[ 3 / biz / cgl / ck / diy / fa / g / ic / jp / lit / sci / tg / vr / vt ] [ index / top / reports / report a bug ] [ 4plebs / archived.moe / rbt ]

/vt/ is now archived.Become a Patron!

/g/ - Technology

View post   

[ Toggle deleted replies ]
File: 58 KB, 500x500, 1496132734041.jpg [View same] [iqdb] [saucenao] [google] [report]
61017968 No.61017968 [Reply] [Original] [archived.moe] [rbt]

4chan makes a websocket connection to a.ekansovi.com

I haven't looked at what it sends/receives, anyone know?

I blocked it in my hosts file to be safe

pic unrelated

>> No.61018193


>> No.61018387
File: 4 KB, 208x206, 1483749598115.jpg [View same] [iqdb] [saucenao] [google] [report]

Stop telling lies on anonymous imageboards

>> No.61018408

What is he lying about, varg?

>> No.61018427
File: 348 KB, 1814x940, 1480456729982.png [View same] [iqdb] [saucenao] [google] [report]

hello Ekansovi

>> No.61018476


>> No.61018482

I heard it was that Jordan tripcunt from here who trolled the 4chan app maker into adding it.
Too lazy to find the thread about it though, something about obfuscation and coffee scripts

>> No.61018483

I don't have it. You must have adware or some shit installed.

>> No.61018499
File: 43 KB, 1365x663, websocket.png [View same] [iqdb] [saucenao] [google] [report]

forgot pic

>> No.61018530

Sounds halfway right. the connection code is heavily obfuscated. 4chans javascript or some third party? I'm using 4chan-X
do you use 4chan-X?

>> No.61018540


>> No.61018716

you must have s.4cdn.org blocked which is providing the script

>> No.61018757
File: 15 KB, 1747x217, 2017-06-21 19_39_07-(0) _g_ - a.ekansovi.com - Technology - 4chan.png [View same] [iqdb] [saucenao] [google] [report]

yea deffo odd

>> No.61018762
File: 30 KB, 533x418, umatrix.png [View same] [iqdb] [saucenao] [google] [report]


>> No.61018785

all of the connection code is obfuscated

meant to specify script connections, but yea. explains that

unfortunately chrome websocket debugging doesnt show binary payloads, and sniffing with wireshark would require me to decrypt packets manually. so unless someone wants to reverse the obfuscated code, who knows what its sending/receiving

>> No.61019311


Not him, are you guys talking about
>Use Faster Image Host: Change is*.4chan.org links to point to the faster i.4cdn.org host.
In 4chan-X?
I enabled it in the setting and not blocking it also got no all of this evan bullshitery.

>> No.61019383

Here's an analysis of it I did for /g/sec. (There are also links to deobfuscated stuff in there)

>> No.61021784

Normie here. Can anyone tell me in layman's terms what exactly sort of information this is collecting? Also, is removing it as simple as blocking the URL in ublock / hosts and clearing my browser cache / cookies?

>> No.61021908

>Can anyone tell me in layman's terms what exactly sort of information this is collecting?
We don't know, it's either an ad agency hiromoot contacted trying to bypass ad blockers using various methods, or the NSA/Illuminati/FBI backtracking you

>as simple as blocking the URL in ublock
not really; in latest Chromium, even if uBlock Origin is able to access the websockets api in that browser there are still attempts to exploit the browser/ad blocker via webrtc, so you'll likely need uBO-extra 2.25 (with a special "defuse" rule for 4chan, now added to a list of rogue websites)
In firefox you've better disable WebRTC completely, still you'll see ekansovi.com references in uBlock Origin AND uMatrix even if you keep them both installed (one will block an https connection to ekansovi, the other one will block a wss); the about:webrtc page isn't detailed as in Chromium anyway it won't appear anything if you disabled all those media.peerconnection in about:config (if you're total normie, use an extension like "Privacy Settings" and disable everything under "Media")

adding this ekansovi to your hosts file should always work

>> No.61021939

>I blocked it in my hosts file to be safe

The only reasonable action to do with the websocket faggotry, besides using a websocket disabler addon.

>> No.61021966


>> No.61022088
File: 137 KB, 452x846, 1498117524485.png [View same] [iqdb] [saucenao] [google] [report]

>looks like some analytics for ad clicking
Who clicks ads on 4chan anyway? Sounds utterly pointless.

>> No.61023630
File: 221 KB, 562x849, Screenshot_20170620_111825.png [View same] [iqdb] [saucenao] [google] [report]

very bad

>> No.61026391

Strange no listings here too

>> No.61026830
File: 1.58 MB, 1280x1024, Lola_Bunny_Wallpaper.png [View same] [iqdb] [saucenao] [google] [report]

Crazy retard Lola > classic Lola

>> No.61026914

New Lola is best Lola.

>> No.61027313

We've had hardware backdoors since at least 2009.
Get used to it, 4chan lost its anonimity long ago.

>> No.61027819


a websocket connection is what you would use when you need to stream data.

They already know exactly what pages you are visiting and exactly what you post, so it isn't that.

they could be using our connection to mine buttcoins

>> No.61028454


>> No.61028503

Check ublock behind the scenes

>> No.61028576
File: 28 KB, 524x306, Egg of Ekans.png [View same] [iqdb] [saucenao] [google] [report]

Is there a pattern to when ekansovi appears and when it doesn't? For me it shows up randomly and continues to be requested on every thread I enter for a random amount of time. And then it vanishes.
The board I'm on, the thread I'm in, the number of posts I make, it doesn't seem to have any effect.
I may be mistaken, but it seem way more likely to appear if I go on other sites. It appeared instantly after I went on Pinterest to see if it would trigger anything back here.

>> No.61028577
File: 157 KB, 720x1080, 1498014160746.jpg [View same] [iqdb] [saucenao] [google] [report]


it's probably nothing you paranoid autist

>> No.61028591

it uses WebRTC for that purpose, read the (archived) thread.

>> No.61028600

What the fuck happened to the other thread. I was just in it.

>> No.61028601
File: 114 KB, 1069x673, not blocking ekansovi.png [View same] [iqdb] [saucenao] [google] [report]

Why arent you blocking it?

>> No.61028613

That's not enough. Read the archived thread.

