a.ekansovi.com

>>61017968
bump

File: 1483749598115.jpg (4KB, 208x206px) Image search: [Google]

4KB, 208x206px

Stop telling lies on anonymous imageboards

>>61018387
What is he lying about, varg?

File: 1480456729982.png (348KB, 1814x940px) Image search: [Google]

348KB, 1814x940px

>>61018387
hello Ekansovi

>>61018427
test

I heard it was that Jordan tripcunt from here who trolled the 4chan app maker into adding it.
Too lazy to find the thread about it though, something about obfuscation and coffee scripts

>>61018408
>>61018427
I don't have it. You must have adware or some shit installed.

File: websocket.png (43KB, 1365x663px) Image search: [Google]

43KB, 1365x663px

>>61018483
forgot pic

>>61018482
Sounds halfway right. the connection code is heavily obfuscated. 4chans javascript or some third party? I'm using 4chan-X
>>61018499
do you use 4chan-X?

>>61018530
Yes

>>61018540
you must have s.4cdn.org blocked which is providing the script

File: 2017-06-21 19_39_07-(0) _g_ - a.ekansovi.com - Technology - 4chan.png (15KB, 1747x217px) Image search: [Google]

15KB, 1747x217px

yea deffo odd

File: umatrix.png (30KB, 533x418px) Image search: [Google]

30KB, 533x418px

>>61018716
Yes

>>61018757
all of the connection code is obfuscated

>>61018762
meant to specify script connections, but yea. explains that

unfortunately chrome websocket debugging doesnt show binary payloads, and sniffing with wireshark would require me to decrypt packets manually. so unless someone wants to reverse the obfuscated code, who knows what its sending/receiving

>>61018716

Not him, are you guys talking about
>Use Faster Image Host: Change is*.4chan.org links to point to the faster i.4cdn.org host.
In 4chan-X?
I enabled it in the setting and not blocking it also got no all of this evan bullshitery.

https://pastebin.com/qPFVy1A4
Here's an analysis of it I did for /g/sec. (There are also links to deobfuscated stuff in there)

Normie here. Can anyone tell me in layman's terms what exactly sort of information this is collecting? Also, is removing it as simple as blocking the URL in ublock / hosts and clearing my browser cache / cookies?

>>61021784
>Can anyone tell me in layman's terms what exactly sort of information this is collecting?
We don't know, it's either an ad agency hiromoot contacted trying to bypass ad blockers using various methods, or the NSA/Illuminati/FBI backtracking you

>as simple as blocking the URL in ublock
not really; in latest Chromium, even if uBlock Origin is able to access the websockets api in that browser there are still attempts to exploit the browser/ad blocker via webrtc, so you'll likely need uBO-extra 2.25 (with a special "defuse" rule for 4chan, now added to a list of rogue websites)
>https://github.com/gorhill/uBO-Extra/releases/tag/2.25
In firefox you've better disable WebRTC completely, still you'll see ekansovi.com references in uBlock Origin AND uMatrix even if you keep them both installed (one will block an https connection to ekansovi, the other one will block a wss); the about:webrtc page isn't detailed as in Chromium anyway it won't appear anything if you disabled all those media.peerconnection in about:config (if you're total normie, use an extension like "Privacy Settings" and disable everything under "Media")

adding this ekansovi to your hosts file should always work

>>61017968
>I blocked it in my hosts file to be safe

The only reasonable action to do with the websocket faggotry, besides using a websocket disabler addon.

>>61021908
thanks

File: 1498117524485.png (137KB, 452x846px) Image search: [Google]

137KB, 452x846px

>>61019383
>looks like some analytics for ad clicking
Who clicks ads on 4chan anyway? Sounds utterly pointless.

File: Screenshot_20170620_111825.png (221KB, 562x849px) Image search: [Google]

221KB, 562x849px

very bad

>>61021908
Strange no listings here too

File: Lola_Bunny_Wallpaper.png (2MB, 1280x1024px) Image search: [Google]

2MB, 1280x1024px

Crazy retard Lola > classic Lola

>>61026830
New Lola is best Lola.

>>61023630
We've had hardware backdoors since at least 2009.
Get used to it, 4chan lost its anonimity long ago.

>>61021784

a websocket connection is what you would use when you need to stream data.

They already know exactly what pages you are visiting and exactly what you post, so it isn't that.

they could be using our connection to mine buttcoins

nsa.gov

>>61018499
Check ublock behind the scenes

File: Egg of Ekans.png (28KB, 524x306px) Image search: [Google]

28KB, 524x306px

Is there a pattern to when ekansovi appears and when it doesn't? For me it shows up randomly and continues to be requested on every thread I enter for a random amount of time. And then it vanishes.
The board I'm on, the thread I'm in, the number of posts I make, it doesn't seem to have any effect.
I may be mistaken, but it seem way more likely to appear if I go on other sites. It appeared instantly after I went on Pinterest to see if it would trigger anything back here.

File: 1498014160746.jpg (157KB, 720x1080px) Image search: [Google]

157KB, 720x1080px

>>61017968

it's probably nothing you paranoid autist

>>61028350
it uses WebRTC for that purpose, read the (archived) thread.

What the fuck happened to the other thread. I was just in it.

File: not blocking ekansovi.png (114KB, 1069x673px) Image search: [Google]

114KB, 1069x673px

Why arent you blocking it?

>>61028601
That's not enough. Read the archived thread.

File: huma crying2 28-10-2016.jpg (22KB, 450x300px) Image search: [Google]

22KB, 450x300px

>>61028577
>it's probably nothing

>tfw

>>61026391

Do you have the cookie then?

>>61028576
Follow the steps in >>61027267
if you're using only uMatrix (why? cosmetic filtering is sorely needed) then you have to disable WebRTC entirely. If you're on Chromium, you can't disable WebRTC entirely and you need uBO-extra (and therefore uBO).

>>61028713
I know, but I'm not as concerned with blocking it as I am about learning what it is.

ekans is snake backwards

I'm running Safari on my laptop... I've uBlock Origin installed, and the dev console gives me an error saying: WebSocket network error: The operation couldn’t be completed. Connection refused

AFAIK Safari doesn't even support WebRTC.

