Alright so do we have any updates regarding the botnet Hiro is running yet?

is there a guide yet on how to remove the threat?

why is my gpu idling so high?

Yes, I am a brainlet, I just saw a thread on Sup Forums and got scared

>is there a guide yet on how to remove the threat?
1. get a new mobo
2. get new hard drives
3. trash your infected hardware
4. install linux
5. build faraday cage
6. get handgun for protection

YUR MACK FUN OLF HILO

I CHOPPEE YOUL PEE PEE

>why is my gpu idling so high?
The fuck, I just noticed the same.
The temps are randomly going up/down.

>doesn't buy a pass
>complains when the admin mines a little XMR to keep the lights on
So tired of you entitled shitskins

fuck the chinese, i'm moving to a better chan

I'm pretty stable GPU-wise but my CPU jumps around a bit..

If that's the case he should do it like Wikipedia does it..

if i got a handgun i would remove the threat (myself)

Mine looks like this. Is it mining bitcoins?

Just move on to better chans and only phonepost until Hiroshima Nagasaki stops being a fucking gook. Only a weeb would be retarded enough to let someone sell his data to octoriceniggers.

Wintoddlers begone.

I recognize this pattern, these are dogecoins

My TA reveals an ascending wedge, classic pump and dump

I'd just like to interject for a moment. What you're referring to as Linux, is in fact, GNU/Linux, or as I've recently taken to calling it, GNU plus Linux. Linux is not an operating system unto itself, but rather another free component of a fully functioning GNU system made useful by the GNU corelibs, shell utilities and vital system components comprising a full OS as defined by POSIX.

Many computer users run a modified version of the GNU system every day, without realizing it. Through a peculiar turn of events, the version of GNU which is widely used today is often called "Linux", and many of its users are not aware that it is basically the GNU system, developed by the GNU Project.

There really is a Linux, and these people are using it, but it is just a part of the system they use. Linux is the kernel: the program in the system that allocates the machine's resources to the other programs that you run. The kernel is an essential part of an operating system, but useless by itself; it can only function in the context of a complete operating system. Linux is normally used in combination with the GNU operating system: the whole system is basically GNU with Linux added, or GNU/Linux. All the so-called "Linux" distributions are really distributions of GNU/Linux.

No one will get to the bottom of anything here, you’re only going to hear from angry Linux manchildren. Maybe one day Hiroshima will ban all Linux clients, nearly all the degenerate trannies *and* Sup Forums-yards swear by it.

Shitposting and FUD aside, is blocking the 3 domains and updating uBlock Origin good enough?

Updating the filters I should have said.

No one knows what kind of payload the scripts executed; it could be anything from anti-adblock, to a RAT with a bitcoin miner, all the way to ransomware, so no one can say if that's enough or not.
Now is the time to wait for something bad to happen; it's too late now.

>phoneposters will still be waddling around
Tragic

what's wrong with android?

sage

ublock sometimes shows a ytimg.net or something close to that that's getting through. not getting it now, but had it on some other threads and boards
is that something that should be filtered or what? anyone else know what I'm talking about?

That's youtube.

>what is google

Did hiro or anyone else post a statement, yet? What's the purpose of these scripts?

I thought the scripts were just anti-Adblock.

there was no malware
javascript cannot download and execute anything on your windows gaming machine without leveraging a fuckhuge exploit that would be making major news
the """proof""" of ransomware was literally just some random faggot claiming it happened because of the CSS killer script with nothing else supporting his claims

fucking tech illiterates should be banned

>ytimg
>yt img
it all makes sense now

Has somebody attempted to remove every GNU utility?
I can't wait to move there as my new base of operations and make this meme die.

BSD

I’m guessing I’m fine if running Linux?

no it's worse

Yeah, I wanted to keep the linux kernel but you are right
>Stallman be like GPL so GNU
Oh, fuck. I'd invent a GPL-like license and visit everyone who has ever written a line of code of the kernel and convert it all into the new license
Do you guys think that Stallman will have a meltdown or he will try to compile HURD?

citation needed

Linux is just a kernel. Are you running GNU or Android?

epic xD

Well, it's easy to block

As far as what it does, the code itself looks like a crypto miner that targets the GPU. An in-line script hosted on Sup Forums calls in the 3rd party domains (amgload.net, smcheck.org and piguiqproxy.com), which in turn load multiple subdomains which also run scripts.

The domains are all hosted on an IP range of what appears to be a Ukrainian shell corporation named ID Strategy LLC. ID Strategy LLC owns the IP range 185.187.80.0 - 185.187.83.255. The abuse contact email for that IP range is a @unk.net address, which is a free email address and likely bogus.

One of the subdomains that is called from the scripts (zx6s.smcheck.org) appears to keep changing if you refresh it in a browser. Likely updating which part of the crypto hash pool is being worked on and telling the workers where to pass the results (pic related). By workers I mean anyone who doesn't block these scripts. I could probably verify this in a sandbox and see GPU use spikes but I'm too lazy.

tl;dr Mook is a pretty shady dude but in the end, normies deserve it

It's an exploit designed to connect all your Sup Forums posts with your actual identity if you use the same browser to login to any account with your real name on another website.

This database may be posted to wikileaks.

Can't a site only make you mine bitcoins if you have the site open in tab?

So I'm running the Sup Forums block fix script, latest 4chanX version, have filtered the 3 domains in uBlock and uMatrix and I'm still seeing them. Also it takes like 10 refreshes every time I open any Sup Forums page, what am I doing wrong?

I use clover so I don't get ads.

Yes, so long as it's just scripts running on the site you're visiting. The same method is used to exploit browsers and install stealth malware though and since the code is obfuscated, that possibility can't be ruled out entirely

0.0.0.0 n0-r98d2.amgload.net
0.0.0.0 n1-r98d2.amgload.net
0.0.0.0 n2-r98d2.amgload.net
0.0.0.0 n3-r98d2.amgload.net
0.0.0.0 n4-r98d2.amgload.net
0.0.0.0 kz1d.piguiqproxy.com
0.0.0.0 kz1c.piguiqproxy.com
0.0.0.0 kz6d.piguiqproxy.com
0.0.0.0 kz6c.piguiqproxy.com
0.0.0.0 kz9c.piguiqproxy.com
0.0.0.0 kz9d.piguiqproxy.com
0.0.0.0 n0-r99d2.piguiqproxy.com
0.0.0.0 n3-r99d2.piguiqproxy.com
0.0.0.0 n6-r99d2.piguiqproxy.com
0.0.0.0 n7-r99d2.piguiqproxy.com
0.0.0.0 xk1n.amgload.net
0.0.0.0 xk6n.amgload.net
0.0.0.0 xk9n.amgload.net
0.0.0.0 xk9o.amgload.net
0.0.0.0 xk1o.amgload.net
0.0.0.0 xk2o.amgload.net
0.0.0.0 xk3o.amgload.net
0.0.0.0 xk6o.amgload.net
0.0.0.0 zx6s.smcheck.org
0.0.0.0 zx1s.smcheck.org
0.0.0.0 utraffic.engine.adglare.net
0.0.0.0 n2-r99d2.piguiqproxy.com
just to be safe: 0.0.0.0 *.piguiqproxy.com
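An added example, not code posted by anyone in this thread: the hosts list above blocks exact names only, and the loader is already rotating through n0- to n4-r98d2, xk1n to xk6o and so on, so a practitioner would want the list normalised and checked before relying on it. The Node.js script below parses a pasted hosts-file blocklist, flags lines a hosts file cannot honour (the wildcard line, duplicates, malformed names, non-sinkhole addresses) and emits uBlock Origin `||domain^` rules that cover every subdomain. The input it runs on is a constructed excerpt of the list above, not the full list, and the "last two labels" rule for the registrable domain is an assumption that holds for .net/.com/.org but not for public suffixes such as co.uk.

```javascript
// Added example for this thread (not code posted by anyone in it): normalise a
// pasted hosts-file blocklist, flag entries a hosts file cannot honour, and emit
// uBlock Origin rules that cover whole domains so rotating subdomains do not
// slip past an exact-name list. SAMPLE_LIST below is a CONSTRUCTED excerpt.

// RFC 1123-style hostname: dotted labels of letters/digits/hyphens, alphabetic TLD.
const HOSTNAME_RE = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;
const IPV4_RE = /^\d{1,3}(?:\.\d{1,3}){3}$/;
const SINKHOLES = new Set(['0.0.0.0', '127.0.0.1']);

// Parse "<address> <hostname>..." lines. Returns the usable hostnames plus a list
// of problems (wildcards, malformed names, duplicates, non-sinkhole addresses).
function parseHostsBlocklist(text) {
  const entries = [];
  const problems = [];
  const seen = new Set();
  text.split(/\r?\n/).forEach((raw, i) => {
    const line = raw.replace(/#.*$/, '').trim();          // drop comments and padding
    if (!line) return;
    const parts = line.split(/\s+/);
    // Tolerate a prose prefix such as "just to be safe:" before the address.
    const addrIdx = parts.findIndex(p => IPV4_RE.test(p));
    if (addrIdx === -1) {
      problems.push({ line: i + 1, text: raw, reason: 'no IPv4 address on line' });
      return;
    }
    if (!SINKHOLES.has(parts[addrIdx])) {
      problems.push({ line: i + 1, text: raw, reason: 'address is not a sinkhole (0.0.0.0 or 127.0.0.1)' });
    }
    for (const host of parts.slice(addrIdx + 1).map(h => h.toLowerCase())) {
      let reason = null;
      if (host.includes('*')) reason = 'wildcard: hosts files match exact names only, this line blocks nothing';
      else if (!HOSTNAME_RE.test(host)) reason = 'malformed hostname';
      else if (seen.has(host)) reason = 'duplicate';
      if (reason) { problems.push({ line: i + 1, text: raw, reason }); continue; }
      seen.add(host);
      entries.push(host);
    }
  });
  return { entries, problems };
}

// Registrable domain by a naive "last two labels" rule. Assumption: correct for
// .net/.com/.org as here; wrong for public suffixes like co.uk, where the
// Public Suffix List is needed instead.
function registrableDomain(host) {
  return host.split('.').slice(-2).join('.');
}

// One "||domain^" rule per registrable domain: matches the domain and every subdomain.
function toUboRules(hosts) {
  return [...new Set(hosts.map(registrableDomain))].sort().map(d => `||${d}^`);
}

// CONSTRUCTED excerpt of the posted list, plus a repeated line and the wildcard line.
const SAMPLE_LIST = `0.0.0.0 n0-r98d2.amgload.net
0.0.0.0 n1-r98d2.amgload.net
0.0.0.0 kz1d.piguiqproxy.com
0.0.0.0 zx6s.smcheck.org
0.0.0.0 utraffic.engine.adglare.net
0.0.0.0 n0-r98d2.amgload.net
just to be safe: 0.0.0.0 *.piguiqproxy.com
`;

if (typeof require !== 'undefined' && require.main === module) {
  const { entries, problems } = parseHostsBlocklist(SAMPLE_LIST);
  console.log(`${entries.length} usable entries, ${problems.length} problems`);
  for (const p of problems) console.log(`line ${p.line}: ${p.reason}: ${p.text.trim()}`);
  console.log(toUboRules(entries).join('\n'));
}
```

Two things worth noticing in the output: the `*.piguiqproxy.com` line is reported as blocking nothing, because neither the Windows nor the Unix hosts file supports wildcards, and collapsing utraffic.engine.adglare.net to `||adglare.net^` blocks AdGlare entirely, which a later post in this thread identifies as one of the site's actual ad providers. Review the generated rules rather than applying them blindly.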

No ads here on Safari

Simply epic.

This is just since this morning btw.

so, just came back to work to hear about this bullshit?
so I got the source of the initial problem, but the CSS has been unfucked during the day, so what has been done?

not sure why you guys are having issues, but I use uBlock Origin and the site works fine; those botnets are completely blocked in my browser.

That's a really good point. Fits with the name of the company here, and the unique key assigned in that pic might be based on the unique fingerprint of the device. I wouldn't be surprised if it tries to read the Windows UUID to aid in doing this.

Either way it's really, really shady and far beyond just serving ads. Considerable time went into developing it and hiding its true purpose.

No issues here, I'm just curious what it actually does.

Legacy captcha. Join the calle side

Reposting this

Just type niggerniggernigger in every field.

dont you get banned from cloudflare for cryptominers?

Some user browsed the 3 websites in a VM, after a while he rebooted and got ransomware'd

what does Ukraine have to do with the botnet?
you putinshill right wing lunatics need mental help.

You can't do that to make threads. I would have made a thread about it, but yeah.

learn to read, syka

hey stupid, the domains embedded resolve to Ukrainian IP addresses
tcpiputils.com/browse/domain/piguiqproxy.com
robtex.com/dns-lookup/xk1n.amgload.net

this is why people hate your shitty country lmao. enjoy your annexation

Source? I want to see the post

Why is it always filthy eastern euros? Hitler was right, they need to disappear

This.

sameshit

they're poor and this is easy, in demand money.

honestly they wouldn't do it if there were no brainlets who click on this shit

there is none, this is all Sup Forums tier conspiracy nutjobs
must've accidentally hit F12 and now think they're hackers

What?
What's this about it? I just want to make sure I don't have to install puppy Linux

Let me try and find it in the archives

rbt.asia/g/thread/63905366/#63905366
found it

I don't see amgload

What are you guys talking about

>An in-line script hosted on Sup Forums calls in the 3rd party domains
is this it? looks much longer than what others have posted, are there multiple.

I hate this shit as much as anyone else, but how are you falling for this shit so hard.

...

>tip submitted

Hiro Watch: He is still silent on twitter and the mods continue to not bother reaching out to him. Most likely they want the site to implode so they can seize control

> you can only spin a server in Ukraine if you are Ukrainian

Still don't have 100% proof he's running some kind of bitcoin miner or whatever. If we can get that confirmed we can get him reported. moot needs to be reached out to also so he knows what that gook is doing

Friendly reminder that the only real fix is to disable inline scripts and install Sup Forums X.

can't be worse than hiroshimoot.

>FirefoxCP Web Content

We're not saying Russia hacked Sup Forums retard, we're saying that the server is hosted in Ukraine.

As far as hosting goes, Eastern Europe is a fucking hotbed if you want to host servers related to malware/crime.

>and install 4chanX
nope

So how do I block them without fucking the css?

>allowing RapeApe, ABIB, ALTERNATIVE, BEAM and yournamehere full control

Yeah that's part of it. I'm sure some autist somewhere is trying to figure out exactly what it does, I can't be the only one digging into it.

they already do have full control. RapeApe especially.

Ok so can we confirm what Hiro is doing is illegal? If we can then we get him reported and possibly arrested

Can you even read?
Jesus you fucking putinshills should spend some of your rubles on english classes.

That's why we need Hiro to give the site to someone else who will fire all the mods and replace them. God I wish Notch would grow a pair and buy out Hiro

||Sup Forums.org^$csp=connect-src https: http:
! rbt.asia/g/thread/63902030/
Sup Forums.org##script:inject(abort-current-inline-script.js, String.fromCharCode, /[0-9a-f]{40}..$/)

and

amgload.net/*
piguiqproxy.com/*
smcheck.org/*

in uBlock did the trick for me (amgload is blocked and the rest isn't even popping up anymore)
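An added example, not the inline script from the site and not uBlock Origin's own code: the second rule above, abort-current-inline-script with String.fromCharCode as the property and /[0-9a-f]{40}..$/ as the needle, selects its target by two traits, the script touches String.fromCharCode and its text ends in a 40-hex-digit token followed by two characters. That is exactly the shape the earlier post describes, an inline script that calls in the third-party domains, so the same heuristic is useful offline when triaging a saved copy of a page. The Node.js script below applies it to every inline script body, statically decodes String.fromCharCode(...) calls with literal arguments to recover hidden hostnames, and reports which hosts the three posted domain filters would block. The HTML it scans is constructed to have that shape and is not the real script; that uBO tests the needle against the script text with trailing whitespace removed is my assumption.

```javascript
// Added example for this thread (not the site's inline script, not uBO code):
// triage inline <script> bodies the way the posted rule
//   ##script:inject(abort-current-inline-script.js, String.fromCharCode, /[0-9a-f]{40}..$/)
// selects its target, decode String.fromCharCode(...) calls with literal
// arguments, and report which hosts the three posted domain filters would block.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const KEY_RE = /[0-9a-f]{40}..$/;                            // the needle from the uBO rule
const FROMCHARCODE_RE = /String\.fromCharCode\(\s*([0-9,\s]+)\)/g;
const STRING_LITERAL_RE = /(["'])((?:\\.|(?!\1)[^\\\n])*)\1/g;
const HOST_RE = /^(?:[a-z0-9-]+\.)+[a-z]{2,}$/;

// Domains from the posted filters "amgload.net/*", "piguiqproxy.com/*", "smcheck.org/*".
const BLOCKED_DOMAINS = ['amgload.net', 'piguiqproxy.com', 'smcheck.org'];

// Bodies of inline scripts; <script src=...> tags have empty bodies and are skipped.
function inlineScripts(html) {
  return [...html.matchAll(SCRIPT_RE)].map(m => m[1]).filter(body => body.trim() !== '');
}

// Mirror the abort rule: the script touches String.fromCharCode AND its text ends
// in a 40-hex-digit token followed by exactly two characters. Assumption: the
// needle is applied to the script text with trailing whitespace removed.
function matchesAbortRule(script) {
  return script.includes('String.fromCharCode') && KEY_RE.test(script.trim());
}

// Decode String.fromCharCode(120,107,...) calls whose arguments are all numeric literals.
function decodeCharCodes(script) {
  return [...script.matchAll(FROMCHARCODE_RE)].map(m =>
    String.fromCharCode(...m[1].split(',').map(s => Number(s.trim())).filter(Number.isFinite)));
}

// Reduce a string or URL to a hostname, or null when it is not one.
function hostFromString(s) {
  const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').replace(/[\/?#:].*$/, '').toLowerCase();
  return HOST_RE.test(host) ? host : null;
}

function isBlocked(host) {
  return BLOCKED_DOMAINS.some(d => host === d || host.endsWith('.' + d));
}

// Hostnames found in the script's quoted strings and its decoded char-code strings.
// Static only: a loader that assembles the host from several fragments evades this.
function referencedHosts(script) {
  const literals = [...script.matchAll(STRING_LITERAL_RE)].map(m => m[2]);
  const hosts = [...literals, ...decodeCharCodes(script)].map(hostFromString).filter(Boolean);
  return [...new Set(hosts)].map(host => ({ host, blocked: isBlocked(host) }));
}

function triage(html) {
  return inlineScripts(html).map((script, index) => ({
    index,
    flagged: matchesAbortRule(script),
    hosts: referencedHosts(script),
  }));
}

// CONSTRUCTED sample page: an external script tag, a benign inline config script,
// and a loader shaped like the pattern the rule targets (host hidden in char
// codes, a 40-hex token as the last thing in the script text).
const SAMPLE_HTML = `
<script src="/js/extension.js"></script>
<script>var cfg = {board: "g", lang: "en"};</script>
<script>(function(k){var h=String.fromCharCode(120,107,49,110,46,97,109,103,108,111,97,100,46,110,101,116);
var s=document.createElement('script');s.src='https://'+h+'/l.js?k='+k;document.head.appendChild(s);
})('0123456789abcdef0123456789abcdef01234567')</script>
`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of triage(SAMPLE_HTML)) {
    console.log(`inline script #${r.index}: flagged=${r.flagged}`, r.hosts);
  }
}
```

On the first posted rule, `$csp=connect-src https: http:` injects a Content Security Policy that only allows connections to http: and https: URLs; under CSP scheme matching that also refuses ws: and wss: WebSocket connections, which is the transport in-browser miners normally use to reach a pool proxy. That is my reading of the rule; the thread does not state its intent. The char-code decoder here only handles literal arguments, so a loader that computes its codes at runtime would still have to be run in a sandbox to recover the hosts.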

Yeah, well you can just forfeit every feature in the website if you so desire. Not sure Sup Forums even lets you post without scripts nowadays.

Still need an answer: Is this botnet Hiro is running illegal? If so he can be reported to the California authorities

Alpine. You are welcome.

no one knows what he's doing.

I don't think hiro himself even knows what he's doing.

I am using nothing but uBlock and a custom CSS.
For over 13 years now.

You're missing the point.
piguiqproxy.com and amgload.net are on the same small Ukrainian netblock as AddCPM, a Ukrainian company based in Kiev that specializes in adblock defeating:

addcpm.com/en

It is a fact that the servers for piguiqproxy.com and amgload.net are in Ukraine.
If the code was hacked into Sup Forums, it's hard to see it staying for more than 48 hours after the mods were told.

The virus scan results on the argon.js file are bogus because it's being run through wscript.exe (which doesn't represent anything at all) and it's generic detection on how fucking obfuscated the code is.

The final pieces of JS loaded from the Ukrainian domains reference Adglare and MGID, two ad providers Sup Forums uses.

There is zero evidence that there is a virus/ransomware/cryptocurrency. It's just an adblock defeat scheme.

tl;dr Just because we say that the servers are in Ukraine doesn't mean that everyone believes the owners of those servers are Ukrainian/Russian as an absolute fact. HOWEVER, the fact that AddCPM is just a couple of IPs down the door in a very small netblock AND the fact that AddCPM sells a product to do exactly what's happening on Sup Forums (defeat adblockers) AND the fact that AddCPM is based in Kiev, Ukraine (address listed on site) makes it likely that the servers are owned/operated by Ukrainians too.

use the fucking CODE box you nigger

Thanks mane
these worked

Interestingly, the JSON response from *.piguiqproxy.com contains code which strongly points to being ads-related, including a CSS selector to the ".adg-rects" area (the advertisement area at the bottom of the board) and code (loaded from the mgid.com domain, which belongs to MGID Inc. as registered by Oleg Shkot) to be run in hidden iframes. MGID was also in the news for providing anti-adblocker technology:
marketwired.com/press-release/mgid-launches-proprietary-anti-ad-blocking-technology-2134432.htm

This is all certainly an anti-adblock measure to ensure ads from the two other providers (content.ad and AdGlare) are shown.

He knows. He did the exact same thing on 2ch. His silence right now is damning. He knows we busted him

So the gook is doing this on purpose to net more money for himself?