What is Ekansovi? >15KB of obfuscated Javascript in ever

>>61017643
It's just a tracking pixel and you're basically retarded.

>>61018019
you realize websockets and tracking pixels are two entirely different things right?
e() is only 11 lines of 550.

File: 1447916124725.png (191KB, 753x187px) Image search: [Google]

191KB, 753x187px

>>61017643
So what I don't understand is that it seems to be ad related trickery to get around common adblockers, but where are the ads?

>>61018019
shill

>>61018179
I think it's trying many different methods to track you; a 1px by 1px image, an embeded js file, and a websocket, and some XHR which looks as though it sends your useragent to.

>>61018250
Websocket section looks like it's sending a fingerprint in sha-256 delimited by colons.

> ekansovi
Haven't seen them in a long time, last I saw something connecting to there it was just tracking

File: unknown.png (51KB, 528x475px) Image search: [Google]

51KB, 528x475px

Make sure you have ekansovi.com and a.ekansovi.com blocked, gorhill apparently pushed an update that blocks them a couple of hours ago but just check to be safe

>>61017643
I've taken a look at it and it's nothing substantial.

>>61018019
>t.Hiro

>>61018424
...are you going to elaborate?

File: 1470111210955.jpg (54KB, 480x451px) Image search: [Google]

54KB, 480x451px

>>61017643
>non-free javascript

>>61018179
Possibly testing attack vectors. Not necessarily an attack.

>>61018409
>gorhill apparently pushed an update that blocks them
wut

Any girls have an opinion on this?

>>61018429
No need to block it. It'll make 4chan better.

>>61018453
uBlock Origin filter update

File: 62c.gif (1MB, 320x213px) Image search: [Google]

1MB, 320x213px

>>61018462

>>61018462
shill

>>61018409
>>61017643
Its not listed under by umatrix.

Haven't seen it here. Maybe you're infected?

>>61017643
who owns the domain?

>>61018466
wew is he one of us?

! https://rbt.asia/g/thread/61009719 ! Appears related to uponit.com ||ekansovi.com^ ! Somehow, websocket requests are behind-the-scene with Firefox. Pending ! further investigation, this fixes the issue. ||4chan.org^$csp=connect-src https: http:

>>61018521
theguardian

>>61018492
Apparently it might only be showing up for people from certain countries.
Right click > View source
Search for

b.u("gIlePonVjyjmEpHGmTsFPsEYyxBVkstc");

That's the class for the XOR string decryption.

>>61018537
Unless the key is randomly generated, in which case you'd have to search for b.u("... unless the names are randomly generated as well in which case just look for 15KB of random as fuck javascript.

>>61018529
What made you come to that conclusion?

>>61018537
Hmm the key is there. The script is there, but its not running from a third party site.

Does that mean 4chan runs its own version?

>>61018522
>Appears related to uponit.com
There you have your question answered OP

>>61018579
Yep

>>61018429
It's a joke.

test

How can i block it with Ublock?

>>61018179
I have ABP on and I still see three little ads at the bottom of every 4chan page.

>>61018620
Open the uBlock settings
Go to the '3rd-party filters' tab
Click on the clock icon next to 'uBlock filters'
Click the 'Update now' button at the top

>>61017643
it's on the front page of 4chan as well, not just every thread
I can confirm it loads regardless of browser or addons. from different locations all around the world

those who say it does not load for them I have no idea why. But any OS, any browser, any addons (or none) on different ips and physically different computers all have it loading.

only thing I can say is those who don't have it loading have the old cached version of the javascript on 4chan still running

>>61018645
(you can open the settings by clicking on the uBlock button and then clicking the gear icon on the far left in the gray bar at the top)

alt. click on 'domains connected' in the uBlock popup
make both columns for 'ekansovi.com' solid red then save by clicking the padlock icon.

>>61017643
you forgot to mention
ekansovi

ekans
ovi

snake
egg

>>61018587
>uponit.com
>Immune to filters or blacklists
Am I really going to have to start blocking ads with hosts file?

They're uponit domains. End of story.

File: 1483134062952.gif (4MB, 490x476px) Image search: [Google]

4MB, 490x476px

>>61018587
>unblockable
If that's related to this, and this uses websockets, then...
>||*^$csp=connect-src https: http:

>>61018721
'Appears to be related to uponit' != 'Its uponit'

>>61018728
||wss:// actually, probably should have tested it first.

>>61018179
it smells more like some elaborate scheme to catch ban evaders.
hiro should just put mobile shitters in read only mode or at least increase the post timer

>>61018748
No, it is literally uponit. Do some more investigation.

>>61018711
>Immune to filters or blacklists

whatever they are doing, it doesn't seem to be working. i don't see ads here or on their site

File: 1432187912406.jpg (56KB, 760x572px) Image search: [Google]

56KB, 760x572px

>>61018889

File: 343791.jpg (74KB, 765x566px) Image search: [Google]

74KB, 765x566px

>>61017643
>Unironically uses XOR for its string encryption

>>61018916
I don't get what Miley Cyrus has to do with this :^)

>>61018890
That's because they're using it for tracking, not for displaying ads.

>>61018537

yep I get this same key

USA here but blocking cross site requests

>>61017643
Can it be blocked with noscipt? Does private browsing mode and deleting cookies and cache work?

>>61018982
Unless you're blocking 4chan.org, no.
Just get uBlock, or if you already have it update the uBlock filters in '3rd-party filters'

File: snakeivos.png (44KB, 1896x480px) Image search: [Google]

44KB, 1896x480px

Am I good now /g/?

Blocked it everywhere I could.

>>61019027
There's two instances of b.u in the code, that's the first one.

>>61019026
Probably... hopefully.

>>61019026
I just blocked it in hosts file.