Am I safe?

So just blocking ekansovi in my host file should sort this shit out right?

>>61029715
Snakes in literature often represent penis.

>>61030015

And chaos

>>61029937
You should be safe if there is no webTRC
>>61030005
No, you need to block the sub domain as well.

https://pastebin.com/FiWG9vN5
Link for others who don't know how.

>>61030065

Oright cheers

How do i know if i blocked it?

>>61030192
wireshark packet by packet analysis

>>61030033
Yes Jordan, they do.

@@||4chan.org$domain=4chan.org
@@||4cdn.org$domain=4chan.org
@@||googleapis.com$domain=4chan.org
@@||github.io$domain=4chan.org
||*$third-party,script,domain=4chan.org
||*$third-party,xmlhttprequest,domain=4chan.org
||*$third-party,websocket,domain=4chan.org

no need to thank me

Do Linux systems have something equivalent to the Windows Host file?

>>61030359

You dont need to do all this though

>>61030359
Please give a more detailed walk-through for the noobs anon-kun~

>>61030359
>>61030404
>'My Rules' Tab
* wss://a.ekansovi.com websocket block
* wss://ekansovi.com websocket block
Just two lines and done. Make sure you have uBlock Extra installed for chrome based and disable webRTC on Firefox.

>>61030505
Also make you you press save and commit.

>>61030370
Yes, it's on /etc

Anyone else using 4chan x getting an image corrupted message everytime they try to post an image?

>>61030609

Yup

>0.0.0.0 a.ekansovi.com
>0.0.0.0 ekansovi.com
>0.0.0.0 xhr.ekansovi.com
Anything else I need to block?

File: Don't be a pussy, let evans in.png (177KB, 962x770px) Image search: [Google]

177KB, 962x770px

>>61030609
No.

File: 1300996647186.jpg (65KB, 360x277px) Image search: [Google]

65KB, 360x277px

>>61030642

I can post images, im just getting an error message for no reason

File: 20151121_204942.png (444KB, 542x732px) Image search: [Google]

444KB, 542x732px

>>61030609
lets see

File: streaming is for fags.png (720KB, 1169x736px) Image search: [Google]

720KB, 1169x736px

>>61030663
I am not getting the error.

File: 1300469244416.jpg (68KB, 749x540px) Image search: [Google]

68KB, 749x540px

Good for you friendo

>>61018757
That string is literally just the title of the thread.


Wtf happened to this board?

>>61030359
Not enough
>>61030505
and not enough, see >>61028713

>>61030609
Yes, it's a consequence of the updated CSP filter on uBlock Origin. If you have updated your filters recently and you're on firefox, the CSP injection uBlock does unfortunately triggers that error. You can disregard that alert, your image would be uploaded successfully.

>>61017968
It's registered to Digital Ocean when I ran whois

>>61030630
WebRTC, see >>61028713

>>61030663
see >>61030790

>>61030790
>>>61030505(You)
>and not enough, see >>61028713

That's extra shit, its not even needed.

File: Screenshot_2017-06-22-15-25-05.png (211KB, 1200x1920px) Image search: [Google]

211KB, 1200x1920px

>>61017968
>checks 3rd party connections
>have ekansovi unblocked

How mych did I fuck up /g/

>>61030790

>You can disregard that alert, your image would be uploaded successfully.

How do i disregard the alert?

How do I block this without disabling WebRTC ?

Need it for discord

File: Capture.jpg (14KB, 615x34px) Image search: [Google]

14KB, 615x34px

ublock seems to be blocking it just fine

>>61030836
it's needed since uBlock and uMatrix can't perform content filtering un WebRTC AND via WebRTC a new unfilterable websocket is opened. Manually filtering wss won't really filter anything, and it won't show up in the logger. Please check the linked posts.

>>61030862
Disregarding it.

>w3m
Haha fight me ekansovi

>>61030893

>Disregarding it.

Yeah, how

>>61030845
>phoneposter
you kind is beyond salvation

>>61030900
Click "post" and your unacceptable image will be accepted.

>>61030893
Fuck off, I just said the shit on my rules is not needed since the Ublock Filters covers it.

>>61030918

Right my bad, i know that

I thought you were imlpying that you could disregard it in ublock and stop the error

>>61030883
that's not enough, update your uBlock filters. You should see only CSP-related errors.
On chromium
>Refused to connect to 'wss://a.ekansovi.com/wsp' because it violates the following Content Security Policy directive: "connect-src https: http:".
On firefox
>Content Security Policy: The page’s settings blocked the loading of a resource at wss://a.ekansovi.com/wsp (“connect-src https: http:”).

and so on.

>>61030927
>I can't post in an intelligible form
you're pardoned

>>61030904
>phone
a tablet you virgin neckbeard

>>61030965
btw, on Chromium the error doesn't show up in Console if you install (as you should) uBO-extra, to allow early "defusion" of the eval js.

>>61030965
This shit is nothing new. This ekansovi has been here for months.

>>61031017
one month; gorhill looked at it yesterday releasing a new uBO-extra and updating the defualt rules for uBO, explicitly referencing a thread made here.

>>61030997
if possible, that's even worse.

The fact that shit had been running on my computer for a month without ublock or umatrix catching makes me feel even more paranoid than I was before.

>>61031079
what is the worst thing that could have happened?

>>61031079
if you either
- had js completely disabled
or
- had WebRTC completely disabled AND blacklisted explicitly this strange domain
you're golden.

File: 1473171383343.gif (375KB, 300x237px) Image search: [Google]

375KB, 300x237px

>>61031119
>if you have nothing to hide you have nothing to worry amirite guys let's send all our backlogs to some rogue ad company what could ever happen :^)

>>61030630
filtering via hosts is a temporary patch, not a solution
the xhr subdomain doesn't resolve anymore
the a subdomain now resolve to 127.0.0.1, and the same goes for main domain

no more than few hours ago they were live, now they have shut it down (temporarily?)

probably they are shifting domains already.

Disable WebRTC completely and keep your filters updated, that's the only solution. This or stop visiting 4chan I guess

Can you tell if it is completely blocked by whether anything shows up in local storage? I know at least some of the connections store something there, but I don't know if they all do.