>> No.61028658
File: 22 KB, 450x300, huma crying2 28-10-2016.jpg [View same] [iqdb] [saucenao] [google] [report]

>it's probably nothing


>> No.61028693


Do you have the cookie then?

>> No.61028713

Follow the steps in >>61027267
if you're using only uMatrix (why? cosmetic filtering is sorely needed) then you have to disable WebRTC entirely. If you're on Chromium, you can't disable WebRTC entirely and you need uBO-extra (and therefore uBO).

>> No.61028950

I know, but I'm not as concerned with blocking it as I am about learning what it is.

>> No.61029715

ekans is snake backwards

>> No.61029937

I'm running Safari on my laptop... I've uBlock Origin installed, and the dev console gives me an error saying: WebSocket network error: The operation couldn’t be completed. Connection refused

AFAIK Safari doesn't even support WebRTC.

Am I safe?

>> No.61030005

So just blocking ekansovi in my host file should sort this shit out right?

>> No.61030015

Snakes in literature often represent penis.

>> No.61030033


And chaos

>> No.61030065

You should be safe if there is no webTRC
No, you need to block the sub domain as well.

Link for others who don't know how.

>> No.61030158


Oright cheers

>> No.61030192

How do i know if i blocked it?

>> No.61030277

wireshark packet by packet analysis

>> No.61030329

Yes Jordan, they do.

>> No.61030359


no need to thank me

>> No.61030370

Do Linux systems have something equivalent to the Windows Host file?

>> No.61030395


You dont need to do all this though

>> No.61030404

Please give a more detailed walk-through for the noobs anon-kun~

>> No.61030505

>'My Rules' Tab
* wss://a.ekansovi.com websocket block
* wss://ekansovi.com websocket block
Just two lines and done. Make sure you have uBlock Extra installed for chrome based and disable webRTC on Firefox.

>> No.61030523

Also make you you press save and commit.

>> No.61030564

Yes, it's on /etc

>> No.61030609

Anyone else using 4chan x getting an image corrupted message everytime they try to post an image?

>> No.61030621



>> No.61030630

> a.ekansovi.com
> ekansovi.com
> xhr.ekansovi.com
Anything else I need to block?

>> No.61030642
File: 177 KB, 962x770, Don't be a pussy, let evans in.png [View same] [iqdb] [saucenao] [google] [report]


>> No.61030646 [DELETED] 

So much n00bz ITT

All you need is this extension https://chrome.google.com/webstore/detail/thats-pretty-good-idubbbz/pnidecdngnainebcfbmebgpkmnmljdng

>> No.61030663
File: 65 KB, 360x277, 1300996647186.jpg [View same] [iqdb] [saucenao] [google] [report]


I can post images, im just getting an error message for no reason

>> No.61030667
File: 444 KB, 542x732, 20151121_204942.png [View same] [iqdb] [saucenao] [google] [report]

lets see

>> No.61030688
File: 720 KB, 1169x736, streaming is for fags.png [View same] [iqdb] [saucenao] [google] [report]

I am not getting the error.

>> No.61030735
File: 68 KB, 749x540, 1300469244416.jpg [View same] [iqdb] [saucenao] [google] [report]

Good for you friendo

>> No.61030769

That string is literally just the title of the thread.

Wtf happened to this board?

>> No.61030790

Not enough
and not enough, see >>61028713

Yes, it's a consequence of the updated CSP filter on uBlock Origin. If you have updated your filters recently and you're on firefox, the CSP injection uBlock does unfortunately triggers that error. You can disregard that alert, your image would be uploaded successfully.

>> No.61030800

It's registered to Digital Ocean when I ran whois

>> No.61030807

WebRTC, see >>61028713

see >>61030790

>> No.61030836

>and not enough, see >>61028713

That's extra shit, its not even needed.

>> No.61030845
File: 211 KB, 1200x1920, Screenshot_2017-06-22-15-25-05.png [View same] [iqdb] [saucenao] [google] [report]

>checks 3rd party connections
>have ekansovi unblocked

How mych did I fuck up /g/

>> No.61030862


>You can disregard that alert, your image would be uploaded successfully.

How do i disregard the alert?

>> No.61030867

How do I block this without disabling WebRTC ?

Need it for discord

>> No.61030883
File: 14 KB, 615x34, Capture.jpg [View same] [iqdb] [saucenao] [google] [report]

ublock seems to be blocking it just fine

>> No.61030893

it's needed since uBlock and uMatrix can't perform content filtering un WebRTC AND via WebRTC a new unfilterable websocket is opened. Manually filtering wss won't really filter anything, and it won't show up in the logger. Please check the linked posts.

Disregarding it.

>> No.61030896

Haha fight me ekansovi

>> No.61030900


>Disregarding it.

Yeah, how

>> No.61030904

you kind is beyond salvation

>> No.61030918

Click "post" and your unacceptable image will be accepted.

>> No.61030927

Fuck off, I just said the shit on my rules is not needed since the Ublock Filters covers it.

>> No.61030931


Right my bad, i know that

I thought you were imlpying that you could disregard it in ublock and stop the error

>> No.61030965

that's not enough, update your uBlock filters. You should see only CSP-related errors.
On chromium
>Refused to connect to 'wss://a.ekansovi.com/wsp' because it violates the following Content Security Policy directive: "connect-src https: http:".
On firefox
>Content Security Policy: The page’s settings blocked the loading of a resource at wss://a.ekansovi.com/wsp (“connect-src https: http:”).

and so on.

>I can't post in an intelligible form
you're pardoned

>> No.61030997

a tablet you virgin neckbeard

>> No.61031004

btw, on Chromium the error doesn't show up in Console if you install (as you should) uBO-extra, to allow early "defusion" of the eval js.

>> No.61031017

This shit is nothing new. This ekansovi has been here for months.

>> No.61031038

one month; gorhill looked at it yesterday releasing a new uBO-extra and updating the defualt rules for uBO, explicitly referencing a thread made here.

>> No.61031056

if possible, that's even worse.

>> No.61031079

The fact that shit had been running on my computer for a month without ublock or umatrix catching makes me feel even more paranoid than I was before.

>> No.61031119

what is the worst thing that could have happened?

>> No.61031123

if you either
- had js completely disabled
- had WebRTC completely disabled AND blacklisted explicitly this strange domain
you're golden.