>>61018409
how to even take a picture of umatrix
it leaves when I grab terminal to scrot it

File: sneekysnek.png (20KB, 1581x188px) Image search: [Google]

20KB, 1581x188px

>>61019026
>>61019042
Hmmm, the logger is still showing it, after I had blocked it, is this just because it attempts to or is it bypassing the block?

>>61019071
How do I do that?

Pic related time is after I had blocked >>61019026 so it might still be coming through

>>61019093

scrot -d [delay in seconds]

>>61019103
Click on the uBlock button, click the grey title bar at the top, go to the '3rd-party filters' tab, click on the clock icon next to 'uBlock filters', click on 'Update now'

>>61017643
I'm not getting this domain. It's probably coming from that notorious malware 4chanx.

>>61019129
that's some low effort bait right there

>>61019103

what is a good logger aka what are you using?

>>61019129
I'm on firefux vanilla 4chan and see it in umatrix

File: 1470409908774.png (7KB, 243x97px) Image search: [Google]

7KB, 243x97px

>>61018587
I FUCKING KNEW IT

File: 1.png (28KB, 309x290px) Image search: [Google]

28KB, 309x290px

>>61019103
https://pastebin.com/FiWG9vN5 for hosts file instructions.
THIS IS FUCKING BIZARRE: 4chan wouldn't let me post the specific text of this pastebin link, giving me a connection error. Pic related. It lets me post normally otherwise.

File: still heree.png (11KB, 1199x170px) Image search: [Google]

11KB, 1199x170px

>>61019126
Well shit I did that and it still showing up in the logger

Also I'm visiting random /pol/ threads to confirm it shows up as thats when it appears only so far.

>>61019174
Its just uBlock Origin's logger

>>61019217
Very suspicious coincidence.

Thanks for the link anon

File: Untitled-2.png (14KB, 826x261px) Image search: [Google]

14KB, 826x261px

>>61019217
Trying to post the text from that pastebin through post a reply at the top instead of the little reply window gets this response from 4chan. My IP is obviously not blocked as I'm posting right now. What the fuck?

File: C7AeO8xWcAIuBHk.jpg (52KB, 751x720px) Image search: [Google]

52KB, 751x720px

>>61019250

>>61019273
kek I just had that idea too, you beat me

test

>>61018250
In advanced cookie manager there is a cookie for that website named __cfduid or some shit.
Anothr anon didnt see it listed in the normal cookei viewer

>>61019301
>>61019301
Thats a cloudflare cookie

Why not
0.0.0.0 a.ekansovi.com
0.0.0.0 ekansovi.com

File: 2017-06-21-222203_305x264_scrot.png (40KB, 305x264px) Image search: [Google]

40KB, 305x264px

literally won't let me post this
posted this though >>61019296

File: 1.png (18KB, 305x284px) Image search: [Google]

18KB, 305x284px

This is the line which returns the connection error. Fucking bizarre.

>>61019318
>>61019330
Looks like simply etc(slash)hosts returns the connection error.

>>61018409
I guess Im out of the loop,
can you explain to me what addons I should be running and why?

I am using noscript + ublock origin.
I was using noscript + adblock plus or something but I was told they are cucks now and switched.

Now Im seeing all kinds of other crazy shit and I dont even know what it does

>>61019229
>Its just uBlock Origin's logger

Thanks

Requestpolicy blocks ekans egg completely

File: fukoff.png (24KB, 1502x336px) Image search: [Google]

24KB, 1502x336px

>>61019246
>>61019229
Well I did the hosts file thing but new instances of ekanshitty still show up in the logger when I click new /pol/ threads in the catalog

Should that be possible even with hosts file solution? Is the logger also showing attempted connections or just those that get through?

>>61019372
what tool are you using here

>>61019372

rquestpolicy extension in firefox seems to stop it

those are probably attempted request that are failing, I would hope

>This role is in our Tel Aviv office
https://uponit.com/careers/

/pol/ is always right.

>>61019353
uBlock was created by gorhill and then got taken over by a cuck
uBlock Origin is gorhill's continuation for automagically blocking ads
uMatrix Origin is for blocking things with way more control over what's getting blocked.

>>61018409
Wouldn't blocking ekansovi also take care of a.ekansovi?

/etc/host

>>61019396
*.ekansovi.com would
ekansovi.com means only ekansovi.com

>>61019409
>*.ekansovi.com
Would that or something equivalent work in hosts file?

>>61018537
New Zealand here, string appears more than once

new b.u("R3X + gIlePonVjyjmEpHGmTsFPsEYyxBVkstc")
new b.u("gIlePonVjyjmEpHGmTsFPsEYyxBVkstc")

>>61019388
its just Ublock origin logger like I've said already ITT

>>61019421
probably not no

>>61019423
It's always two

>>61019372
Those must be attempted requests. The only thing I know of capable of bypassing hosts file is M$'s telemetry.

>>61019409
What about *ekansovi? Would that block everything?

>>61019443
Probably not, no.

>>61019429
shit that's neat

>>61019394
ok so it was ublock I was told not to use,

So do I want ublock + umatrix or just umatrix?

Is noscript still safe? is it redundant with umatrix?
I noticed that when a site doesnt work noscript is the only thing that I need to fuck with, like its doing a better job than ublock

>>61019391
>>61019441
>attempted request that are failing

I sure hope so, I set up the hosts file exactly as it should be and checked and rechecked and yet each new /pol/ thread I open the ekansovi shit pops up again in the logger, hopefully its just logging the attempt and not an actual connection, I wish the logger distinguished between the two

>>61019497
Noscript + uBlock ORIGIN
+ uMatrix ORIGIN if you want more control.