Why dont we just kill Hiro and give the site back to moot

He wont jew us

>>61031337
>moot won't jew us
Ahahahaha!

installing umatrix breaks 4chan x, what do?

>>61031549
No it doesn't, you are using it wrong.

>>61031595
how do I use it right then?

File: 2017-06-22 16_15_10-WebRTC Internals.png (49KB, 1306x546px) Image search: [Google]

49KB, 1306x546px

i just installed uBO extra and it seems to have nipped it in the bud. pic related is before. after that screen is completely blank. https://github.com/gorhill/uBO-Extra

it also no longer shows in console that connection was refused (it simply doesnt show up in console at all now).

is there a downside to completely disabling webRTC (or wss) in chrome? if not, how would i do this?

im trying to find a set it and forget it solution, as host files and blocking by hostname are obviously not enough since they can be changed on a whim.

>>61031325
No, looking at your local storage won't tell you if you streamed all your data via WebRTC-activated websockets to (((them)))

>>61031549
uMatrix is unrelated and ultimately not enough; both uMatrix and uBlock can't filter WebRTC. They can filter websockets but this is something different.


>>61031312
I investigated the xhr.ekansovi.com sni tls cert few hours ago and both the cert and the domain were there. Now the subdomain doesn't resolve and the other subdomain resolve to 127.0.0.1.
Nice, (((they))) have taken this botnet down now that (((they))) have been caught using these dirty tricks (and I'd say, this WebRTC exploit)
Probably they didn't like people started to investigate a STUN request did open a websocket to some remote server. Maybe they'll use the trick elsewhere or here with a different domain

>>61030015
Penis eggs, mystery solved

File: 4cha_mod_irc.png (6KB, 711x82px) Image search: [Google]

6KB, 711x82px

¯\_(ツ)_/¯

Hiro must be stopped

>>61031649
>is there a downside to completely disabling webRTC (or wss) in chrome? if not, how would i do this?
You can't disable WebRTC completely in Chrome; wss is a different thing and it could be handled by uMatrix/uBlock, unless it's started using this "exploit".

You should switch browser. If you really can't like firefox, consider ungoogled-chromium (it has WebRTC disabled).

>>61031694
That's inconsiderate. We're not talking about ads, we're talking about a rogue ad company using (pretty literal) exploits.

>>61031694
but its not an ad. tell the mods this. its a security risk.

>>61031735
does Iridium disable WebRTC?

>>61031694

>expecting some 12 yerar old mod to understand the issue

>>61031735
>>61031736
so use the feedback page desu
https://www.4chan.org/feedback
It works.

>>61031753
it has some WebRTC-related enhancements
>https://github.com/iridium-browser/tracker/wiki/Differences-between-Iridium-and-Chromium
but ungoogled-chromium seems to gather the patch for this from the inox patchset
>https://github.com/gcarq/inox-patchset

File: 1496373819857.gif (16KB, 205x274px) Image search: [Google]

16KB, 205x274px

>>61030609
Test.

My ubo shows green for this domain does that mean I dont have the right filters?

Are developer or nightly worth getting over regular firefox?

>>61031678
>Probably they didn't like people started to investigate [how] a STUN request did open a websocket to some remote server. Maybe they'll use the trick elsewhere or here with a different domain
what's worse if that this "incident" will now be forgotten (I wouldn't be surprised to see ekansovi completely disappear from the pages now that they've taken it off); but pretty much everyone with WebRTC enabled (the standard in any modern browser) could have sent (and could send in the future) who knows what to who knowns who on pretty much any web page running javascript.

>>61031943
You're ok; assuming you're on firefox, if you check the Console you'll probably see that the connection has been blocked via Content Security Policy thanks to the new uBlock filters.
Note that however now a.ekansovi.com resolves to 127.0.0.1...

Domain is nowhere listed in my enviroment.

Not in pi-hole log
Not in local DNS logs
Not in uBlock
Not in Firefox
Not in NoScript

Made a blacklist entry in pi-hole just in case

File: ekansovi.png (91KB, 1905x913px) Image search: [Google]

91KB, 1905x913px

>>61030800
Please elaborate

>Web Category: Content Server
>Activation:
>Last Seen: 2017-06-22

>>61031988
>Note that however now a.ekansovi.com resolves to 127.0.0.1...
and you don't have to believe me, if you don't have a terminal at hand check yourself here

https://www.digwebinterface.com/?hostnames=a.ekansovi.com&type=&ns=resolver&useresolver=8.8.4.4&nameservers=

>>61032007
filtering the domain name is moot, see >>61031312 and replies

File: moot smile.png (142KB, 259x348px) Image search: [Google]

142KB, 259x348px

>>61032037

>filtering the domain name is moot

File: poop.webm (2MB, 1600x1200px) Image search: [Google]

2MB, 1600x1200px

>>61031312
>Disable WebRTC
Palemoon doesn't have this problem.

Also, disabling websockets entirely is what people should be doing.

>Thinking you can stop (((them))) from getting your data

Fools

File: dig.png (184KB, 484x1970px) Image search: [Google]

184KB, 484x1970px

>>61031988
Thats interesting.

>>61032152
few hours ago it pointed to CF servers.

>>61032037
Fine. I disabled webrtc in Firefox.

I won't disable websocket though because html5

>>61032172
Is almost like they literally
>the goyim know. shut it down.

File: 1472688470282.jpg (21KB, 200x283px) Image search: [Google]

21KB, 200x283px

>>61031944
>using firefox

File: Lolwutmate.jpg (47KB, 600x623px) Image search: [Google]

47KB, 600x623px

>>61032198
>using SJW BOTNET...

>>61032175
>I won't disable websocket though because html5
>nug gaymes

>rogue ad company

oh no i might see an ad for penis cream

who cares

>>61031694
I want to creampie nana chan. Also, what do IRC mods even do nowadays? You can't even ask them to review bans now.

>>61032277
We don't know if it's really that though. Kind of strange how it likes to pop up whenever /pol/ is involved.