>> No.61031158
File: 375 KB, 300x237, 1473171383343.gif [View same] [iqdb] [saucenao] [google] [report]

>if you have nothing to hide you have nothing to worry amirite guys let's send all our backlogs to some rogue ad company what could ever happen :^)

>> No.61031312

filtering via hosts is a temporary patch, not a solution
the xhr subdomain doesn't resolve anymore
the a subdomain now resolve to, and the same goes for main domain

no more than few hours ago they were live, now they have shut it down (temporarily?)

probably they are shifting domains already.

Disable WebRTC completely and keep your filters updated, that's the only solution. This or stop visiting 4chan I guess

>> No.61031325

Can you tell if it is completely blocked by whether anything shows up in local storage? I know at least some of the connections store something there, but I don't know if they all do.

>> No.61031337

Why dont we just kill Hiro and give the site back to moot

He wont jew us

>> No.61031358

>moot won't jew us

>> No.61031549

installing umatrix breaks 4chan x, what do?

>> No.61031595

No it doesn't, you are using it wrong.

>> No.61031613

how do I use it right then?

>> No.61031649
File: 49 KB, 1306x546, 2017-06-22 16_15_10-WebRTC Internals.png [View same] [iqdb] [saucenao] [google] [report]

i just installed uBO extra and it seems to have nipped it in the bud. pic related is before. after that screen is completely blank. https://github.com/gorhill/uBO-Extra

it also no longer shows in console that connection was refused (it simply doesnt show up in console at all now).

is there a downside to completely disabling webRTC (or wss) in chrome? if not, how would i do this?

im trying to find a set it and forget it solution, as host files and blocking by hostname are obviously not enough since they can be changed on a whim.

>> No.61031678

No, looking at your local storage won't tell you if you streamed all your data via WebRTC-activated websockets to (((them)))

uMatrix is unrelated and ultimately not enough; both uMatrix and uBlock can't filter WebRTC. They can filter websockets but this is something different.

I investigated the xhr.ekansovi.com sni tls cert few hours ago and both the cert and the domain were there. Now the subdomain doesn't resolve and the other subdomain resolve to
Nice, (((they))) have taken this botnet down now that (((they))) have been caught using these dirty tricks (and I'd say, this WebRTC exploit)
Probably they didn't like people started to investigate a STUN request did open a websocket to some remote server. Maybe they'll use the trick elsewhere or here with a different domain

>> No.61031682

Penis eggs, mystery solved

>> No.61031694
File: 6 KB, 711x82, 4cha_mod_irc.png [View same] [iqdb] [saucenao] [google] [report]


>> No.61031700

Hiro must be stopped

>> No.61031735

>is there a downside to completely disabling webRTC (or wss) in chrome? if not, how would i do this?
You can't disable WebRTC completely in Chrome; wss is a different thing and it could be handled by uMatrix/uBlock, unless it's started using this "exploit".

You should switch browser. If you really can't like firefox, consider ungoogled-chromium (it has WebRTC disabled).

That's inconsiderate. We're not talking about ads, we're talking about a rogue ad company using (pretty literal) exploits.

>> No.61031736

but its not an ad. tell the mods this. its a security risk.

>> No.61031753

does Iridium disable WebRTC?

>> No.61031754


>expecting some 12 yerar old mod to understand the issue

>> No.61031768

so use the feedback page desu
It works.

>> No.61031852

it has some WebRTC-related enhancements
but ungoogled-chromium seems to gather the patch for this from the inox patchset

>> No.61031857
File: 16 KB, 205x274, 1496373819857.gif [View same] [iqdb] [saucenao] [google] [report]


>> No.61031864
File: 112 KB, 400x300, 1298923695276.jpg [View same] [iqdb] [saucenao] [google] [report]

>> No.61031943

My ubo shows green for this domain does that mean I dont have the right filters?

>> No.61031944

Are developer or nightly worth getting over regular firefox?

>> No.61031988

>Probably they didn't like people started to investigate [how] a STUN request did open a websocket to some remote server. Maybe they'll use the trick elsewhere or here with a different domain
what's worse if that this "incident" will now be forgotten (I wouldn't be surprised to see ekansovi completely disappear from the pages now that they've taken it off); but pretty much everyone with WebRTC enabled (the standard in any modern browser) could have sent (and could send in the future) who knows what to who knowns who on pretty much any web page running javascript.

You're ok; assuming you're on firefox, if you check the Console you'll probably see that the connection has been blocked via Content Security Policy thanks to the new uBlock filters.
Note that however now a.ekansovi.com resolves to

>> No.61032007

Domain is nowhere listed in my enviroment.

Not in pi-hole log
Not in local DNS logs
Not in uBlock
Not in Firefox
Not in NoScript

Made a blacklist entry in pi-hole just in case

>> No.61032010
File: 91 KB, 1905x913, ekansovi.png [View same] [iqdb] [saucenao] [google] [report]

Please elaborate

>> No.61032026

>Web Category: Content Server
>Last Seen: 2017-06-22

>> No.61032037

>Note that however now a.ekansovi.com resolves to
and you don't have to believe me, if you don't have a terminal at hand check yourself here


filtering the domain name is moot, see >>61031312 and replies

>> No.61032046
File: 142 KB, 259x348, moot smile.png [View same] [iqdb] [saucenao] [google] [report]


>filtering the domain name is moot

>> No.61032058
File: 53 KB, 994x911, 1490067139266.png [View same] [iqdb] [saucenao] [google] [report]

>> No.61032063
File: 2.34 MB, 1600x1200, poop.webm [View same] [iqdb] [saucenao] [google] [report]

>Disable WebRTC
Palemoon doesn't have this problem.

Also, disabling websockets entirely is what people should be doing.

>> No.61032088

>Thinking you can stop (((them))) from getting your data


>> No.61032152
File: 184 KB, 484x1970, dig.png [View same] [iqdb] [saucenao] [google] [report]

Thats interesting.

>> No.61032172

few hours ago it pointed to CF servers.

>> No.61032175

Fine. I disabled webrtc in Firefox.

I won't disable websocket though because html5

>> No.61032195

Is almost like they literally
>the goyim know. shut it down.

>> No.61032198
File: 21 KB, 200x283, 1472688470282.jpg [View same] [iqdb] [saucenao] [google] [report]

>using firefox

>> No.61032234
File: 47 KB, 600x623, Lolwutmate.jpg [View same] [iqdb] [saucenao] [google] [report]

>using SJW BOTNET...

