The scan was done by a script that uses WebSockets to connect to ports on the visitor's own computer (localhost). In total, it scans 14 ports, most of which belong to remote-access applications such as TeamViewer and AnyDesk.
The 14 Ports
This was first surfaced by Nullsweep, who tried it on browsers visiting eBay. They also determined that this port scanning is done only on Windows machines, leaving out Linux and probably Macs. They examined the scans and identified the 14 ports listed below:
5900: VNC port 1
5901: VNC port 2
5902: VNC port 3
5903: VNC port 4
5279: Anyplace Control
3389: Windows remote desktop
5931: Ammy Admin remote desktop
5939: TeamViewer
5944: TeamViewer
5950: Aeroadmin
6039: TeamViewer
6040: TeamViewer
7070: AnyDesk
63333: Described as unknown by BleepingComputer, but identified as TrippLite power alert UPS by Nullsweep
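As an added example (not code from eBay, Nullsweep or BleepingComputer), the JavaScript below shows how a defender could review a log of WebSocket connections opened by web pages and flag pages that probe loopback ports from the list above. The log entry shape, the sample data and the three-port threshold are assumptions made for illustration.

```javascript
// Port labels are taken from the list above.
const WATCHED_PORTS = new Map([
  [5900, "VNC"], [5901, "VNC"], [5902, "VNC"], [5903, "VNC"],
  [5279, "Anyplace Control"], [3389, "Windows remote desktop"],
  [5931, "Ammy Admin"], [5939, "TeamViewer"], [5944, "TeamViewer"],
  [5950, "Aeroadmin"], [6039, "TeamViewer"], [6040, "TeamViewer"],
  [7070, "AnyDesk"], [63333, "unknown / TrippLite (per Nullsweep)"],
]);

// True for localhost, 127.0.0.0/8 and the IPv6 loopback address.
function isLoopback(hostname) {
  const h = hostname.replace(/^\[|\]$/g, "").toLowerCase();
  return h === "localhost" || h === "::1" || /^127(\.\d{1,3}){3}$/.test(h);
}

// entries: [{ page, url }] where page is the origin that opened the socket
// (assumed log shape). Returns one summary object per page.
function findLocalProbes(entries) {
  const byPage = new Map();
  for (const { page, url } of entries) {
    let u;
    try { u = new URL(url); } catch { continue; } // skip malformed URLs
    if (u.protocol !== "ws:" && u.protocol !== "wss:") continue;
    if (!isLoopback(u.hostname)) continue;
    // URL drops default ports, so restore 80/443 when port is empty.
    const port = Number(u.port || (u.protocol === "wss:" ? 443 : 80));
    if (!byPage.has(page)) byPage.set(page, new Set());
    byPage.get(page).add(port);
  }
  return [...byPage].map(([page, ports]) => {
    const sorted = [...ports].sort((a, b) => a - b);
    return {
      page,
      ports: sorted,
      watched: sorted.filter((p) => WATCHED_PORTS.has(p)),
      // Assumed heuristic: 3+ distinct loopback ports from one page looks like a scan.
      scanLike: sorted.length >= 3,
    };
  });
}

// Constructed sample log, not captured traffic.
const SAMPLE = [
  { page: "https://shop.example", url: "wss://127.0.0.1:5900/" },
  { page: "https://shop.example", url: "wss://127.0.0.1:5939/" },
  { page: "https://shop.example", url: "wss://127.0.0.1:7070/" },
  { page: "https://shop.example", url: "wss://127.0.0.1:3389/" },
  { page: "https://dev.example", url: "ws://localhost:8080/livereload" },
  { page: "https://chat.example", url: "wss://chat.example/socket" },
];
console.log(JSON.stringify(findLocalProbes(SAMPLE), null, 2));
```

A single loopback connection, such as a development live-reload socket, is reported but not marked as scan-like; only a page that touches several distinct loopback ports is.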
But Why?
To break it down: VNC (Virtual Network Computing) is a legitimate tool, like the others, but it is actively exploited as part of botnet building. Other applications such as AnyDesk, TeamViewer and Windows RDP are software for remote working. All of these can be exploited to get into the system and gain admin access if vulnerable. This is advantageous for launching DDoS attacks or stealing data for ransom later on. On the other hand, since eBay is a trusted site, BleepingComputer believes it is scanning those ports to check whether the host system is compromised. If it is, it can be used by hackers to place orders on behalf of actual customers, and they may use the card details if saved.
Via: BleepingComputer