>>61032277
>there's an exploit right here affecting any browser which could siphon your data on any website running js
>let's make a joke on penis creams

>>61032281
>I want to creampie nana chan. Also, what do IRC mods even do nowadays? You can't even ask them to review bans now.

why ask anyone to review a ban?

I go through 5 IPs a day

File: 1476069237035.jpg (33KB, 193x350px) Image search: [Google]

33KB, 193x350px

>>61032277
>rogue ad company

They seem a little on the ball for a rogue ad company

>>61032321
Because some people aren't willing to drop money on a VPN or they don't have a dynamic IP

>>61032334
>Because some people aren't willing to drop money on a VPN or they don't have a dynamic IP

What service are you using, you can force an IP change if you have access to your modem

nothing like delivering some pizza to /mu/ or /lit/

they get so butthurt you would not believe it

File: 1478259085183.png (117KB, 326x345px) Image search: [Google]

117KB, 326x345px

>>61032277
https://www.youtube.com/watch?v=EsyoK02F27E
https://www.youtube.com/watch?v=6KFz9WRRNpk
Fuck off, considering who runs the website it's basically guaranteed this is something more.

Ever since this ekansovi thing started appearing I had it blocked on uMatrix, plus I've always had webrtc disabled through about:config
Do I need to worry?

File: ss.png (43KB, 1223x554px) Image search: [Google]

43KB, 1223x554px

>>61032152
>>61032172
robtex is now exposing this

and I bet that >>61030800
>Digital Ocean
this anon mentioned was made in reference with IPs there exposed, belonging to DO
so this suggests that this botnet was running on a DO droplet that hasn't always been filtered through CF
at least the "a" subdomain "slipped" at least once

>>61032391
>blocked on uMatrix
>plus I've always had webrtc disabled through about:config
you seem safe

>>61032415
>about:config
What's the Chromium equivalent?

>>61032436
You can't disable WebRTC in Chromium, see >>61031735

>>61032354
Nah I don't have problems with that kind of stuff I was just telling you generally why people care about bans.

>>61032393
a.d.mojigaga.com now points to 207.154.212.192 , DO again
this time it's not "hidden" through CF and it uses AWS nameservers

>>61032393
the AS and the ip block are DO.

>>61032415
Good. I remember noticing it at least a few months ago. But the only ones talking about that were people on /qa/ so I thought there was nothing to worry about. Nevertheless, I checked on both uBlock and uMatrix logs and they blocked it. I also added a new rule ||ekansovi.com$important just to be sure. But I completely missed the websocket thing, so that's what I was worrying about. Good thing I've disabled webrtc since day 1, if that was the actual exploit.

>>61030688
can you block ads on vaughnlive?

>>61032658
Not the video ones since its flash. Just use a program that allows you to stream it to mpv.

Using ublock origin. I had it yesterday when it was discovered. Seems to have gone now?

>>61032775
see
>>61032195

>>61032007
$ pihole -q ekansovi.com
::: /etc/pihole/list.preEventHorizon (0 results)

::: /etc/pihole/blacklist.txt (2 results)
ekansovi.com
a.ekansovi.com

>>61032332
>They seem a little on the ball for a rogue ad company
It's possible they monitor popular adblock lists, considering it was added to ublock origin yesterday.

>>61032393
>>61032152
>>61032037
>>61032172
for future reference

http://archive.is/20170622223009/https://www.robtex.com/dns-lookup/ekansovi.com
http://archive.is/20170622224240/https://www.robtex.com/dns-lookup/a.ekansovi.com

File: 1440523273822.png (121KB, 600x600px) Image search: [Google]

121KB, 600x600px

>Block ekansovi
>Captcha stops working in other threads

File: pemex 2300.jpg (4KB, 300x57px) Image search: [Google]

4KB, 300x57px

>>61033740
Are you using the street sign captcha?

>>61033775

Nah the select the squares one

>https://www.linkedin.com/company/10339396
>We believe in Fair Play. It balances between users’ right to expect a good and safe browsing experience and publishers’ right to control their online business, including the ad experience they provide.

Don't y'all want that fuzzy ad experience, mmmh?

>fair play
>exploiting WebRTC

>>61033740
>blocking 127.0.0.1

>>61033775
v1 and v2 captcha should work even with the latest uBlock additions and whatnot

adswithsalt dot com was called into play when evansovi wasn't blocked

so maybe rather than directing all the blame on uponit something like tisoomi.com/tisoomi-services.com should be investigated

>Thanks to years of experience in online marketing and advertising our team has created the best solution possible for this problem.
>We are able reach user with advertisement even though an AdBlocker is active.

File: Screenshot from 2016-12-03 15-17-28.png (141KB, 303x425px) Image search: [Google]

141KB, 303x425px

>>61033804
Ah I miss those, but the noscript v2 one doesn't seem to work anymore.
>>61033808
I never asked if they work.

>>61030370
autistic

>>61033960
>I never asked if they work.
You stated they don't work in other threads because of (causation) or after (correlation) a not better defined block you put in place, so yes, you never asked. You just assumed. Wrongly.

>>61031123
how do I entirely disable webrtc entirely?
I have this stupid leak prevent addon but I just want to get rid of it all together
fuck it

I've always had "stop webRTC from leaking local address" and updated filters every day on ublock origin. I'm good, right?

>>61034031
No I didn't. I asked "Are you using the street sign captcha?" to rule those out. You replied to the wrong person.

>>61032306
>Kind of strange how it likes to pop up whenever /pol/ is involved.
It appears on every board I visit, even if there's no /pol/ shit around.

>>61034146
it appears on 4chan.org. regardless if you're on a board or not..
he has autism
it's in the main website's javascript to load the fucking site.

>>61034089
you can disable it entirely only on firefox; if you don't want to mess with about:config settings you can follow >>61024955

>>61034103
No, that's completely unrelated. uBlock can't perform content filtering on WebRTC. It simply prevente a leak.

>>61030370
Yes it is in a more sane location than Windows

>>61034172
my firefox is locked to all fuck
was wondering about iridium
looks like the ublock extras blocked all webrtc though

>>61034172
This. it prevents leaking of your IP, but it doesnt block webRTC

Currently using wireshark to determine if my hosts file is really blocking it

>>61034192
test

>>61034189
>looks like the ublock extras blocked all webrtc though
it only holds a hard-coded list of rogues sites (4chan has been proudly added to that list).
It won't block all WebRTC on every site.