>>61018250
web RTC too

File: pepe-indifferent.jpg (8KB, 250x238px) Image search: [Google]

8KB, 250x238px

>>61019517
>umatrix origin

>>61019517
>uMatrix ORIGIN
this doesn't exist

>>61019517
I thought there was only one umatrix, not a umatrix and a umatrix origin

>>61019538
>>61019545
>>61019546
Whoops, sorry, you're correct it's just uMatrix

I would buy a pass if moot was still in charge and not hiro, who has a track record for fucking up people who trust him

>>61019213
/pol/ is always right.

>>61018630

> ABP
> 2017

>>61019421
nope
you have to add sub domains separately in host files
if you use pi-hole you can use wildcards for dns though

>>61019314
under the ekansovi url.

>>61019316
because he will just "b.ekansovi.com" and "aslfkjeiwrqjedfadslf.com" when you arnt looking

>>61019560
>trusting a white privileged man
>not trusting a poor rice farmer
fucking racist

File: 1489768509515.png (947B, 416x454px) Image search: [Google]

947B, 416x454px

What kind of tweaks did you guys do to uMatrix? I noticed a lot of sites I used would fall apart after installing it.

Is it a good idea to globally allow googleapis, apis.google, ajax.googleapis? Seems like a lot of sites rely on them to work

>>61019601
I just live in a broken internet and surf happier

>>61019590
The patrician thing is to use uMatrix in default block-all mode since it will block everything not explicitly allowed.

Very confusing server (DNS resolves to 138.197.9.35)

Iplocation says the ISP is digitalocean

I attempted to SSH into it -
the connection message is "Bitvise WinSSH Server"
Windows? digitalocean doesnt allow you to make windows servers

any ideas?

>>61019601
I just keep them blocked by default. If a specific site breaks I try whitelisting them for that site and see if it works.

There's an awful lot of sites (news sites, blogs, etc) that look ugly but still display text content just fine with pretty much everything blocked.

>>61017643
seems like they are onto us. it's been removed

>>61019394
>>61019517
ok, I installed matrix and it broke replying so I had to disable it to post this

>>61019641
Some kind of front-end, proxy, or passthrough firewall with a windows server behind it, maybe?

>>61019651
You have to actually understand what uMatrix is and how it works, it's not an automagic catch-all it's a tool. You don't buy a hammer and say "Something's wrong it's not nailing things in" without actually using it.

>>61019642
>>61019620
my niggas

>>61019217
4chan doesnt let me make threads anymore. I dont know why.
It takes years to do anything and then loads a warning page about https

>>61019649
Huh, you're right.
Not finding the u.b( string now

>>61019601
it's like noscipt and you need a few days to adjust it for your main websites, but it's great for everything else and fighting tracking and other anti-privacy measures

>>61019506
>>61019441
>>61019391
Yep, ekansovi doesn't even show up in ublock origin anymore meaning hosts file blocked it completely, but it still shows up in the ublock logger as attempted access I guess

I checked just now and it shows up in the logger when clicking on /v/, /g/ threads too

Just what the hell is this thing.

>>61019666
And you dont buy a hammer and have it automatically nail your door shut

what do I click to make 4chan work. I dont care if everything else is broken right now

>>61019641

lol how new are you? all of the ips are fucking cloudflare

test

>>61019217
test

127.0.0.1 a.ekansovi.com
127.0.0.1 ekansovi.com

Are there any good tools for debugging/inspecting websocket sessions? Would actually be useful for a project of mine as well, but I didn't find anything

>>61019695
>>61019666
Nevermind, I figured it out.
This shit really fucks up a good buzz.

>>61019217
hey this guy did your linux fix >>61019318

>>61019649
It's still there for me (New Zealand)

>>61019684
b.u, not u.b

>>61019695
rows are domains
columns are media types
cells can be either red or green, if it's red that media type is blocked for that domain, if its green its not blocked.
Click on the top or bottom half of a cell to block/unblock that cell.
If you get stuck use google, if you cant even do that dont use uMatrix.

>>61019698
how can you tell?

>>61019705
test two

Copy hosts file to desktop or any other folder you don't need administrative privileges to save stuff in. Edit with notepad. Put these two lines in it and click save. It'll save it without adding a file extension:
127.0.0.1 a.ekansovi.com
127.0.0.1 ekansovi.com
Copy file, paste it back into \etc and click continue when it asks for admin privileges.
If you're on Linux, I don't know the Linux equivalent to a hosts file, or if that even exists.


also you should do 0.0.0.0 so it just drops it rather than routing it to yourself

>>61019725
>>61019217
only blocked part is the system32 shit

>>61019725

>also you should do 0.0.0.0 so it just drops it rather than routing it to yourself

What do you mean? Replace 127.0.0.1 with 0.0.0.0?

>>61019748
yes
your computer gets word you want to connect to ekans
it asks DNS file where to go
it sees 127.0.0.1
it connects to you and tries to communicate with it

if it's 0.0.0.0 it just drops the packet and never tries

>>61019721
You're, right my bad.

Here's the script if anyone is interested.
https://pastebin.com/yCe3WVpx

>>61019748
https://www.dslreports.com/forum/r24621780-hosts-127-0-0-1-vs-0-0-0-0

127.x.x.x is YOU
so you're talking to yourself or trying to
since you don't run a server after a few tries it'll drop
but 0.0.0.0 is auto drop

>>61019421
You can do that in the hosts file but you need to replace the default DNS resolver, i use acrylic DNS proxy for that

just remember to replace the dns servers in the config file since it uses Google dns servers by default

after installing it edit your connection settings to use 127.0.0.1 as primary DNS server and edit the acrilyc hosts file with the sites you want to block

You will be able to use *. to block entire sites after that, and it also stops windows 10 hardcoded domains from being able to connect so no more botnet

>>61019741
see
>>61019318
>>61019344

holy hell this is fucking awesome.
I never in my wildest dreams thought i'd see something of this caliber on 4chan of all places.
they must be looking for someone really hard, they're pulling out all the stops for this shit.
something is going to go down soon and I can guarantee it's because of the trump administration.

