>15KB of obfuscated Javascript in every thread on Sup Forums (not being loaded from a 3rd party website) >Unironically uses XOR for its string encryption >Sets up a websocket connection to a.ekansovi.com/wsp >Something to do with ice servers / stun servers.
It's just a tracking pixel and you're basically retarded.
Oliver Brown
you realize websockets and tracking pixels are two entirely different things right? e() is only 11 lines of 550.
Luke Rodriguez
So what I don't understand is that it seems to be ad related trickery to get around common adblockers, but where are the ads?
Liam Hernandez
shill
Noah Wright
I think it's trying many different methods to track you; a 1px by 1px image, an embeded js file, and a websocket, and some XHR which looks as though it sends your useragent to.
Jeremiah Rodriguez
Websocket section looks like it's sending a fingerprint in sha-256 delimited by colons.
Josiah Allen
> ekansovi Haven't seen them in a long time, last I saw something connecting to there it was just tracking
Brody Sanders
Make sure you have ekansovi.com and a.ekansovi.com blocked, gorhill apparently pushed an update that blocks them a couple of hours ago but just check to be safe
William Cruz
I've taken a look at it and it's nothing substantial.
Josiah Baker
>t.Hiro
Cooper Turner
...are you going to elaborate?
Adrian Price
>non-free javascript
Jackson Brooks
Possibly testing attack vectors. Not necessarily an attack.
Eli Nelson
>gorhill apparently pushed an update that blocks them wut
Henry Bennett
Any girls have an opinion on this?
Ayden Taylor
No need to block it. It'll make Sup Forums better.
Jaxson Cooper
uBlock Origin filter update
Aaron Moore
...
Thomas Ortiz
shill
Luis Hall
Its not listed under by umatrix.
Haven't seen it here. Maybe you're infected?
Bentley Rivera
who owns the domain?
Carter Perez
wew is he one of us?
! rbt.asia/g/thread/61009719 ! Appears related to uponit.com ||ekansovi.com^ ! Somehow, websocket requests are behind-the-scene with Firefox. Pending ! further investigation, this fixes the issue. ||Sup Forums.org^$csp=connect-src https: http:
Landon Gray
theguardian
Ryan Ross
Apparently it might only be showing up for people from certain countries. Right click > View source Search for b.u("gIlePonVjyjmEpHGmTsFPsEYyxBVkstc"); That's the class for the XOR string decryption.
Isaac Ross
Unless the key is randomly generated, in which case you'd have to search for b.u("... unless the names are randomly generated as well in which case just look for 15KB of random as fuck javascript.
Lucas Thomas
What made you come to that conclusion?
Hunter Hill
Hmm the key is there. The script is there, but its not running from a third party site.
Does that mean Sup Forums runs its own version?
Oliver Roberts
>Appears related to uponit.com There you have your question answered OP
Jose Ross
Yep
Ayden Johnson
It's a joke.
Luke Thomas
test
Brody Baker
How can i block it with Ublock?
Charles Scott
I have ABP on and I still see three little ads at the bottom of every Sup Forums page.
Mason Howard
Open the uBlock settings Go to the '3rd-party filters' tab Click on the clock icon next to 'uBlock filters' Click the 'Update now' button at the top
Jaxon Walker
it's on the front page of Sup Forums as well, not just every thread I can confirm it loads regardless of browser or addons. from different locations all around the world
those who say it does not load for them I have no idea why. But any OS, any browser, any addons (or none) on different ips and physically different computers all have it loading.
only thing I can say is those who don't have it loading have the old cached version of the javascript on Sup Forums still running
Wyatt Parker
(you can open the settings by clicking on the uBlock button and then clicking the gear icon on the far left in the gray bar at the top)
alt. click on 'domains connected' in the uBlock popup make both columns for 'ekansovi.com' solid red then save by clicking the padlock icon.
Cameron Morris
you forgot to mention ekansovi
ekans ovi
snake egg
Zachary Allen
>uponit.com >Immune to filters or blacklists Am I really going to have to start blocking ads with hosts file?
Julian Turner
They're uponit domains. End of story.
Luis Adams
>unblockable If that's related to this, and this uses websockets, then... >||*^$csp=connect-src https: http:
Bentley Baker
'Appears to be related to uponit' != 'Its uponit'
Carter Wright
||wss:// actually, probably should have tested it first.
Oliver Morris
it smells more like some elaborate scheme to catch ban evaders. hiro should just put mobile shitters in read only mode or at least increase the post timer
Connor Williams
No, it is literally uponit. Do some more investigation.
Jason Morgan
>Immune to filters or blacklists
whatever they are doing, it doesn't seem to be working. i don't see ads here or on their site
Isaiah Taylor
...
Asher Ward
>Unironically uses XOR for its string encryption
Joshua Stewart
I don't get what Miley Cyrus has to do with this :^)
Parker Reyes
That's because they're using it for tracking, not for displaying ads.
Cooper Gonzalez
yep I get this same key
USA here but blocking cross site requests
Cameron Green
Can it be blocked with noscipt? Does private browsing mode and deleting cookies and cache work?