Iridium has already been addressed in the thread, give a look with ctrl+f

File: 1478056375694.png (151KB, 1912x1582px) Image search: [Google]

151KB, 1912x1582px

>>61034202
>>61034192
nothin

>>61034225
yea I read it, literally nothing

>>61034177
what's wrong with %windir%\system32\drivers\etc

>>61034246
lol
what's wrong with installing directX for every single gayme on a computer

>>61034230
test #2

>>61034280
test #3

>>61034257
>caring about muh gaymen
>installing dx in 2017

>>61034230
>>61034192
>Currently using wireshark to determine if my hosts file is really blocking it

Block what? The botnet has been shut down to prevent further investigation. The domain points to 127.0.0.1.

>>61034296
>not reading what I said
>thinking I'm on windows because you can't do above

sad go back to /v/ or /pol/

>>61034297
>using 127.x.x.x instead of 0.0.0.0
you're an idiot

>>61034307
whatever you say /v/ermin

>>61034297
missed that. however, chrome://webrtc-internals still shows the attempt to connect - I wanted to confirm it was a full connection. Wireshark doesnt even show the attempt to localhost or 0.0.0.0 - what I have it pointing to in hosts

>>61034138
>I asked "Are you using the street sign captcha?" to rule those out.
So, I've then replied to you both, since v1 vs v2 isn't an element to factor in with the latest uBlock additions (I did check in both firefox and chromium before posting that reply using both v1 and v2 captchas).

>>61034319
you didnt even read his post dumbass

>>61030065
>https://pastebin.com/FiWG9vN5
What does this do? It's not quite clear to me from the text in the file.

>>61034331
clearly I did.. how else would I know what ip it goes to?

>>61034319
it turns out you're the idiot here.

>>61034341
please stop embarrassing yourself. >>61031988 >>61032152 >>61032037

>>61034332
forget it, >>61032046 >>61031312

File: vout23.webm (3MB, 960x720px) Image search: [Google]

3MB, 960x720px

15KB obfuscated javascript that gets attached to every thread on 4chan, with decrypted strings: https://pastebin.com/C0Mj6vHL

>>61034328
I never wanted your answer, I wanted his answer so I can rule out that captcha.
You gave him a ">blocking 127.0.0.1"
I already know because I can post. There was no need to reply to me.

>>61034346
you got the autism comrade

Clover doesn't have this problem :^)

>>61034444
>I wanted his answer so I can rule out that captcha.
and I replied to you to assure (you and him) that the captcha version wasn't responsible for it.
I replied to him with that memearrow because he posted a tinfoil reaction image and from the look of it he performed some kind of unholy manual blocking. I've then added to your reply to anon the simple fact that v1 and v2 works perfectly and the attention shouldn't be directed to the captcha version at all, since it works with all the suggested blocking strategies expressed insofar (uBlock, disable WebRTC, hosts file)

>>61034509
Clover has lots of other problems.

>>61034509
are you sure it doesn't fetch the page and it just recreates images and posts using json?
>apps to browse a site
I'm too old for that shit

>>61034514
If you were replying to both of us you would have put both ids together and not separate.

>>61034521
Such as?

>>61034553
Clover uses the official API.

>>61034554
I've replied to you to correct your question (since the suggestion to investigate the captcha version started from you) and the other anon's got a (You) already in that post. Hopefully the way I manage my replies didn't trigger you too much. Take care.

>>61034444
>I wanted his answer so I can rule out that captcha.

It breaks the 3x3 square one, v2 as you said hasn't worked for a while, probably a combination of my addons eskansovi or not and I stopped using the street sign beginning of this year because it kept asking me to type like 7 times
I'm back to using the text typing one right now

>>61034514
>some kind of unholy manual blocking

>Blocked everything in UMatrix
>Added the domains to UMatrix's host file
>Disabled WebRTC
>Installed Chromium for discord
>Marked a norse rune of protection with my blood

It's all perfectly normal

File: 1468615865122.gif (495KB, 500x256px) Image search: [Google]

495KB, 500x256px

>>61034665
>Marked a norse rune of protection with my blood
have you tried turning it off and on again?

>>61034634
I asking him if he was using said captcha, not if the captcha was working. I already told a few posts that I already knew they work (except the noscript one). Stop assuming I was asking that.
>trigger
>the way I manage my replies didn't trigger you too much.
>>>/out/

>>61034665
>I stopped using the street sign beginning of this year because it kept asking me to type like 7 times
Same here but months ago, I don't think it was eskansovi since I completely had Javascript off. If it still worked I wouln't have to deal with this eskansovi shit since it only seems to load when javascript is enabled. But it did stop working when they added eskansovi which was around that time so they could be linked.

using ublock origin on Microsoft edge. the domain has the red bar by it which means it's blocked on some level. I had put ||ekansovi.com$domain=4chan.org in my filters and that's all. can I disable webrtc in edge?

>>61034793
the only true way is to block it in hosts

>>61034745
>Stop assuming I was asking that.
You were assuming that, see >>61034444
>I wanted his answer so I can rule out that captcha.

>I already told a few posts that I already knew they work (except the noscript one)
Quite the contrary, you were suggesting that v1 or v2 was any relevant for his issues and you never stated the opposite and you wanted his answer to rule it out. I've already address this concerns of yours.

>it only seems to load when javascript is enabled
no wonders, it's literally a js eval.

>>trigger
>redirection to different board
Take care.

>>61034793
read the thread.

>>61034832
read the thread, >>61031312

>>61034858
No you didn't because your answer had nothing to do what I wanted to know. If anyone is assuming, its you. I wanted to know if he was using that captcha not that it works

>no wonders, it's literally a js eval.
It worked with 4chan's and google's javascript disabled.

>redirection to different board
Yes, out.
.