>> No.61032253

>I won't disable websocket though because html5
>nug gaymes

>> No.61032277

>rogue ad company

oh no i might see an ad for penis cream

who cares

>> No.61032281

I want to creampie nana chan. Also, what do IRC mods even do nowadays? You can't even ask them to review bans now.

>> No.61032306

We don't know if it's really that though. Kind of strange how it likes to pop up whenever /pol/ is involved.

>> No.61032320

>there's an exploit right here affecting any browser which could siphon your data on any website running js
>let's make a joke on penis creams

>> No.61032321

>I want to creampie nana chan. Also, what do IRC mods even do nowadays? You can't even ask them to review bans now.

why ask anyone to review a ban?

I go through 5 IPs a day

>> No.61032332
File: 33 KB, 193x350, 1476069237035.jpg [View same] [iqdb] [saucenao] [google] [report]

>rogue ad company

They seem a little on the ball for a rogue ad company

>> No.61032334

Because some people aren't willing to drop money on a VPN or they don't have a dynamic IP

>> No.61032354

>Because some people aren't willing to drop money on a VPN or they don't have a dynamic IP

What service are you using, you can force an IP change if you have access to your modem

nothing like delivering some pizza to /mu/ or /lit/

they get so butthurt you would not believe it

>> No.61032382
File: 117 KB, 326x345, 1478259085183.png [View same] [iqdb] [saucenao] [google] [report]

Fuck off, considering who runs the website it's basically guaranteed this is something more.

>> No.61032391

Ever since this ekansovi thing started appearing I had it blocked on uMatrix, plus I've always had webrtc disabled through about:config
Do I need to worry?

>> No.61032393
File: 43 KB, 1223x554, ss.png [View same] [iqdb] [saucenao] [google] [report]

robtex is now exposing this

and I bet that >>61030800
>Digital Ocean
this anon mentioned was made in reference with IPs there exposed, belonging to DO
so this suggests that this botnet was running on a DO droplet that hasn't always been filtered through CF
at least the "a" subdomain "slipped" at least once

>> No.61032415

>blocked on uMatrix
>plus I've always had webrtc disabled through about:config
you seem safe

>> No.61032436

What's the Chromium equivalent?

>> No.61032444

You can't disable WebRTC in Chromium, see >>61031735

>> No.61032502

Nah I don't have problems with that kind of stuff I was just telling you generally why people care about bans.

>> No.61032504

a.d.mojigaga.com now points to , DO again
this time it's not "hidden" through CF and it uses AWS nameservers

>> No.61032507

the AS and the ip block are DO.

>> No.61032539

Good. I remember noticing it at least a few months ago. But the only ones talking about that were people on /qa/ so I thought there was nothing to worry about. Nevertheless, I checked on both uBlock and uMatrix logs and they blocked it. I also added a new rule ||ekansovi.com$important just to be sure. But I completely missed the websocket thing, so that's what I was worrying about. Good thing I've disabled webrtc since day 1, if that was the actual exploit.

>> No.61032658

can you block ads on vaughnlive?

>> No.61032688

Not the video ones since its flash. Just use a program that allows you to stream it to mpv.

>> No.61032775

Using ublock origin. I had it yesterday when it was discovered. Seems to have gone now?

>> No.61032808


>> No.61032869

$ pihole -q ekansovi.com
::: /etc/pihole/list.preEventHorizon (0 results)

::: /etc/pihole/blacklist.txt (2 results)

>> No.61033498

>They seem a little on the ball for a rogue ad company
It's possible they monitor popular adblock lists, considering it was added to ublock origin yesterday.

>> No.61033615

for future reference


>> No.61033740
File: 121 KB, 600x600, 1440523273822.png [View same] [iqdb] [saucenao] [google] [report]

>Block ekansovi
>Captcha stops working in other threads

>> No.61033775
File: 4 KB, 300x57, pemex 2300.jpg [View same] [iqdb] [saucenao] [google] [report]

Are you using the street sign captcha?

>> No.61033804


Nah the select the squares one

>> No.61033808

>We believe in Fair Play. It balances between users’ right to expect a good and safe browsing experience and publishers’ right to control their online business, including the ad experience they provide.

Don't y'all want that fuzzy ad experience, mmmh?

>fair play
>exploiting WebRTC


v1 and v2 captcha should work even with the latest uBlock additions and whatnot

>> No.61033950

adswithsalt dot com was called into play when evansovi wasn't blocked

so maybe rather than directing all the blame on uponit something like tisoomi.com/tisoomi-services.com should be investigated

>Thanks to years of experience in online marketing and advertising our team has created the best solution possible for this problem.
>We are able reach user with advertisement even though an AdBlocker is active.

>> No.61033960
File: 141 KB, 303x425, Screenshot from 2016-12-03 15-17-28.png [View same] [iqdb] [saucenao] [google] [report]

Ah I miss those, but the noscript v2 one doesn't seem to work anymore.
I never asked if they work.

>> No.61033990


>> No.61034031

>I never asked if they work.
You stated they don't work in other threads because of (causation) or after (correlation) a not better defined block you put in place, so yes, you never asked. You just assumed. Wrongly.

>> No.61034089

how do I entirely disable webrtc entirely?
I have this stupid leak prevent addon but I just want to get rid of it all together
fuck it

>> No.61034103

I've always had "stop webRTC from leaking local address" and updated filters every day on ublock origin. I'm good, right?

>> No.61034138

No I didn't. I asked "Are you using the street sign captcha?" to rule those out. You replied to the wrong person.

>> No.61034146

>Kind of strange how it likes to pop up whenever /pol/ is involved.
It appears on every board I visit, even if there's no /pol/ shit around.

>> No.61034168

it appears on 4chan.org. regardless if you're on a board or not..
he has autism
it's in the main website's javascript to load the fucking site.

>> No.61034172

you can disable it entirely only on firefox; if you don't want to mess with about:config settings you can follow >>61024955

No, that's completely unrelated. uBlock can't perform content filtering on WebRTC. It simply prevente a leak.