Jeremiah Kelly
Unless you're blocking Sup Forums.org, no. Just get uBlock, or if you already have it update the uBlock filters in '3rd-party filters'
Christopher Kelly
Am I good now Sup Forums?
Blocked it everywhere I could.
Adam Long
There's two instances of b.u in the code, that's the first one.
Probably... hopefully.
Jacob Gonzalez
I just blocked it in hosts file.
Aaron Campbell
how to even take a picture of umatrix it leaves when I grab terminal to scrot it
Gavin Garcia
Hmmm, the logger is still showing it, after I had blocked it, is this just because it attempts to or is it bypassing the block?
How do I do that?
Pic related time is after I had blocked so it might still be coming through
Adam Sullivan
scrot -d [delay in seconds]
Click on the uBlock button, click the grey title bar at the top, go to the '3rd-party filters' tab, click on the clock icon next to 'uBlock filters', click on 'Update now'
Benjamin Clark
I'm not getting this domain. It's probably coming from that notorious malware 4chanx.
Brody Reyes
that's some low effort bait right there
Owen Green
what is a good logger aka what are you using?
Evan Bennett
I'm on firefux vanilla Sup Forums and see it in umatrix
Joseph Cook
I FUCKING KNEW IT
Lucas Morgan
pastebin.com/FiWG9vN5 for hosts file instructions. THIS IS FUCKING BIZARRE: Sup Forums wouldn't let me post the specific text of this pastebin link, giving me a connection error. Pic related. It lets me post normally otherwise.
Easton Sanchez
Well shit I did that and it still showing up in the logger
Also I'm visiting random Sup Forums threads to confirm it shows up as thats when it appears only so far.
Its just uBlock Origin's logger
Liam Hall
Very suspicious coincidence.
Thanks for the link user
Andrew Anderson
Trying to post the text from that pastebin through post a reply at the top instead of the little reply window gets this response from Sup Forums. My IP is obviously not blocked as I'm posting right now. What the fuck?
Thomas Hall
127.0.0.1
Isaac Davis
...
Kevin Walker
kek I just had that idea too, you beat me
Isaiah Turner
127.0.0.1 a.ekansovi.com 127.0.0.1 ekansovi.com
Ryan Ramirez
test
Liam Richardson
In advanced cookie manager there is a cookie for that website named __cfduid or some shit. Anothr user didnt see it listed in the normal cookei viewer
Alexander Long
Thats a cloudflare cookie
Jace Richardson
Why not 0.0.0.0 a.ekansovi.com 0.0.0.0 ekansovi.com
Joshua Parker
literally won't let me post this posted this though
Dominic Gomez
This is the line which returns the connection error. Fucking bizarre.
Carter Jackson
Looks like simply etc(slash)hosts returns the connection error.
Joshua Butler
I guess Im out of the loop, can you explain to me what addons I should be running and why?
I am using noscript + ublock origin. I was using noscript + adblock plus or something but I was told they are cucks now and switched.
Now Im seeing all kinds of other crazy shit and I dont even know what it does
Daniel Rodriguez
>Its just uBlock Origin's logger
Thanks
Requestpolicy blocks ekans egg completely
Jaxson Johnson
Well I did the hosts file thing but new instances of ekanshitty still show up in the logger when I click new Sup Forums threads in the catalog
Should that be possible even with hosts file solution? Is the logger also showing attempted connections or just those that get through?
Liam Adams
what tool are you using here
Jaxson Bell
rquestpolicy extension in firefox seems to stop it
those are probably attempted request that are failing, I would hope
uBlock was created by gorhill and then got taken over by a cuck uBlock Origin is gorhill's continuation for automagically blocking ads uMatrix Origin is for blocking things with way more control over what's getting blocked.
Isaiah Lopez
Wouldn't blocking ekansovi also take care of a.ekansovi?
Levi Thomas
/etc/host
Jayden Jackson
*.ekansovi.com would ekansovi.com means only ekansovi.com
Jordan Price
>*.ekansovi.com Would that or something equivalent work in hosts file?
Julian Perry
New Zealand here, string appears more than once new b.u("R3X + gIlePonVjyjmEpHGmTsFPsEYyxBVkstc") new b.u("gIlePonVjyjmEpHGmTsFPsEYyxBVkstc")
Cameron Sullivan
its just Ublock origin logger like I've said already ITT
James Wilson
probably not no
It's always two
Bentley Garcia
Those must be attempted requests. The only thing I know of capable of bypassing hosts file is M$'s telemetry.
Dominic Hall
What about *ekansovi? Would that block everything?
Alexander Rivera
Probably not, no.
Christian Diaz
shit that's neat
William Martinez
ok so it was ublock I was told not to use,
So do I want ublock + umatrix or just umatrix?
Is noscript still safe? is it redundant with umatrix? I noticed that when a site doesnt work noscript is the only thing that I need to fuck with, like its doing a better job than ublock
Asher Peterson
>attempted request that are failing
I sure hope so, I set up the hosts file exactly as it should be and checked and rechecked and yet each new Sup Forums thread I open the ekansovi shit pops up again in the logger, hopefully its just logging the attempt and not an actual connection, I wish the logger distinguished between the two
Alexander Cook
Noscript + uBlock ORIGIN + uMatrix ORIGIN if you want more control.