>>61034921
>It worked with 4chan's and google's javascript disabled.
That's because its directly embedded in the page (not an eval btw) and 4chan's own js uses a <link> tag to load

>>61034921
>It worked with 4chan's and google's javascript disabled.
It's an inline eval script. If you blocked 4chan but allowed inline scripts in uBlock, it would have run. If you disable entirely 4chan's js, using uBlock or NoScript or whatever, it wouldn't have worked. You can check right now. Fire up a console and try blocking 4chan but leaving inline scripts vs blocking 4chan entirely. I seriously doubt you have used 4chan with all js (inline scripts included) disabled.

You're welcome.

>If anyone is assuming, its you.
I've quite literally quoted your words, you "wanted his answer to rule out that captcha" right after he expressed those concerns. That's not assuming on my side, there's no need to thank me for having ruled out immediately that element.

Take care.

>>61035015
It's an obfuscated eval too. It was deployed several times.

>>61034146
fuck you i didn't read this thread when i said that

File: IMPORTANT.png (6KB, 500x500px) Image search: [Google]

6KB, 500x500px

If you have uBlock Origin add this to prevent the obfuscated Javascript from running:

4chan.org##script:contains('gIlePonVjyjmEpHGmTsFPsEYyxBVkstc')

>>61035583

I just paste that line into my rules right?

>>61035721
'My filters', just add it to the bottom

Bois, it is late here, this thread is spooking me

Someone give me a quick rundown, I have never seen this ekansovi.com domain in my uBlock origin domains list

I use firefox

>>61035880
It haccs u @ night

File: 1478309736899.jpg (353KB, 971x1500px) Image search: [Google]

353KB, 971x1500px

>>61032321
I was using my pass and got a perma ban for CP or some shit. The new system doesn't let you appeal for some time so I had to go on IRC and they just told me to wait. The next morning, I woke up and the perma ban screen was gone so I guess they just recognized their mistake.

Still, 4chan mods and jannies circa 2007 were chill and approachable.

>>61034607
Being shite.

fucking hell, I'm becoming paranoic, this shit is driving me insane

>>61035583
>>61035737
useless, please read the thread.

>>61039543
Alright, enlighten me

>>61039551
just update the default uBlock Origin filters, a new rule has been added by gorhill explicitly referencing a thread made here. It injects fake CSP rules on 4chan's pages, ruling out any https, wss AND WebRTC exploit (WebRTC ***can't*** be filtered as usual with uBlock and/or uMatrix, any custom made rule didn't cover the WebRTC trick). Chrome users have also uBO-extra with "early defuse" scriptlets.
Moreover, the botnet has been taken down, the domain in OP redirects to localhost now.
In the long term disable WebRTC entirely if you're on a browser that allows you to and please read the thread.

>>61039611
Just having the uBlock Origin filter doesn't prevent 15KB of obfuscated Javascript from running you dumb cunt, it just stops the connections. The rule you replied to stops the Javascript from running

>>61039611
for reference
>https://github.com/gorhill/uBO-Extra/releases
>Added 4chan.org to upManager defuser: WebRTC is being used to escape blockers.

>https://github.com/uBlockOrigin/uAssets/commits/master
>commit "further fix https://rbt.asia/g/thread/61009719" (can't link direcly here)

>>61039645
useless, please read the thread.

>>61039677
It's not useless, it's stopping a whole bunch of Javascript you dont need from running.

>>61023630
Time to start using a VPN..

>>61039687
it's entirely useless, obfuscated code can be replaced in a whim and they have already taken off the botnet pointing to the domain in OP now that they have been caught; something you could have learned reading the thread.

>>61039704
a VPN won't solve the issue detailed in this thread.

>>61039715
I honestly didn't think I gave you enough room to misunderstand my intent but here you are to prove me wrong, I'm not angry I'm just disappointed.

So I basically have to use Firefox now?

>>61039730
VPN, and uBlock?

>>61039736
whilst you proceed in being disappointed feel free to read the thread and please pretty please with sugar on top refrain from suggesting yet another totally useless and totally circumventable custom made rule.

>>61039751
if you want to disable WebRTC entirely, you need firefox or ungoogled-chromium. Otherwise you need to rely on hard-coded lists in uBO-extra and in CSP rules injected via uBO lists. It took at least a month from the first ramblings about the domain in OP to the block enacted in the last 48 hours; during all this time any user who didn't disable WebRTC entirely was potentially affected by this domain. So, consider that hard-coded lists won't protect your from day 0.

>>61039766
VPN is pretty much unrelated; also it's formally against the rules to use a VPN to post here.

>>61039823
No it's not, you need to purchase a 4chan pass.

File: Screenshot_20170620_141316.png (110KB, 489x557px) Image search: [Google]

110KB, 489x557px

Will this work?

>>61039823
what about Vivaldi?

>>61039829
>paying a botnet-enabler in order to use a VPN that won't protect you from said botnet

>>61039839
I don't know about closed-source chromium forks (they are entirely pointless to me, and pretty pretentious too) but I'd bet my left nut that you won't be able to disable WebRTC on it.

>>61039829
I think they removed that exception. At least I don't see it on the pass page anymore.

>>61039839
>Vivaldi
Anon pls, I don't enjoy baby barfing

>>61039823
I don't have to read it, I know what's going on because I'm the one who made and read through the 360 post long thread yesterday, as well as the person who decrypted the strings, but I guess I'm wrong because some chucklefuck completely missed the point of what I was doing.
Every dumb motherfuckin' reply you make I'm donating $5 to a feminism group of your choice.

>>61039863
Personally I'd choose the todogroup so they can continue to open pull requests to your favorite projects with their code of conduct http://todogroup.org/opencodeofconduct/

or just github itself, I'm not sure there's much of a difference anymore.

File: 1487830579610.jpg (34KB, 526x526px) Image search: [Google]

34KB, 526x526px

>>61039863
>the person who decrypted
>I'm the one
come on, it can be prettified in 4 secs by an average 15 yo able to use a search engine (you don't even need to install gentoo).
It's sad to see that your clear autism is preventing you from considering the issues at hand clearly. Seek help and feel free to use a trip I can filter.

>>61039831
Sure

>>61039895
You're either impossibly stupid or a really good troll, and I'm not all that interested in replying to either anymore.

>>61039908
Take care, please avoid suggesting totally useless rules in the future.