>> No.61034177

Yes it is in a more sane location than Windows

>> No.61034189

my firefox is locked to all fuck
was wondering about iridium
looks like the ublock extras blocked all webrtc though

>> No.61034192

This. it prevents leaking of your IP, but it doesnt block webRTC

Currently using wireshark to determine if my hosts file is really blocking it

>> No.61034202


>> No.61034225

>looks like the ublock extras blocked all webrtc though
it only holds a hard-coded list of rogues sites (4chan has been proudly added to that list).
It won't block all WebRTC on every site.

Iridium has already been addressed in the thread, give a look with ctrl+f

>> No.61034230
File: 151 KB, 1912x1582, 1478056375694.png [View same] [iqdb] [saucenao] [google] [report]


>> No.61034241

yea I read it, literally nothing

>> No.61034246

what's wrong with %windir%\system32\drivers\etc

>> No.61034257

what's wrong with installing directX for every single gayme on a computer

>> No.61034280

test #2

>> No.61034293

test #3

>> No.61034296

>caring about muh gaymen
>installing dx in 2017

>> No.61034297

>Currently using wireshark to determine if my hosts file is really blocking it

Block what? The botnet has been shut down to prevent further investigation. The domain points to

>> No.61034307

>not reading what I said
>thinking I'm on windows because you can't do above

sad go back to /v/ or /pol/

>> No.61034319

>using 127.x.x.x instead of
you're an idiot

>> No.61034320

whatever you say /v/ermin

>> No.61034324

missed that. however, chrome://webrtc-internals still shows the attempt to connect - I wanted to confirm it was a full connection. Wireshark doesnt even show the attempt to localhost or - what I have it pointing to in hosts

>> No.61034328

>I asked "Are you using the street sign captcha?" to rule those out.
So, I've then replied to you both, since v1 vs v2 isn't an element to factor in with the latest uBlock additions (I did check in both firefox and chromium before posting that reply using both v1 and v2 captchas).

>> No.61034331

you didnt even read his post dumbass

>> No.61034332

What does this do? It's not quite clear to me from the text in the file.

>> No.61034341

clearly I did.. how else would I know what ip it goes to?

>> No.61034346

it turns out you're the idiot here.

>> No.61034374

please stop embarrassing yourself. >>61031988 >>61032152 >>61032037

>> No.61034402

forget it, >>61032046 >>61031312

>> No.61034408
File: 2.87 MB, 960x720, vout23.webm [View same] [iqdb] [saucenao] [google] [report]

15KB obfuscated javascript that gets attached to every thread on 4chan, with decrypted strings: https://pastebin.com/C0Mj6vHL

>> No.61034444

I never wanted your answer, I wanted his answer so I can rule out that captcha.
You gave him a ">blocking"
I already know because I can post. There was no need to reply to me.

>> No.61034506

you got the autism comrade

>> No.61034509

Clover doesn't have this problem :^)

>> No.61034514

>I wanted his answer so I can rule out that captcha.
and I replied to you to assure (you and him) that the captcha version wasn't responsible for it.
I replied to him with that memearrow because he posted a tinfoil reaction image and from the look of it he performed some kind of unholy manual blocking. I've then added to your reply to anon the simple fact that v1 and v2 works perfectly and the attention shouldn't be directed to the captcha version at all, since it works with all the suggested blocking strategies expressed insofar (uBlock, disable WebRTC, hosts file)

>> No.61034521

Clover has lots of other problems.

>> No.61034553

are you sure it doesn't fetch the page and it just recreates images and posts using json?
>apps to browse a site
I'm too old for that shit

>> No.61034554

If you were replying to both of us you would have put both ids together and not separate.

>> No.61034607

Such as?

Clover uses the official API.

>> No.61034634

I've replied to you to correct your question (since the suggestion to investigate the captcha version started from you) and the other anon's got a (You) already in that post. Hopefully the way I manage my replies didn't trigger you too much. Take care.

>> No.61034665

>I wanted his answer so I can rule out that captcha.

It breaks the 3x3 square one, v2 as you said hasn't worked for a while, probably a combination of my addons eskansovi or not and I stopped using the street sign beginning of this year because it kept asking me to type like 7 times
I'm back to using the text typing one right now

>some kind of unholy manual blocking

>Blocked everything in UMatrix
>Added the domains to UMatrix's host file
>Disabled WebRTC
>Installed Chromium for discord
>Marked a norse rune of protection with my blood

It's all perfectly normal

>> No.61034696
File: 495 KB, 500x256, 1468615865122.gif [View same] [iqdb] [saucenao] [google] [report]

>Marked a norse rune of protection with my blood
have you tried turning it off and on again?

>> No.61034745

I asking him if he was using said captcha, not if the captcha was working. I already told a few posts that I already knew they work (except the noscript one). Stop assuming I was asking that.
>the way I manage my replies didn't trigger you too much.

>I stopped using the street sign beginning of this year because it kept asking me to type like 7 times
Same here but months ago, I don't think it was eskansovi since I completely had Javascript off. If it still worked I wouln't have to deal with this eskansovi shit since it only seems to load when javascript is enabled. But it did stop working when they added eskansovi which was around that time so they could be linked.

>> No.61034793

using ublock origin on Microsoft edge. the domain has the red bar by it which means it's blocked on some level. I had put ||ekansovi.com$domain=4chan.org in my filters and that's all. can I disable webrtc in edge?

>> No.61034832

the only true way is to block it in hosts

>> No.61034858

>Stop assuming I was asking that.
You were assuming that, see >>61034444
>I wanted his answer so I can rule out that captcha.

>I already told a few posts that I already knew they work (except the noscript one)
Quite the contrary, you were suggesting that v1 or v2 was any relevant for his issues and you never stated the opposite and you wanted his answer to rule it out. I've already address this concerns of yours.

>it only seems to load when javascript is enabled
no wonders, it's literally a js eval.

>redirection to different board
Take care.

read the thread.

read the thread, >>61031312

>> No.61034921

No you didn't because your answer had nothing to do what I wanted to know. If anyone is assuming, its you. I wanted to know if he was using that captcha not that it works

>no wonders, it's literally a js eval.
It worked with 4chan's and google's javascript disabled.

>redirection to different board
Yes, out.