>>61019764
>>61019780
Got it, done. Thanks /g/ents

>>61019784
This stops all Windows 10 telemetry? I was under the impression only a hardware firewall could do that.

>>61013637
>the website is literally hosted on the same server 4chan is hosted on

Is that true or was he bullshitting

>>61019806
Windows normally respects entries in the hosts file for ordinary user applications (like, for instance, non-MS web browsers), but they hardcode some things in the bowels of windows, so system components will talk to microsoft regardless of the hosts file.

In fairness to microsoft, this was probably at least partly motivated by the fact that a common malware trick for a long time in the XP era was to use the hosts file to kill connections to windows update and to the homepages of things like Spybot and other anti-malware outfits.

how about blocking google-analytics?

>>61019839
it was, it seems to have changed

haven't looked at the XHR data for a while either

>>61019849
I already do that

Here's the script attempts to embed on the page when certain conditions are met

https://pastebin.com/dgqHbNpz

but why? and how are the conditions met?

>>61019855
thats because its fucking cloudflare

>>61019849
0.0.0.0 analytics.google.com or whatever it is

just run pi-hole

>>61019867
>when certain conditions are met

You mean like when you open any random thread on /v/, /g/, /pol/ etc?

Because thats when it appears in the log for me

>>61019876
their cloudflare ips are different goyo

Why are you spoonfeeding all the retards in this thread? This is why /g/ is so shit. These idiots think it's okay to come here and beg for help with all their pc issues. Send them to /sqt/ or >>>/wsr/.

>>61019784
>it also stops windows 10 hardcoded domains
>>61019847
>but they hardcode some things in the bowels of windows
This appears as if you are saying this method is a viable software-only method for completely stopping all Windows telemetry. Am I interpreting this correctly, and has this been tested?

>>61019876
>>61013719

>>61019879
0.0.0.0 www.google-analytics.com
doesn't work, reloading the page and I still see it on ublock logger

a.ekansovi.com and ritogaga.com
both have the same styling when requesting a non-existant page

>>61019919
well it's not 81.171.8.138 anymore cuz that gives a different response than this fucking gay ekans site does

>>61019806
It does block them I got pissed off because they werent getting blocked in my hosts file that I searched how to block them, after a few days I found acrylic and managed to block them

Windows still tries to connect to those domains though, like with go.microsoft.com there's always tons of request of it in my DNS logger even though they all resolve to 0.0.0.0

>>61019929
JS will still try to make the request, so addons will still see the request. But your kernel's networking subsystem will do DNS resolution for google-analytics.com, get 0.0.0.0 back, and give up immediately. The JS, if it bothers to check for errors (almost no JS does, shitty, shitty language and culture) will find that the request it made failed. Probably with a destination unreachable or something similar.

>>61019958
That's pretty fucking awesome, anon. Thanks.
/g/ approved DNS servers anyone?

>>61019983
dnscrypt-proxy

>>61019909
That first answer wasn't mine, he was someone else, they do get blocked you can try for yourself acrylic is open source and its not that hard to install

>>61019983
>/g/ approved DNS servers anyone?
Most OpenNIC ones and dnscrypt.eu if you can use dnscrypt
Avoid OpenDNS almost as much as Google DNS
You can also run your own DNS server but of course this won't do outside your home network (unless you have a static IP)

Why should anyone care

>>61020005
Fuck off hiroshima

>Another useful feature is called "Behind the scene". You find it listed in the page selection menu, and it lists requests that uBlock cannot associate with a domain.

>This includes among other things requests made by the browser itself, made by extensions, and by websites if technologies such as hyperlink auditing are used.

Ok so once again it seems like the ekansovi showing up for in Behind the scene logger are just the requests being listed, not any actual connections, since its been blocked in hosts after all.

TTL on the dns records are only 5 minutes and Im pretty sure theyve changed multiple times within the hour

>>61020005
Have you read 1984?

>>61020026
yep as I said they keep changing the ip

regardless of cloudflare

>>61020037
anyone up for jacking the domain? registered with amazon

>>61020053
huh?
it's regsitered on name.com

https://who.is/whois/ekansovi.com

>>61020077
>Name Servers
>adrian.ns.cloudflare.com
>173.245.58.57
>terin.ns.cloudflare.com
>173.245.59.236

So wait, it's just some cloudflare shit?

File: Screenshot_13.png (55KB, 587x714px) Image search: [Google]

55KB, 587x714px

>>61019958
here's how it looks like when they get blocked by acrylic

etc\host

>>61020077
my bad, was thinking of mojigaga.com
anyway, it should be easy

>>61020094
before cloudflare, the ip was>>61019919
that crossthread one

but now it doesn't work and all the IPs are cloudflare
81.171.8.138
this is the ONLY Ip that has routed to that site that isn't cloudflare
https://whois.arin.net/rest/net/NET-81-0-0-0-1/pft?s=81.171.8.138

arin says it's a eurotrash ip

https://pastebin.com/Zp61Pvny

some gay guy I know made the code from the ekans site more beautiful

> I don't understand the first function though it will never run

>>61020159
...why?

How do you xor the strings in js?

>>61020159
>2245760 == 1416070001
noticed that too, very strange

>>61020180
yea he asked me about it, I have no idea.. haven't seen anyone post that at all or ask about it.
>>61020167
>BEcause anytthing after && relies on the first condition being true
>It will short-circut after the comparison because those two numbers aren't the same

another thing about this is, if you're behind a proxy or VPN, and do not have a webRTC blocker add-on installed, this script now has your real IP address

>>61020195
(google webRTC leak)

>>61020191
>So unless that first number is dynamic, it's will never create the image

File: 1497973609311.jpg (7KB, 250x243px) Image search: [Google]

7KB, 250x243px

Why do you care?