File: You too.webm (638KB, 320x240px) Image search: [Google]

638KB, 320x240px

>>61039924

Please tldr me even though i scrolled through the whole thread i dont get the conclusion.

What do i need to do? I had this shit blocked in noscript and in ublock origin (my filters and my rules behind the scene) for a while.

Do i also need to disable whole WebRTC thing? Are there any downsides to it?

How do i disable WebRTC in firefox?

>>61040273
First you have to click on the address bar and put in palemoon.org, download that and then uninstall Firefox.

>>61040281
>furry

>>61040304
It's either a furry who knows what he's doing, or a bunch of feminists who don't, your choice.

>>61017968
>a.ekansovi.com
Thanks anon, shit listed in pi-hole.

>>61040319
Or you could use SeaMonkey

>>61040319
>tfw I switched to Pale Moon before Hiro came (non sexually)

Guys am i safe now that i updated my ublock origin? webrtc is disabled. javascript is disabled in noscript.

Now i get

xhr http://detectportal.firefox.com/success.txt

after updating filters. Dafuq is this?

I get xhr everything 4chan now after updating uBlock Origin filters. Is this normal?

File: dont panic.png (95KB, 192x279px) Image search: [Google]

95KB, 192x279px

this is some spooky stuff

File: Screenshot_20170623_070922.png (12KB, 342x285px) Image search: [Google]

12KB, 342x285px

Are these the right settings?

Vivaldifag here

>>61026830
>make artwork DA wannabe oddparents tier and just generally worse
>make outlines 3x bigger in illustrator
>no more seductive semi-femdom lola

yeah I don't like it

What is local storage and how do i clean it? Im using Firefox.

>>61040666
no, uncheck WebRTC

though to be safe I would also put in an explicit filter using whatever tool that browser has. and if you can look at a log or console to make sure it's being actively blocked. clear cache and reload the page before looking at the console.

>>61040273
it's an option in the ublock origin settings tab. should work on any FF ublock does. I would also enable all the ublock-specific 3rd party filters in that tab. and/or add a blanket filter in the my filters tab.

why is there not a thread about this on every board? it seems like a very big deal

>>61040963
I imagine they'd just get deleted for being "off topic". Is there one on /pol/?

>>61040905
alternatively, you can set it on FF yourself without using ublock by going into about:config and setting “media.peerconnection.enabled.” to false.

>>61040666
that WebRTC option is totally unrelated, you can't disable WebRTC completely on that shitty closed source piece of cancer you chose.

>>61040199
jesus, just update uBlock Origin filters, see >>61039611

NoScript blocking is ineffective.

If you are using Chromium consider uBO-extra.

Yes, disabling WebRTC would prevent similar exploits in the future.

The botnet has been shut down, any measure to address THIS domain and THIS inline script is useless. uBlock's approach will prevent similar shit happening on 4chan using different "sneaky" domains and/or different scripts. To fully prevent this kind of exploit from day 0, disable WebRTC and double check your dashboards in the future.

>>61040963
they already shut this botnet down, see >>61032152
so, sadly >>61031988
>this "incident" will now be forgotten (I wouldn't be surprised to see ekansovi completely disappear from the pages now that they've taken it off)
it may re-spawn in different ways in the future

>>61041134
>double check your dashboards in the future.
For what?
>Yes, disabling WebRTC would prevent similar exploits in the future.
I had WebRTC disabled all this time but this ekansovi shit still were doing something via websocket. Now after updating uBlock filters i no longer see any entries in the behind the scenes log. Is it because the botnet is shut down or because of updated filters? Thank you very much smart anon!

>everyone says to completely disable WebRTC in Firefox
>no one says how
Okay.

>>61041485
See >>61040281

>>61041492
Very funny.

>>61041500
you think I'm joking but I ain't laughing nigga

I have WebRTC disabled with media.peerconnection.enable (false) but i dont see a picture like in >>61024715 Do i need to change something else in about:config?

I actually had some faggot exploit my firefox through webrtc over a year ago. It was driving me crazy trying to work out how he got in. He kept dropping hints about my browser activities.

>>61041595
I'm sorry but that's fucking hilarious if I imagine you're just schizophrenic

>>61040544
Not related to this the fact that it showed up is probably a coincidence.

Some shittier wifi hotspots use a kind of reverse proxy to filter out people who don't pay them money. That request is to test if firefox is working under one of those so it can automatically configure itself to work properly with it. It's probably safe to block that unless it's a laptop that you travel with and regularly connect to unsafe wifi hotspots.

I have WebRTC disabled with media.peerconnection.enabled false. I have ekansovi blocked in noscript. I updated uBlock Origin. This is it? Am i safe now?

>>61041300
>For what?
for future suspicious domain names that may or may not pop up while your browse this cesspit

>>61041300
>i no longer see any entries in the behind the scenes log. Is it because the botnet is shut down or because of updated filters?
because of the updated filters. If you check the firefox Console (not the uBlock logger) you'll see messages about evansovi being blocked thanks to a Content Security Policy injected by uBlock itself. This way you'll pre-emptively block all that shit that used to reach the logger, PLUS the shit that didn't appear in the logger.

>>61041562
>I don't see a picture like
but you'll probably see in Console the message listed in >>61025794
also consider that >>61025893
>uBlock Origin takes precedence
>the "Content Security Policy" error will be logged if you have updated uBlock Origin's filters recently no matter if you have disabled WebRTC completely.

>>61041655
>media.peerconnection.enabled false
>updated uBlock Origin
that's all you need.

File: 1.png (3KB, 250x93px) Image search: [Google]

3KB, 250x93px

I do good boss?

>>61041738
not enough since uMatrix/uBlock can't filter WebRTC via their dashboards, but you're lucky: ekansovi.com doesn't resolve any more.

>>61041738

You were already exploited if you had not disabled WebRTC.

So, this was pretty clearly an attempt to deanonymize posters. How is this not huge?

Considering how well this went I think it's pretty likely this method will come back in the future. Definitely don't allow webRTC to run ever.

>>61041711
>but you'll probably see in Console the message listed in
Yup! I have this one.
>>uBlock Origin takes precedence
>the "Content Security Policy" error will be logged if you have updated uBlock Origin's filters recently no matter if you have disabled WebRTC completely.
Ooh, i see! Thank you very much anon. Have a good day!