>> No.61035015

>It worked with 4chan's and google's javascript disabled.
That's because its directly embedded in the page (not an eval btw) and 4chan's own js uses a <link> tag to load

>> No.61035049

>It worked with 4chan's and google's javascript disabled.
It's an inline eval script. If you blocked 4chan but allowed inline scripts in uBlock, it would have run. If you disable entirely 4chan's js, using uBlock or NoScript or whatever, it wouldn't have worked. You can check right now. Fire up a console and try blocking 4chan but leaving inline scripts vs blocking 4chan entirely. I seriously doubt you have used 4chan with all js (inline scripts included) disabled.

You're welcome.

>If anyone is assuming, its you.
I've quite literally quoted your words, you "wanted his answer to rule out that captcha" right after he expressed those concerns. That's not assuming on my side, there's no need to thank me for having ruled out immediately that element.

Take care.

It's an obfuscated eval too. It was deployed several times.

>> No.61035184

fuck you i didn't read this thread when i said that

>> No.61035583
File: 6 KB, 500x500, IMPORTANT.png [View same] [iqdb] [saucenao] [google] [report]

If you have uBlock Origin add this to prevent the obfuscated Javascript from running:


>> No.61035721


I just paste that line into my rules right?

>> No.61035737

'My filters', just add it to the bottom

>> No.61035880

Bois, it is late here, this thread is spooking me

Someone give me a quick rundown, I have never seen this ekansovi.com domain in my uBlock origin domains list

I use firefox

>> No.61035930

It haccs u @ night

>> No.61036745
File: 353 KB, 971x1500, 1478309736899.jpg [View same] [iqdb] [saucenao] [google] [report]

I was using my pass and got a perma ban for CP or some shit. The new system doesn't let you appeal for some time so I had to go on IRC and they just told me to wait. The next morning, I woke up and the perma ban screen was gone so I guess they just recognized their mistake.

Still, 4chan mods and jannies circa 2007 were chill and approachable.

>> No.61037959

Being shite.

>> No.61039204

fucking hell, I'm becoming paranoic, this shit is driving me insane

>> No.61039543

useless, please read the thread.

>> No.61039551

Alright, enlighten me

>> No.61039611

just update the default uBlock Origin filters, a new rule has been added by gorhill explicitly referencing a thread made here. It injects fake CSP rules on 4chan's pages, ruling out any https, wss AND WebRTC exploit (WebRTC ***can't*** be filtered as usual with uBlock and/or uMatrix, any custom made rule didn't cover the WebRTC trick). Chrome users have also uBO-extra with "early defuse" scriptlets.
Moreover, the botnet has been taken down, the domain in OP redirects to localhost now.
In the long term disable WebRTC entirely if you're on a browser that allows you to and please read the thread.

>> No.61039645

Just having the uBlock Origin filter doesn't prevent 15KB of obfuscated Javascript from running you dumb cunt, it just stops the connections. The rule you replied to stops the Javascript from running

>> No.61039677

for reference
>Added 4chan.org to upManager defuser: WebRTC is being used to escape blockers.

>commit "further fix https://rbt.asia/g/thread/61009719" (can't link direcly here)

useless, please read the thread.

>> No.61039687

It's not useless, it's stopping a whole bunch of Javascript you dont need from running.

>> No.61039704

Time to start using a VPN..

>> No.61039715

it's entirely useless, obfuscated code can be replaced in a whim and they have already taken off the botnet pointing to the domain in OP now that they have been caught; something you could have learned reading the thread.

>> No.61039730

a VPN won't solve the issue detailed in this thread.

>> No.61039736

I honestly didn't think I gave you enough room to misunderstand my intent but here you are to prove me wrong, I'm not angry I'm just disappointed.

>> No.61039751

So I basically have to use Firefox now?

>> No.61039766

VPN, and uBlock?

>> No.61039823

whilst you proceed in being disappointed feel free to read the thread and please pretty please with sugar on top refrain from suggesting yet another totally useless and totally circumventable custom made rule.

if you want to disable WebRTC entirely, you need firefox or ungoogled-chromium. Otherwise you need to rely on hard-coded lists in uBO-extra and in CSP rules injected via uBO lists. It took at least a month from the first ramblings about the domain in OP to the block enacted in the last 48 hours; during all this time any user who didn't disable WebRTC entirely was potentially affected by this domain. So, consider that hard-coded lists won't protect your from day 0.

VPN is pretty much unrelated; also it's formally against the rules to use a VPN to post here.

>> No.61039829

No it's not, you need to purchase a 4chan pass.

>> No.61039831
File: 110 KB, 489x557, Screenshot_20170620_141316.png [View same] [iqdb] [saucenao] [google] [report]

Will this work?

>> No.61039839

what about Vivaldi?

>> No.61039852

>paying a botnet-enabler in order to use a VPN that won't protect you from said botnet

I don't know about closed-source chromium forks (they are entirely pointless to me, and pretty pretentious too) but I'd bet my left nut that you won't be able to disable WebRTC on it.

>> No.61039854

I think they removed that exception. At least I don't see it on the pass page anymore.

>> No.61039858

Anon pls, I don't enjoy baby barfing

>> No.61039863

I don't have to read it, I know what's going on because I'm the one who made and read through the 360 post long thread yesterday, as well as the person who decrypted the strings, but I guess I'm wrong because some chucklefuck completely missed the point of what I was doing.
Every dumb motherfuckin' reply you make I'm donating $5 to a feminism group of your choice.

>> No.61039876

Personally I'd choose the todogroup so they can continue to open pull requests to your favorite projects with their code of conduct http://todogroup.org/opencodeofconduct/

or just github itself, I'm not sure there's much of a difference anymore.

>> No.61039895
File: 34 KB, 526x526, 1487830579610.jpg [View same] [iqdb] [saucenao] [google] [report]

>the person who decrypted
>I'm the one
come on, it can be prettified in 4 secs by an average 15 yo able to use a search engine (you don't even need to install gentoo).
It's sad to see that your clear autism is preventing you from considering the issues at hand clearly. Seek help and feel free to use a trip I can filter.


>> No.61039908

You're either impossibly stupid or a really good troll, and I'm not all that interested in replying to either anymore.

>> No.61039924

Take care, please avoid suggesting totally useless rules in the future.

>> No.61039948
File: 638 KB, 320x240, You too.webm [View same] [iqdb] [saucenao] [google] [report]


>> No.61040199

Please tldr me even though i scrolled through the whole thread i dont get the conclusion.

What do i need to do? I had this shit blocked in noscript and in ublock origin (my filters and my rules behind the scene) for a while.