>>61020204
>Not caring about the code being run on his machine

>>61020180
>>61020202
actually, duh, you provide the number in the URL query and generates the script with that number. so it shows they're looking for someone/something specific

>>61020234
see: http://xhr.ekansovi.com/ljs?p=2245760

>>61020209
It's a fucking website.

>>61020234
that's why 1416070001 is all the fucking over the place in their code
>>61020195
how do I disable webrtc

>>61020204
>>61020036

>>61020256
if you're using chrome: https://chrome.google.com/webstore/detail/webrtc-leak-prevent/eiadekoaikejlgdbkbdfeijglgfdalml?hl=en

>>61020257
I was born in 1989, what about you? Retard

>>61020274
so I disable it?
"disable non-proxied"

>>61019213
There is a part of the tech sector in Israel called Download Valley. Superfish, of Lenovo self-destruct fame, issued forth from one of the Download Valley companies.
Presumably it's an artifact of Israeli laws around installing things on people's computers or something.

>>61020275Go back to you watch threads faggot

>>61020275
1984 is a book about a dystopian future where the government has omnipresent spying on its citizens and uses it to eliminate political dissenters.
Just because (it doesn't appear as if) the government isn't using spying data to eliminate political dissenters now doesn't mean they can't and won't use spying data they're collecting now to eliminate political dissenters later.
It's a legitimate concern.

And this bothers me?

>>61020288
No, the default is fine. installing the add-on is enough to block the leak.

>>61020309
>>61020204
>>61020005
fuck off ekansovi

File: blok.png (3KB, 1911x30px) Image search: [Google]

3KB, 1911x30px

>>61017643
>What is Ekanso-

blocked.

File: blok2.png (8KB, 1007x197px) Image search: [Google]

8KB, 1007x197px

>>61020342

>>61018630
I have ublock origin and i also see them

anyone know how to get into the stun:// without writing fucking javascript?

from the source it connects to
stun://a.ekansovi.com:6001

and the password is possibly "00000000000000000000000000000000"

>>61020338
Why are you samefagging so much instead of telling us why we should worry? Are you perhaps autistic

File: 1478223295899.png (1KB, 142x20px) Image search: [Google]

1KB, 142x20px

>>61020247
Oh shit, it's the same number for me.

File: image-w1280.jpg (142KB, 1280x720px) Image search: [Google]

142KB, 1280x720px

>>61020430
>password is possibly "00000000000000000000000000000000"

I like how this is going

Does ekansovi only show in specific browser?
Because when I use safari, I don't get that, but in chromium, I get that. Or maybe unlock in safari doesn't detect it?

>>61020501
if you clicked the link I crafted then no shit

>>61020499
Its a very advanced tracker, still trying to figure out the logic behind it. its obviously looking for something. best to have it blocked.

>>61020525
nope
tested on 7 different operating systems with all browsers and different IPs and different physical computers

>>61019372
>hosts file didn't help
Depending on OS/Settings you may have to clear DNS cache too.

Some Software use their own Lookup methods to work around users changing their host-file or having a DNS that blocks certain domains (for example Chrome and stuff based on that).
Those usually use Google DNS 8.8.8.8, 8.8.4.4 and ignores your host file. They may also find the DNS from your provider and ask it directly.

Using DNSquerySniffer from Nirsoft can give you a hint about what DNS are used.
You may also want to block all UDP/TCP DNS calls to anything except those 2-3 you explicitly allow. Thus making it a bit harder for trojans to send/receive data since port 53 usually allowed by every possible firewall for everyone.

>>61020538
>if you clicked the link I crafted then no shit
Oh, lol. Silly me.

>>61020538
see if it's testing for browser capabilities or vulnerabilities

>>61018703
>ekansovi
>ekans ovi
>snake ovi
>snake oiv
>snake oil

File: shockedtsundere.jpg (115KB, 419x402px) Image search: [Google]

115KB, 419x402px

>mfw I realized it might be looking for FBIAnon

>>61020576
Yes, ad networks are looking for a greasy larper

>>61020576
Who?

>>61019709

This is actually a major problem for web developers. None of the dev tools built into Chrome are any use at all looking at what a websocket is doing.

File: Screen Shot 2017-06-22 at 12.11.57 PM.png (99KB, 1016x386px) Image search: [Google]

99KB, 1016x386px

>>61020540
Weird. This is from my safari (left) and my chromium (right). But well I get >>61018537 when checking the source in safari though.

>>61020609
is safari even capable of running the shit?
I didn't try that browser myself

>>61020525
If you look at the pastebin in the op, it explicitly checks for safari in g(a), though who knows what it's doing or why.

>>61020622
Do you mean using ublock origin?
Yeah it can
https://github.com/el1t/uBlock-Safari

>>61020646
no lol. I mean the web socket and connection

>>61020658
Yeah it's supported as far as I know.

>>61020643
Damn, then I need to filter ekansovi in host level for making sure it's safe too. Thanks, anon.

How can I be 100% sure I blocked it?

>>61021041
try to go to the website

does it work?

@@||4chan.org$domain=4chan.org
@@||4cdn.org$domain=4chan.org
@@||googleapis.com$domain=4chan.org
||*$third-party,script,domain=4chan.org
||*$third-party,xmlhttprequest,domain=4chan.org
||*$third-party,websocket,domain=4chan.org

>>61020607
Have you heard of wireshark and pcapdump?

>>61019636
This

An anon posted this link and it got delet

https://github.com/Floens/ChanTracking/blob/master/pages/home.html

If I have a separate anti-malware program managing my hosts file, and I'm alsio using a uBlock Origin hosts list, does one trump the other? I don't see that Firefox has added anything to my hosts file when I check it.

>>61020363
>>61020342
blocking https://xhr.ekansovi.com is not sufficient, you fool.

>>61022479
Yeah, my bad for being paranoid

That git just has the 4chan source on it - 1416070001 appears in the 4chan source.