>>61041751
>uMatrix/uBlock can't filter WebRTC via their dashboards

What's the XHR request in uMatrix then? Is it just unrelated to this?

>>61041769
>deanonymize posters
you are assuming that posters were anonymous in the first place. you are a dumb newfag

File: You hear the studio audience applaud!.webm (3MB, 1920x864px) Image search: [Google]

3MB, 1920x864px

>>61042045
You're too confident of an idiot for your life to work out well

>>61042108
says the guy that thought 4chan was anonymous

https://www.scribd.com/doc/35688046/Christopher-Moot-Poole-Testimony-in-Palin-Email-Trial

>>61042134
your dumb ass completely misunderstood me; I didn't say 4chan was anonymous, I said it was an attempt to deanonymize users and if you had thought about it for even a second you would have considered that maybe I meant people who were using VPNs or a decentralized anonymity network and not any random dickwad with a phone.
and for your information I've probably been on 4chan for longer than you've been transitioning into a woman :^)

>>61042204
if you weren't so fucking new you'd know that vpns and tor are banned on 4chan

there is nothing to 'deanonymize' you fucklord

>>61042225
I don't even need to try to embarrass you, you're doing a better job than I ever could.

>>61042241
out of "arguments" already?

that's just fucking sad, even for newfag cancer such as yourself

>>61041769
>an attempt to deanonymize posters
Jesus Christ, you poltards are fucking retarded.

>>61042253
You're riding off some insane assumptions that only an undeserved confidence could justify.

>>61042305
you're the retard newfag that thought anonymous posting on 4chan was possible, not me. go back to /pol/ you uneducated dullard. you are only hurting the discussion in this thread by posting your mental diarrhea

>>61042326
You're actually starting to bore me now

>>61042348
refer to >>61042253

>>61030965
I get the Firefox error. Does that mean I am in the safe zone?

>>61031358
I thought the space cowboy worked for google now.

>>61041769
>he thinks anyone is anonymous on 4chan
If this site was anonymous in any way shape or form it would have been flooded by cp and drug trades a long time ago. Are you seriously this dense?

>>61042352
>>61042443
Do I even need to explain to you how it's logistically impossible to ban every proxy, VPN, and decentralized fuckery. I'm aware that 4chan has banned a lot of proxies, VPNs, and pretty much 99% of the Tor network, I've been here probably longer than you have. Private Tor networks exist, other decentralized anonymity networks exist, personal VPNs exist. But fuck me meet me half way, I can explain it to you but I cant comprehend it for you.

>>61036745
How do you get banned for CP if you were innocent?

>>61017968
You do realize that Google already tracks everything you say and do on 4chan using reCAPTCHA, RIGHT? You are assigned a userprofile.

>>61042485
this is just getting sadder and sadder. you know what, anon? i'm starting to feel bad about this. picking on the handicapped kid just isn't very satisfying. instead, i'm going to brighten up your life a little. i'm going to be that one shining ray of light in your bleak existence.

i will let you have the last word.

so come on, let me have it. make it count. i'll gladly take it if it means you'll experience the sweet taste of victory for once in your life, and you can go to bed knowing you achieved something.

>>61042609
refer to >>61042253
:^)

>>61042443
There are still CP floods now and then. It's just not worth the effort for most people.

>>61041751
>but you're lucky: ekansovi.com doesn't resolve any more.
I have a bad feeling about this...

>>61041751
>but you're lucky: ekansovi.com doesn't resolve any more.
Anyone who didn't filter the websockets was exposed, they may have already gotten what they needed and when people started catching on they took it down to prevent further examination.

Since this thread has a lot of very smart people i want to ask here. I pinned uBlock Origin's logger in Firefox and noticed that every time i restart my broswser there is

xhr "http my ip address". What is this? This happens even when browser starts with single logger tab. Is this normal behavior?

>>61041904
ekansovi tried to phone home in more than one way

>>61042380
update your uBlock filters and check media.peerconnection.enabled in about:config

>>61031768
>latest reply to anything is nearly two years ago
I'm pretty sure submitting feedback through that page does not, in fact, work.

File: peerconnection.png (3KB, 481x92px) Image search: [Google]

3KB, 481x92px

>>61043528
>media.peerconnection.enabled
since friends don't let friends befriend botnets, suggest https://addons.mozilla.org/firefox/addon/privacy-settings/ to your normie friends and secure (at least) the media-related settings

Reminder that 4chan X user could get this error >>61030609 but it's totally bogus

>>61034246
The part where they literally copypasted the location from unix systems.

>>61043691
They actually took the entire network stack from BSD and incorporated it into windows in the early days. Winders' current network stack is custom I believe though but the hosts file remains untouched.

we need a new thread

>>61042492
I have no clue. Maybe the targeted the wrong post or IP. Anyhow, it was resolved on their end within 24 hours.

>>61023630
>Been using noscript and Ublock for like 10 years
>Still can't understand why people don't all do this
Whatever, ignorance is bliss, right up to the grave I guess.

File: sd.png (52KB, 368x969px) Image search: [Google]

52KB, 368x969px

>>61044739
>Still can't understand why people don't all do this

not everyone is autistic like you

>>61044766
>Only have to allow scripts you trust once and then they are allowed forever
>Even going on JS ridden shitpiles to begin with
And I'm sure your retardation makes someone a lot of money, congratulations.

>>61044788
>>61044766

pls tell me which sites in pic related at necessary for the slickdeals.net site to function

>>61044810
Literally the first one, which is already enabled you retard.

>>61044825
nope... the rest of the site isn't usable then. try again.

>>61044838
I'm using it right now you stupid faggot, it works fine.

Half that shit in that pic isn't even in the script list on the fucking page.

File: Untitled.jpg (78KB, 275x605px) Image search: [Google]

78KB, 275x605px

>>61044838
I made this for you since you are a fucking retard, maybe you can use it next time.

Seems like all the /g/ pedos and racists are going to jail. RIP

>>61043610
It definitely does work, I've seen people talk about their responses.
They don't list all of them on the page.