Do i also need to disable whole WebRTC thing? Are there any downsides to it?

>> No.61040273

How do i disable WebRTC in firefox?

>> No.61040281

First you have to click on the address bar and put in palemoon.org, download that and then uninstall Firefox.

>> No.61040304


>> No.61040319

It's either a furry who knows what he's doing, or a bunch of feminists who don't, your choice.

>> No.61040350

Thanks anon, shit listed in pi-hole.

>> No.61040354

Or you could use SeaMonkey

>> No.61040488

>tfw I switched to Pale Moon before Hiro came (non sexually)

>> No.61040544

Guys am i safe now that i updated my ublock origin? webrtc is disabled. javascript is disabled in noscript.

Now i get xhr http://detectportal.firefox.com/success.txt after updating filters. Dafuq is this?

>> No.61040559

I get xhr everything 4chan now after updating uBlock Origin filters. Is this normal?

>> No.61040606
File: 95 KB, 192x279, dont panic.png [View same] [iqdb] [saucenao] [google] [report]

this is some spooky stuff

>> No.61040666
File: 12 KB, 342x285, Screenshot_20170623_070922.png [View same] [iqdb] [saucenao] [google] [report]

Are these the right settings?

Vivaldifag here

>> No.61040730

>make artwork DA wannabe oddparents tier and just generally worse
>make outlines 3x bigger in illustrator
>no more seductive semi-femdom lola

yeah I don't like it

>> No.61040737

What is local storage and how do i clean it? Im using Firefox.

>> No.61040884

no, uncheck WebRTC

though to be safe I would also put in an explicit filter using whatever tool that browser has. and if you can look at a log or console to make sure it's being actively blocked. clear cache and reload the page before looking at the console.

>> No.61040905

it's an option in the ublock origin settings tab. should work on any FF ublock does. I would also enable all the ublock-specific 3rd party filters in that tab. and/or add a blanket filter in the my filters tab.

>> No.61040963

why is there not a thread about this on every board? it seems like a very big deal

>> No.61041019

I imagine they'd just get deleted for being "off topic". Is there one on /pol/?

>> No.61041032

alternatively, you can set it on FF yourself without using ublock by going into about:config and setting “media.peerconnection.enabled.” to false.

>> No.61041134

that WebRTC option is totally unrelated, you can't disable WebRTC completely on that shitty closed source piece of cancer you chose.

jesus, just update uBlock Origin filters, see >>61039611

NoScript blocking is ineffective.

If you are using Chromium consider uBO-extra.

Yes, disabling WebRTC would prevent similar exploits in the future.

The botnet has been shut down, any measure to address THIS domain and THIS inline script is useless. uBlock's approach will prevent similar shit happening on 4chan using different "sneaky" domains and/or different scripts. To fully prevent this kind of exploit from day 0, disable WebRTC and double check your dashboards in the future.

they already shut this botnet down, see >>61032152
so, sadly >>61031988
>this "incident" will now be forgotten (I wouldn't be surprised to see ekansovi completely disappear from the pages now that they've taken it off)
it may re-spawn in different ways in the future

>> No.61041300

>double check your dashboards in the future.
For what?
>Yes, disabling WebRTC would prevent similar exploits in the future.
I had WebRTC disabled all this time but this ekansovi shit still were doing something via websocket. Now after updating uBlock filters i no longer see any entries in the behind the scenes log. Is it because the botnet is shut down or because of updated filters? Thank you very much smart anon!

>> No.61041485

>everyone says to completely disable WebRTC in Firefox
>no one says how

>> No.61041492

See >>61040281

>> No.61041500

Very funny.

>> No.61041508

you think I'm joking but I ain't laughing nigga

>> No.61041562

I have WebRTC disabled with media.peerconnection.enable (false) but i dont see a picture like in >>61024715 Do i need to change something else in about:config?

>> No.61041595

I actually had some faggot exploit my firefox through webrtc over a year ago. It was driving me crazy trying to work out how he got in. He kept dropping hints about my browser activities.

>> No.61041606

I'm sorry but that's fucking hilarious if I imagine you're just schizophrenic

>> No.61041653

Not related to this the fact that it showed up is probably a coincidence.

Some shittier wifi hotspots use a kind of reverse proxy to filter out people who don't pay them money. That request is to test if firefox is working under one of those so it can automatically configure itself to work properly with it. It's probably safe to block that unless it's a laptop that you travel with and regularly connect to unsafe wifi hotspots.

>> No.61041655

I have WebRTC disabled with media.peerconnection.enabled false. I have ekansovi blocked in noscript. I updated uBlock Origin. This is it? Am i safe now?

>> No.61041689
File: 48 KB, 1081x574, absolutewank.png [View same] [iqdb] [saucenao] [google] [report]

>> No.61041711

>For what?
for future suspicious domain names that may or may not pop up while your browse this cesspit

>i no longer see any entries in the behind the scenes log. Is it because the botnet is shut down or because of updated filters?
because of the updated filters. If you check the firefox Console (not the uBlock logger) you'll see messages about evansovi being blocked thanks to a Content Security Policy injected by uBlock itself. This way you'll pre-emptively block all that shit that used to reach the logger, PLUS the shit that didn't appear in the logger.

>I don't see a picture like
but you'll probably see in Console the message listed in >>61025794
also consider that >>61025893
>uBlock Origin takes precedence
>the "Content Security Policy" error will be logged if you have updated uBlock Origin's filters recently no matter if you have disabled WebRTC completely.

>media.peerconnection.enabled false
>updated uBlock Origin
that's all you need.

>> No.61041738
File: 3 KB, 250x93, 1.png [View same] [iqdb] [saucenao] [google] [report]

I do good boss?

>> No.61041751

not enough since uMatrix/uBlock can't filter WebRTC via their dashboards, but you're lucky: ekansovi.com doesn't resolve any more.

>> No.61041759


You were already exploited if you had not disabled WebRTC.

>> No.61041769

So, this was pretty clearly an attempt to deanonymize posters. How is this not huge?

>> No.61041825

Considering how well this went I think it's pretty likely this method will come back in the future. Definitely don't allow webRTC to run ever.

>> No.61041838

>but you'll probably see in Console the message listed in
Yup! I have this one.
>>uBlock Origin takes precedence
>the "Content Security Policy" error will be logged if you have updated uBlock Origin's filters recently no matter if you have disabled WebRTC completely.
Ooh, i see! Thank you very much anon. Have a good day!

