as a potential compromise, and a site scanning localhost might trip those alerts.
On the other hand, it’s been reported on a few times in the past as banks sometimes port scan visitors, and I have heard Threat Matrix offers this as a customer malware detection check.
I was given the example of ebay as a site that includes port scanning, but when I initially navigated there I didn’t see any suspicious behavior. I thought they might use some heuristics to determine who to scan, so tried a few different browsers and spoofed settings, without any luck.
I thought it might be because I run Linux, so I created a new Windows VM and sure enough, I saw the port scan occurring in the browser tools from the ebay home page.
Looking at the list of ports they are scanning, they are looking for VNC services being run on the host, which is the same thing that was reported for bank sites. I marked out the ports and what they are known for (with a few blanks for ones I am unfamiliar with):
- 5900: VNC
- 5901: VNC port 2
- 5902: VNC port 3
- 5903: VNC port 4
- 3389: Windows remote desktop / RDP
- 5931: Ammy Admin remote desktop
- 5950: WinVNC
- 6039: X window system
- 6040: X window system
- 63333: TrippLite power alert UPS
- 7070: RealAudio
VNC is sometimes run as part of bot nets or viruses as a way to remotely log into a users computer. There are several malware services that leverage VNC for these purposes. However it is also a valid tool used by administrators for remote access to machines, or by some end user support software, so the presence of VNC is a poor indicator of malware.
Furthermore, when I installed and ran a VNC server, I didn’t detect any difference in site behavior – so why is it looking for it?
How Port Scanning with WebSockets Works
WebSockets are intended to allow a site to create bi-directional communication like traditional network sockets. This allows sites to periodically send information to a client browser without user interaction or front end polling, which is a win for usability.
When a web socket is configured, it specifies a destination host and port, which do not have to be the same domain that the script is served from. To do a port scan, the script only has to specify a private IP address (like localhost) and the port it wishes to scan.
WebSockets only speak HTTP though, so unless the host and port being scanned are a web socket server, the connection won’t succeed. In order to get around this, we can use connection timing to determine whether the port is open or not. Ports that are open take longer in the browser, because there is a TLS negotiation step.
You also might get different error messages. If you have python installed, try running the following to create a local web server running on port 8080:
python3 -m http.server 8080
> var s = new WebSocket("ws://127.0.0.1:8080") < undefined VM1131:1 WebSocket connection to 'ws://127.0.0.1:8080/' failed: Error during WebSocket handshake: Unexpected response code: 200 (anonymous) @ VM1131:1 >var s = new WebSocket("ws://127.0.0.1:8081") <undefined VM1168:1 WebSocket connection to 'ws://127.0.0.1:8081/' failed: Error in connection establishment: net::ERR_CONNECTION_REFUSED
Between error message introspection and timing attacks, a site can have a pretty good idea of whether a given port is open.
Port Scanning is Malicious
Whether the port scan is used as part of an infection or part of e-commerce or bank “security checks”, it is clearly malicious behavior and may fall on the wrong side of the law.
If you observe this behavior, I encourage you to complain to the institution performing the scans, and install extensions that attempt to block this kind of phenomenon in your browser, generally by preventing these types of scripts from loading in the first place.