Port scanner in Rostelecom’s personal account

Today, I accidentally discovered that the personal account of Rostelecom is engaged in a completely harmful activity, namely, it scans local services on my computer. Since it’s almost impossible to get sane information from Rostelecom, I decided to point out this problem on Habré, so that habrovans would be aware that we can expect very dubious behavior even from large and serious players.

And now, the actual details.

When I got to work in the morning, I found some wonderful lines from VNC in the system log:

Connections: rejecting blacklisted connection: 127.0.0.1::22715

Those. someone from localhost trying to get on port 5900, then this is a virus or something else worse. Of course, a cold sweat broke through me, and I went to look for this pest. A quick analysis showed that the churning goes every 10 minutes and 11 attempts are made to connect. It remains to find out who does it.
')
Once the connection is blocked, you need to make sure that someone is sitting on it. The easiest way for me was to raise an intelligent tcp-server on a node that does nothing and just keeps the connection.

 server.listen(5900, function () {}); 

I looked at who connected there, it turned out that it was Firefox:



Then I went to find out which of the tabs or firefox extensions it does. It turned out that neither about: peformance, nor about: networking do not show the process id that can make network requests. But I found out that this is the main process of the browser, and not additional for tabs or extensions, which made it difficult to ascertain the pest (yes, I have a lot of tabs, as always, and finding the right one is hard enough).

But with the help of patience, I found a wonderful tab, in the developer console of which there were wonderful lines:



And this tab was Personal Account of Rostelecom. After that, it turned out that the requests are of the following form:



14 enough interesting ports:

Most ports are tools for remotely controlling a computer. It turns out that further we should expect attempts to penetrate these ports from the outside. Why can it be?

I have the following options in my head:

1. My account has been hacked and an attempt is being made to find out the vulnerable computers and set the Trojan user on
2. This is a conscious decision of Rostelecom and an attempt to do something bad to the user.
3. This is a deliberate decision of Rostelecom and an attempt to collect user data.

In this case, my computer is not in the network of Rostelecom, so that these actions look very, very dirty.

UPD: Supplement from sashablashenkov

Judging by this page, this is some kind of Dynatrace Real user monitoring

If you are a customer, go through every digital transaction. No sampling of data, Dynatrace gives you a complete picture, from the frontend to the backend.
Monitor user journeys
Replay individual customer transactions for rapid problem handling
Dynatrace provides a single problem notification
Identify and resolve technical issues proactively

But why does it scan ports - do not understand

UPD2: runalsh clarified that this is not Dynatrace, but group-ib

More details. The script is located at:

https://lk.rt.ru/ruxitagentjs_ICA2SVfhqrux_10169190521113456.js

Those. these are not some external counters or analytics, but their own script.

This script has been obfuscated and the function that accesses ports looks something like this:

 Aa: function () { var a = this.Tg(); this.Qh(a); for (var e = 0; e < this.Ye.length; e++) (function (c, f) { if (!dFN(f.Gg, c) || !dTjh() || dTwb() || dTdc()) { var e = (new Date).getTime(), g = dDmb(Oa(1939), window.location[Ma(1402)] + $e(1358) + c), k; g.then(function () { clearTimeout(k); f.Ec(c, ua(1117), (new Date).getTime() - e, a) }).then(void 0, function () { clearTimeout(k); f.wc[c] ? delete f.wc[c] : f.Ec(c, Lb(1430), (new Date).getTime() - e, a) }); k = G(function () { f.wc[c] = !0; g.te().abort(); f.Ec(c, Mc(1251), (new Date).getTime() - e, a) }, f.$e || 10000) } }) (this.Ye[e], this) }, 

In the Ye array, it contains 14 ports of data, which is initialized in this way:

 this.Ye = b[Uh(1218)]; 

Those. besides minification, in Rostelecom they also added obfuscation, which means they suspected that they were doing something that was not very good, and we should hide it.

What to do next, I do not know. It is clear that it is necessary to configure browsers to protect against this (surprisingly, for some reason, Firefox missed port 5900, although it decided to block others). It makes no sense to write at Rostelecom, because the answers they have are always of the same type and do not differ in some rationality.

But everyone else knows that port scanning can be not only on suspicious sites, but also such decent ones as Rostelecom.

Rostelecom answer :

The press service of Rostelecom reported that the script is used as an “antifraud system to prevent online fraud” by analyzing the user session. This system actually collects data on user activity and looks for "indicators of the compromise of their devices."

The company explained that the anti-fraud system had to be introduced due to the recent attempts at fraud in respect of personal accounts of subscribers and bonus programs of Rostelecom.