>> No.61041904

>uMatrix/uBlock can't filter WebRTC via their dashboards

What's the XHR request in uMatrix then? Is it just unrelated to this?

>> No.61042045

>deanonymize posters
you are assuming that posters were anonymous in the first place. you are a dumb newfag

>> No.61042108
File: 2.85 MB, 1920x864, You hear the studio audience applaud!.webm [View same] [iqdb] [saucenao] [google] [report]

You're too confident of an idiot for your life to work out well

>> No.61042134

says the guy that thought 4chan was anonymous


>> No.61042204

your dumb ass completely misunderstood me; I didn't say 4chan was anonymous, I said it was an attempt to deanonymize users and if you had thought about it for even a second you would have considered that maybe I meant people who were using VPNs or a decentralized anonymity network and not any random dickwad with a phone.
and for your information I've probably been on 4chan for longer than you've been transitioning into a woman :^)

>> No.61042225

if you weren't so fucking new you'd know that vpns and tor are banned on 4chan

there is nothing to 'deanonymize' you fucklord

>> No.61042241

I don't even need to try to embarrass you, you're doing a better job than I ever could.

>> No.61042253

out of "arguments" already?

that's just fucking sad, even for newfag cancer such as yourself

>> No.61042270

>an attempt to deanonymize posters
Jesus Christ, you poltards are fucking retarded.

>> No.61042305

You're riding off some insane assumptions that only an undeserved confidence could justify.

>> No.61042326

you're the retard newfag that thought anonymous posting on 4chan was possible, not me. go back to /pol/ you uneducated dullard. you are only hurting the discussion in this thread by posting your mental diarrhea

>> No.61042348

You're actually starting to bore me now

>> No.61042352

refer to >>61042253

>> No.61042380

I get the Firefox error. Does that mean I am in the safe zone?

>> No.61042393

I thought the space cowboy worked for google now.

>> No.61042443

>he thinks anyone is anonymous on 4chan
If this site was anonymous in any way shape or form it would have been flooded by cp and drug trades a long time ago. Are you seriously this dense?

>> No.61042485

Do I even need to explain to you how it's logistically impossible to ban every proxy, VPN, and decentralized fuckery. I'm aware that 4chan has banned a lot of proxies, VPNs, and pretty much 99% of the Tor network, I've been here probably longer than you have. Private Tor networks exist, other decentralized anonymity networks exist, personal VPNs exist. But fuck me meet me half way, I can explain it to you but I cant comprehend it for you.

>> No.61042492

How do you get banned for CP if you were innocent?

>> No.61042550

You do realize that Google already tracks everything you say and do on 4chan using reCAPTCHA, RIGHT? You are assigned a userprofile.

>> No.61042609

this is just getting sadder and sadder. you know what, anon? i'm starting to feel bad about this. picking on the handicapped kid just isn't very satisfying. instead, i'm going to brighten up your life a little. i'm going to be that one shining ray of light in your bleak existence.

i will let you have the last word.

so come on, let me have it. make it count. i'll gladly take it if it means you'll experience the sweet taste of victory for once in your life, and you can go to bed knowing you achieved something.

>> No.61042626

refer to >>61042253

>> No.61042818

There are still CP floods now and then. It's just not worth the effort for most people.

>> No.61042843

>but you're lucky: ekansovi.com doesn't resolve any more.
I have a bad feeling about this...

>> No.61042895

>but you're lucky: ekansovi.com doesn't resolve any more.
Anyone who didn't filter the websockets was exposed, they may have already gotten what they needed and when people started catching on they took it down to prevent further examination.

>> No.61042953

Since this thread has a lot of very smart people i want to ask here. I pinned uBlock Origin's logger in Firefox and noticed that every time i restart my broswser there is xhr "http my ip address". What is this? This happens even when browser starts with single logger tab. Is this normal behavior?

>> No.61043528

ekansovi tried to phone home in more than one way

update your uBlock filters and check media.peerconnection.enabled in about:config

>> No.61043610

>latest reply to anything is nearly two years ago
I'm pretty sure submitting feedback through that page does not, in fact, work.

>> No.61043634
File: 3 KB, 481x92, peerconnection.png [View same] [iqdb] [saucenao] [google] [report]

since friends don't let friends befriend botnets, suggest https://addons.mozilla.org/firefox/addon/privacy-settings/ to your normie friends and secure (at least) the media-related settings

Reminder that 4chan X user could get this error >>61030609 but it's totally bogus

>> No.61043691

The part where they literally copypasted the location from unix systems.

>> No.61043783

They actually took the entire network stack from BSD and incorporated it into windows in the early days. Winders' current network stack is custom I believe though but the hosts file remains untouched.

>> No.61043799

we need a new thread

>> No.61044178

I have no clue. Maybe the targeted the wrong post or IP. Anyhow, it was resolved on their end within 24 hours.

>> No.61044739

>Been using noscript and Ublock for like 10 years
>Still can't understand why people don't all do this
Whatever, ignorance is bliss, right up to the grave I guess.

>> No.61044766
File: 52 KB, 368x969, sd.png [View same] [iqdb] [saucenao] [google] [report]

>Still can't understand why people don't all do this

not everyone is autistic like you

>> No.61044788

>Only have to allow scripts you trust once and then they are allowed forever
>Even going on JS ridden shitpiles to begin with
And I'm sure your retardation makes someone a lot of money, congratulations.

>> No.61044810


pls tell me which sites in pic related at necessary for the slickdeals.net site to function

>> No.61044825

Literally the first one, which is already enabled you retard.

>> No.61044838

nope... the rest of the site isn't usable then. try again.

>> No.61044860

I'm using it right now you stupid faggot, it works fine.

Half that shit in that pic isn't even in the script list on the fucking page.

>> No.61044966
File: 78 KB, 275x605, Untitled.jpg [View same] [iqdb] [saucenao] [google] [report]

I made this for you since you are a fucking retard, maybe you can use it next time.

>> No.61045655

Seems like all the /g/ pedos and racists are going to jail. RIP

>> No.61045739

It definitely does work, I've seen people talk about their responses.
They don't list all of them on the page.

Name (leave empty)
Comment (leave empty)
Password [?]Password used for file deletion.