>>61020180

>>61020363
>>61020342
Get a load of this fucking idiot.

If you dump the script that gets evald there is a "the cake is a lie" text in it

To dump the script after decryption just do this.
1. put bp on first line of sources
2. go to console

eval = function(x){

alert(x);
}

3. let it run.

>>61022593
no and you're stupid to ask

File: so salty.png (21KB, 501x419px) Image search: [Google]

21KB, 501x419px

>tried to unblock ekansovi.com in uMatrix and uBlock until no more wss connections were blocked in Console
>new friends popping in uBlock's dashboard
>adswithsalt.com

so it's just hirojew playing with us all along

>>61022936
I guess I should have asked it this way. Does uBlock Origin have the ability to edit my hosts file?

>>61022964
>can a browser extension that's not pure malware edit my host file?
once upon a time /g/ wasn't so shitty
I blame phoneposters

File: chrome_2017-06-22_19-19-37.png (26KB, 493x382px) Image search: [Google]

26KB, 493x382px

use a proper blocking tool

>>61022964
no and you're stupid to ask

>>61023024
why does it look like that

>>61023055
the shit to the left? That's "advanced mode".

>>61023055
>>61023069
https://github.com/gorhill/uBlock/wiki/Advanced-user-features

>>61023024
>blocks all third party
>blocks all third party scripts and frames, as if this was necessary
>manually unblock every single cdn site and third party site
>aussie
3/10, use uMatrix at least
and you'll have some surprises if you look at chrome://webrtc-internals/ once you refresh a 4chan page, even with all that fuckery, stun:a.ekansovi.com:6001 will knock at you anyway. You'll NEED the latest uBlock Origin Extra.
Oh, and if you have uMatrix as well in Chromium, then again you'll see STUN requests until you add uBlock Origin Extra.

>>61023107
well shit thanks for the info at least.

fwiw I don't unblock "every single cdn", just shit I need. I'm not so tinfoil I don't use google or imgur, I just don't want my shit uploaded to putin.ru without me saying so.

>>61023107
>using chrome
>caring about privacy
why

>>61023153
because firefox has lost all direction, why use something copying chrome half the time and making dumb decisions the other half when you could just use chrome? mozilla need to cut the fat and get focused on making firefox great again.

>>61023176
Pale moon.

>>61023176
Nice job dodging the question. Even if they have women in charge, at least there is some expectation of privacy. With Chrome, you have zero. Also, see: palemoon

>>61023176
>use chrome
The browser designed from ground up to spy on you.
Don't let google and anyone the sell or forced to give info too ever again miss a single click from you.
Thanks to chrome they no longer need a camera in your apartment.
They can reconstruct your movements depending on the exact interaction with your computer.

Apply this into 'My filters' of uBlock Origin.

! 3/30/2017, 2:48:59 AM http://boards.4chan.org

ekansovi.com

reminder that if you see ekansovi shit on chrome://webrtc-internals/ you're still vulnerable

>>61023197
>>61023216
Google knows everything about me already. Google already knows everything about you, probably. I don't give a shit if all my information is going to Google. They've had my email for over a decade, they have every search I've ever made, pretty much every IM I've ever sent, they're inside my phone, and they have a growing AI division. That fight was lost long ago.

I'm just trying to stop random script kiddies running code in my browser.

If you want to use firefox I have no problem with that, but I use chrome.

>>61023241
>chrome://webrtc-internals/

Something like this at the start of this is bad, even if you've blocked the URL outright?

>>61017643, { iceServers: [stun:a.ekansovi.com:6001], iceTransportPolicy: all, bundlePolicy: balanced, rtcpMuxPolicy: require },

>>61023024
Newfag here.
The left one is for global rules and the right one is for local rules, right?

>>61023271
yep, apparently we need https://chrome.google.com/webstore/detail/ublock-origin-extra/pgdnlhfefecpicbbihgmbmffkjpaplco/related?hl=en

I saw on the github he made a commit specifically to include 4chan.org, Perhaps someone could explain why we need to 'foil' these "early" connection attempts on a case by case basis instead of globally blocking the root cause of this kind of shit?

File: 4c.png (6KB, 385x197px) Image search: [Google]

6KB, 385x197px

>>61023271
yes, use uBO Extra

>>61023281
yep

>>61023290
How do I bring up that context menu for uBO Extra?

File: 2017-06-22-095825_365x515_scrot.png (22KB, 365x515px) Image search: [Google]

22KB, 365x515px

>feel when 4chan is as bad as jerusalem online for jewing its users

File: file.png (302KB, 640x400px) Image search: [Google]

302KB, 640x400px

>>61023290
Talking about this one they use in the chrome web store picture.

>>61023261
>If you want to use firefox I have no problem with that, but I use chrome.
After analyzing "Iron" and found tons of trickery still left inside they had missed to clean out, I gave up on Chrome or any derivate.

Firefox with tons of extensions and tons of about:settings changes is probably decent (since TOR use it), but in default mode it's just as bad as chrome.

That's why I don't use any of the popular browsers, but I do masquerade as one. Not something I recommend since it's more work getting shit to work.
Not only trojans have problems running in my configuration - it's everything else too!

File: Screenshot_20170620_111825.png (221KB, 562x849px) Image search: [Google]

221KB, 562x849px

>>61019798

>>61023287
because you can't disable WebRTC on Chrom(e,ium}
and u{Block Origin, Matrix} don't address WebRTC

>https://github.com/chrisaljoudi/uBlock/issues/645#issuecomment-72291619
not in Firefox
not in Chrom{e,ium}

at best, uBlock Origin will show you an option to "Prevent WebRTC from leaking local IP addresses" but won't intercept and filter WebRTC requests.
This happens in both Firefox and Chrom{e,ium}; but at least in Firefox you can disable WebRTC completely.

>>61023261
You are part of the problem.

