The user “Habra” noticed that the site of Rostelecom is scanning its computer. The provider explained this by fighting fraudsters

The site collects data on user activity under the pretext of security concerns.

The user “Habra” under the pseudonym force told how he accidentally discovered the scanning of local services on his computer by Rostelecom. As it turned out, the personal account of the provider constantly sends requests to the device and tries to secretly collect data.

According to force, he became suspicious when he saw that someone was trying to connect to port 5900. Usually it is used by the RFB protocol, intended for remote access to the desktop of the computer.

Someone from the local computer [user computer] is trying to get on port 5900, which means that it is a virus or something else worse. Of course, a cold sweat broke through me, and I went to look for this pest. A quick analysis showed that the churning goes every 10 minutes and 11 attempts are made to connect. It remains to find out who does it.


user “Habra”

The user has decided that once the connection is blocked, then you need to make sure that “someone is sitting” on it. To do this, he launched an “intelligent” TCP server on Node.js platform, which simply kept the connection using the “server.listen (5900, function () {});” command. As a result, it turned out that Firefox was trying to connect to the port.

Screenshot user “Habra” force

After that, force began to find out which tab or extension does, but the internal browser tools on the about: peformance and about: networking pages did not show the id of the process that made the network requests. Because of the large number of open pages, the Habra user could not find what he needed right away, but later he found a page that made requests — a personal account of Rostelecom.

console tab rostelecom making request
Screenshot user “Habra” force

As learned force, the site scanned at least 14 ports, each of which usually use different network protocols, programs or viruses.

What ports scanned personal account of Rostelecom

  • 5900 – VNC – Remote Desktop Access System using RFB protocol;
  • 6900 – BitTorrent – peer to peer file sharing protocol;
  • 5650 – usually uses Trojan Pizza;
  • 5931 – unknown;
  • 5938 – usually used by the program for remote control of the TeamViewer desktop;
  • 5939 – unknown;
  • 3389 – RDP – Remote Desktop Management Protocol, developed by Microsoft;
  • 8080 – HTTP – arbitrary data transfer protocol;
  • 51 – usually uses the Fuck Lamers Backdoor program, designed for remote surveillance, data collection and management of an infected computer;
  • 443 – HTTPS;
  • 22 – SSH – protocol for remote control of a computer using the command line;
  • 445 – SMB – network protocol for remote access to printers, files and other network resources;
  • 5985 – Microsoft Windows Remote Management – a service for remote management of client and server Windows.

Force decided that since most ports are designed for remote control of a computer, then we should expect attempts to penetrate these ports from the outside. He found several possible explanations for why Rostelecom scans these ports.

  • My account has been hacked, and an attempt is being made to find out the vulnerable computers and to push the Trojan to the user;
  • This is a conscious decision of Rostelecom and an attempt to harm the user;
  • This is a deliberate decision of Rostelecom and an attempt to collect user data.

After that, the user “Habra” under the pseudonym sashablashenkov suggested that Rostelecom uses a script to proactively track users from the Dynatrace company. And another user under the nickname runalsh clarified that this is the development of the Russian company Group-IB.

Later, force found the address of the script on the Rostelecom website. He noted that the code is obfuscated – this means that it was intentionally confused so that the script was harder to learn.

TJ turned to Group-IB for a comment, but the company advised them to contact Rostelecom directly. The press service of the provider said that the script is used as an antifraud system to prevent online fraud.

Ensuring the security of the services provided is one of the main priorities of Rostelecom. The anti-fraud system used in is one of its actions that analyzes the user session. At the same time, data on user activity is collected and indicators of user devices are compromised.

Rostelecom press service

Representatives of Rostelecom called port scanning one of the ways to prevent fraud, along with many others. The company noted that they began to use the antifraud system, because recently there have been frequent attempts at fraud with the personal accounts of subscribers and the company’s bonus programs.

The press service explained that one of the indicators of device compromise are open network ports that are used for remote access. Based on the port scan and analysis of the previous history of user actions, the company makes conclusions about possible threats to the subscriber profile.

Back to top button