| ▲ | dns_snek 3 days ago |
| The "port scan" just seems to be a local connection to 127.0.0.1:8888. I don't know what purpose it serves on this page, but our government websites often use this technique to communicate with native software for digitally signing documents. Are you seeing connection attempts to other IPs? |
|
| ▲ | junon 3 days ago | parent | next [-] |
| Might also be card readers, debug servers, etc. Could also be incompetence :D until I fixed it, deploying from my local machine rather than CD resulted in one of the baked in URLs being localhost rather than the public host on the project I'm working on now. Their local development server might just be at port 8888. Wouldn't surprise me. |
| |
| ▲ | dns_snek 3 days ago | parent [-] |
| I looked at the website again and noticed that the request paths looked odd, one of them being `/400_random_url_with_numbers_403`. I googled that and it looks like it's part of a client-side bot detection script that's testing something, the explanation isn't very informative. https://my.f5.com/manage/s/article/K000138794 |
| > These requests are caused by the bot profile to test the different browser capabilities. |
| > 'http://127.0.0.1:xxxx' request is a call to the localhost/client machine, which is normal when trying to protect assets like end-server using ant-bot defense. It does not have any impact regarding application page load. |
|
|
| ▲ | tifkap 3 days ago | parent | prev [-] |
| This is most likely an attempt to connect to a webserver on your own device to collect data and/or do tracking. Remember back in June when Facebook/Meta got caught tracking users through a webserver on Android phones through Messenger and Instagram? Same thing. See: https://news.ycombinator.com/item?id=44169115 and https://news.ycombinator.com/item?id=44175940 |
| |
| ▲ | dannyw 2 days ago | parent | next [-] |
| Why do you say that’s most likely? This is a common pattern for connecting to smart cards / hardware security devices. Probably a service or hardware that’s run on official CBP machines that should be disabled for prod, but forgot. |
| ▲ | 77pt77 2 days ago | parent [-] |
| This is by far the most likely reason. I personally use pages that authenticate via a smartcard using this exact scheme. There is a Java "plugin" that is nothing but a mini webserver that listens on a specific port and performs authentication. |
| |
| ▲ | darkwater 2 days ago | parent | prev [-] |
| How are you so sure? |
|
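
The localhost requests discussed in this thread can be audited from a captured request log by flagging every request that a public page sends to a loopback address. The following is an added example, not code from any commenter or from F5; the log format, the field names `pageUrl`/`requestUrl` and all sample entries are constructed assumptions.

```javascript
// Added example: find requests that a public page sends to the visitor's own machine.
// SAMPLE_LOG is constructed data; the field names pageUrl/requestUrl are assumptions.
const SAMPLE_LOG = [
  { pageUrl: "https://portal.example/login", requestUrl: "https://portal.example/app.js" },
  { pageUrl: "https://portal.example/login", requestUrl: "http://127.0.0.1:8888/400_random_url_with_numbers_403" },
  { pageUrl: "https://portal.example/login", requestUrl: "http://localhost:8888/status" },
  { pageUrl: "https://portal.example/login", requestUrl: "ws://[::1]:9000/sign" },
  { pageUrl: "https://portal.example/login", requestUrl: "http://2130706433:8888/probe" },
  { pageUrl: "https://portal.example/login", requestUrl: "https://127.0.0.1.cdn.example/x.js" },
  { pageUrl: "http://localhost:3000/", requestUrl: "http://localhost:8888/api" },
  { pageUrl: "https://portal.example/login", requestUrl: "not a url" },
];

// True for loopback names and addresses. Expects URL.hostname, which the WHATWG
// parser has already lower-cased and normalised (decimal/hex IPv4 -> dotted quad).
function isLoopbackHost(hostname) {
  if (hostname === "localhost" || hostname.endsWith(".localhost")) return true;
  if (hostname === "[::1]") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(hostname);
  return m !== null && Number(m[1]) === 127; // all of 127.0.0.0/8
}

function parseUrl(text) {
  try { return new URL(text); } catch { return null; }
}

// Returns one finding per request from a non-loopback page to a loopback target.
function findLoopbackRequests(log) {
  const findings = [];
  for (const { pageUrl, requestUrl } of log) {
    const page = parseUrl(pageUrl);
    const target = parseUrl(requestUrl);
    if (!page || !target) continue;               // skip unparsable entries
    if (isLoopbackHost(page.hostname)) continue;  // local development page
    if (!isLoopbackHost(target.hostname)) continue;
    findings.push({ page: page.origin, target: target.host, path: target.pathname });
  }
  return findings;
}

for (const f of findLoopbackRequests(SAMPLE_LOG)) {
  console.log(`${f.page} -> ${f.target}${f.path}`);
}
```

Comparing on the parsed hostname rather than the raw string is what catches the decimal form `2130706433` and rejects the look-alike domain `127.0.0.1.cdn.example`.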