>>61023666
Thanks

there's
>https://github.com/Eloston/ungoogled-chromium
>Disable WebRTC (will be configurable in the future #179)

allegedly it's not a fork
>ungoogled-chromium should not be considered a fork of Chromium
just a set of
>configuration flags, patches, and custom scripts

pick you poison: use an upstream that allows you to disable WebRTC even when you have js running
or
use an upstream that doesn't allow you to disable WebRTC so you have to
- rely on third-party addons with pre-compiled lists of rogues sites (see uBO-extra)
- resort to disabling js completely (WebRTC doesn't work if js is completely disabled)
- revert to "forks"/unbranded versions of the upstream

File: Screenshot_20170620_141316.png (110KB, 489x557px) Image search: [Google]

110KB, 489x557px

Exposing our true identities is someone's idea of punishment for 4chan getting Trump elected

>>61017643
chinese moot sold us out

>>61024271
Regular moot sold you out too.

>>61018916
>XOR encryption is unbreakable even in theory if the data XOR'd with the data to be encrypted is random and if the random data is the same length as the date to encrypt

File: 1448831563817.png (1MB, 1280x720px) Image search: [Google]

1MB, 1280x720px

>obfuscated non-free java-script

>tfw botnet wants you to stop shitposting

>>61024427
How is that any different from OTP?

File: webrtc was a mistake.png (3KB, 1141x26px) Image search: [Google]

3KB, 1141x26px

Friendly reminder that
if you're using firefox
and you're not disabling WebRTC completely
so that you don't see this message in Console
you're exposed. You won't be able to see STUN in ff @ about:webrtc as you do in chrome @ chrome://webrtc-internals/
but you'll see adswithsalt.com coming through in your uMatrix/uBlock dashboards

>>61024715
btw, adswithsalt has already challenged ad blockers in the past
>https://github.com/uBlockOrigin/uAssets/issues/209

>>61020329
No it isn't. None of the settings in that extension will block WebRTC on Chrome.

Check chrome://webrtc-internals and the connection will still be made.

The only way to block it in Chrome is with hosts file but if they change the subdomain you'll need to realise and block it again.

Firefox can properly block WebRTC. Chrome can't currently

File: laughing_girls.jpg (86KB, 420x238px) Image search: [Google]

86KB, 420x238px

>he doesn't have Ghostery and AdBlock Plus

laughing_ekansovi.exe

>>61024830
dear fucking God, read the motherfucking thread you fucking millenial

if it was a ruse, 10/10 you rused me

File: peerconnection.png (3KB, 481x92px) Image search: [Google]

3KB, 481x92px

>>61024715
>>61024749
in firefox you may use normie-friendly addons like https://addons.mozilla.org/firefox/addon/privacy-settings/ with these media-related settings

>>61024706
Does not follow the same mechanics but I guess the principle is the same.

My point was to not underestimate how strong XOR encryption can be, if properly implemented, since some anon seemed to be making fun of it

File: Capture.png (98KB, 784x373px) Image search: [Google]

98KB, 784x373px

>>61024850
Sorry, that was a ruse actually :^)

But, seriously guys - we all know how to block this now. The real question is - what is it doing, and why is it embedded on 4chan?

>>61025118
see again
>>61024749
>>61016560

>>61019636
>>61022035
Not enough, see >>61024715 , >>61023107

How many 4chan users are going to either install uBlock Origin Extra in Chrome-related browsers or disable completely webrtc AND use at least uBlock Origin?
My guess is that it wil be a number negligible enough for the "advanced users" to still stand out and be backtracked

>>61025343
This.

It's probably safer to disable uBlock entirely lads... nothing to hide nothing to fear :^)

>>61023024
What the fuck are you doing you dumb ass? Use "noop" not "allow"

>>61020589
anon from /pol/, claimed to be ex-/FBI, posted various pictures and stories that couldn't be found anywhere else.

Once again proving WebRTC was a mistake.

>>61023024
use proper "noop" rules, not "allow" rules.

Pale Meme doesn't have WebRTC.

If I don't see it in Ublock's content logger. then i'm good?

>>61025515
It *should* be blocked now but it doesn't show up in the general view in firefox it shows up under behind-the-scenes for some odd reason apparently related to webrtc

>>61025515
no, read the thread.

>>61025515
Also download uBlock Origin Extra from chrome Store.

So wait

What if you're only using Clover to browse?

>>61025724
I think those clients just download the json file and the images/media and ignore the rest of the page so I don't think they were affected, probably.

>>61025524
So if I disable WebRTC then it should stop right?

File: 1487289337554.png (147KB, 1262x778px) Image search: [Google]

147KB, 1262x778px

Another solution, if you're using 4chan x, you can block all requests coming from the 4chan scripts in Settings -> Advanced -> Javascript Whitelist

Pic related, my config

This will prevent it from executing without installing more add-ons.. but of course hirochink could just add the tracking code to the 4chan js itself.

>>61025724
you should be safe. clients typically stick to API calls. wouldnt make sense for them to run any javascript

>>61025515
the logger is irrelevant

open a console (I assume you're on firefox)
you should either see the pic in >>61024715 if you have disabled WebRTC completely

or this message

Content Security Policy: The page’s settings blocked the loading of a resource at wss://a.ekansovi.com/wsp (“connect-src https: http:”).

if you didn't disable WebRTC completely BUT you updated recently uBlock Origin's filters.

In the first case you are ALWAYS protected
In the second case you are protected ONLY ONCE, thanks to an explicit rule ( see >>61016560 ; it injects a fake CSP)

If you're on Chromium: you can't be ALWAYS protected, you have to download uBlock Origin Extra and rely on hard-coded lists, so you're bound to be protected only ONCE (if the domain changes, you're busted)

>>61025772
It apparently falls back to using XHR if you disable WebRTC but the good news is you can easily block those through the usual filters. You should disable WebRTC anyway because it's a huge security risk at this point.

>>61025776
I should have 'self' commented out there too

>>61025754
>>61025776
t. jewmoot

these "javascripts" are enabled if you enable any javascript on 4chan at all.

>>61025724
>mobile poster gets busted
and nothing of value was lost that day

>>61025794
>if you didn't disable WebRTC completely BUT you updated recently uBlock Origin's filters.
uBlock Origin takes precedence it seems, so the "Content Security Policy" error will be logged if you have updated uBlock Origin's filters recently no matter if you have disabled WebRTC completely.

So is anyone going to address the problem with firefox that allowed this potentially malicious website to slip by every content filter?

>>61025915
>the problem with firefox
the problem is with any browser and it's called WebRTC. It's more a problem for Chrome users, since they can't disable it entirely.
The problem has been addressed extensively, read the thread.

>>61025935
Is it really just webrtc behaving correctly? How is bypassing everything and running in the behind-the-scenes scope normal? Why isn't webrtc assigned its own scope if it doesn't run in any of the other ones?

>>61022637
>1416070001 appears in the 4chan source
Why tho? 2012-01-01

>>61018492
There was a huge thread about it on Tuesday.
to tl;dr it, this may or may not be able to tie a user's IP to their posts.

test

File: 1495867210872.png (167KB, 1340x362px) Image search: [Google]

167KB, 1340x362px

How come I don't have it? Does that mean I haven't been naughty like you guys?

>>61025794
WebRTC is disabled and I see that message. So I should be set?

>>61025509
Jah bless

>Tought I was safe since the very first thread about this shit cause it didn't show up on umatrix
>Checked ublock hidder requests today just because was curious
>ekansovi

Feels Bad Man

How do you block Google without breaking captcha? I can't post otherwise. Fuck paying gookmoot.

>>61026179
Yeah, the WebRTC bypass has fucked us all

>>61026179
it shows up behind the scene logger for me too, even though I blocked it in hosts

>>61026239
It will because the javascript is still running on the page. The blocker only stops the connection attempt from working so whatever it's doing is kept on your machine.

>>61023241
>chrome://webrtc-internals/
>ERR_INVALID_URL
so i'm basically safe?
and yes i'm using chromium

>>61026272
I see, thanks for clarifying.

>>61026239
Blocking WebRTC fixed this for me but actually what the fuck is going on?
I'm actually glad I'm not from US so if this are the feds they wont get me.
Hopefully none of you guys gets shit from it too.

Are there any other vectors aside WebRTC and some scripting shit? I'm using uBlock and noScript and it doesn't seem to be doing any connections anymore, am I safe now?

The actual tracking pixel comes from s0.2mdn.net

Whois for s0.2mdn.net says it was registered using Google DNS by MarkMonitor, Inc.

>MarkMonitor Inc. is an American software company founded in 1999. It develops software intended to protect corporate brands from Internet counterfeiting, fraud, piracy, and cybersquatting.

>>61026339
Check the Tor browser, they are trying to remove all fingerprinting, etc

>>61026179
>Checked ublock hidder requests
How?

>>61026454
behind the scene

File: bts.png (9KB, 552x166px) Image search: [Google]

9KB, 552x166px

>>61026454
>>61026467

File: 1473252509187.png (74KB, 992x880px) Image search: [Google]

74KB, 992x880px

>>61026467
>>61026488
Oh, I see. It still doesn't show for me though. Maybe I don't have it, which would be weird since my posting habits seem to be in line with those who claim to have it.

>>61026517
Why is the favicon requested multiple times a second? github fucking sucks

>>61026372
I know about Tor but firefox is really comfy after some tweaking, I'm just curious if there is some way I could see all the requests.
Is uBlock listing them all?

File: 1492195015931.png (840KB, 1176x1000px) Image search: [Google]

840KB, 1176x1000px

>>61026539
I-I don't know. I was reading some documentation for a bit but now that you mention it, it's kinda weird.

>>61026550
ublock can show "hidden" requests that the browser itself makes. Firefox/Chrome hide those so people don't mess with them. Other than that I think they show the same amount

>>61026550
The Tor browser is firefox with privacy tweaks. (Though js is still enabled by default which will probably result in people being killed)

>>61026626
No self-destructing cookies though

>>61026600
It is then, thanks

>>61026135
Yes, you're safe

>>61026852
Thanks, Anon

>>61026837
Yea, the Tor team are making some very dumb/intelFriendly decisions, they try to explain it away by saying it's to increase users of the tor network but they're only alienating people who know anything about security.

File: cancer.png (2KB, 326x31px) Image search: [Google]

2KB, 326x31px

>>61026852
>>61026339
Update, WebRTC block is not helping

>>61026971
could just be the request showing

>>61017643
cool story bro

>>61026989
oy, the dev commented here.

File: mods.jpg (13KB, 260x260px) Image search: [Google]

13KB, 260x260px

mods are asleep
post sinks

>>61027039
>>61026989
shills. do not respond to this shit

>>61026988
How do I know for sure it is blocked then?

File: NSAISPYINGONYOUFAGGITS.jpg (13KB, 320x434px) Image search: [Google]

13KB, 320x434px

>>61017643
finally

>>61026971
Websocket and WebRTC are two different things. Update the filters in ublock/umatrix (open settings, 3rd party filters, update now) if you didn't do it already.

>>61026971
are you the same guy who >>61026135
>disabled and I see that message
the message being
>Content Security Policy: The page’s settings blocked the loading of a resource at wss://a.ekansovi.com/wsp (“connect-src https: http:”).
?
If so, you're showing a /wsm rather than a /wsp request, and it would be interesting to know
- browser version
- status of media.peerconnection.enabled in about:config
- full string

>>61027119
WebRTC is used to exploit uBlock/uMatrix content filtering and to create a websocket.