# LowEndTalk Monitoring Network.



## Munzy (Jul 25, 2016)

I have been recently looking over the http code for Lowendtalk.com... and let me just say it is monitoring central. I think this is being done to find alt accounts / previously shady individuals. In any case, not all of us want to be monitored up the ass... so /etc/hosts time!


```
############
# My Config
############

127.0.0.1 piwik.lowend.io
127.0.0.1 tag.perfectaudience.com
127.0.0.1 intljs.rmtag.com
127.0.0.1 pixel-geo.prfct.co
127.0.0.1 secure.adnxs.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 s3.buysellads.com
127.0.0.1 www.google-analytics.com
```




I should note that Vanilla still does a good job of monitoring, so if you come back via the same IP... they will find you.


----------



## DomainBop (Jul 25, 2016)

> let me just say it is monitoring central.



The sites are monitoring central and there are absolutely no privacy policies on the sites despite the fact that the sites are commercial sites and Velocity Servers Inc is using six 3rd party ad networks/analytics sites to monitor user activity, and it is also allowing a 3rd party contractor to monitor activity on both LowEndTalk and LowEndBox via the contractor's personal website (lowend.io), and it is allowing the hosting company ServerMania to ad stalk LowEndBox users via AdRoll.


- piwik.lowend.io = web analytics site operated by 3rd party non-employee contractor of Velocity Servers Inc
- tag.perfectaudience.com = ad retargeting company PerfectAudience
- intljs.rmtag.com = ad retargeting company MediaForge
- pixel-geo.prfct.co = ad retargeting company PerfectAudience
- secure.adnxs.com = marketing service company AppNexus
- ssl.google-analytics.com = web analytics service operated by sleazy unethical company whose business plan is based on harvesting personal info
- s3.buysellads.com = banner advertising service
- www.google-analytics.com = web analytics service operated by sleazy unethical company whose business plan is based on harvesting personal info


It should also be pointed out again that LowEndBox is still allowing a hosting company, ServerMania Inc (a sleazy company that used a stolen database to spam databreach victims), to monitor LowEndBox users by including ServerMania's AdRoll ad retargeting code (account QJSDIDC4UFEMBMV27GEVT4) on every LowEndBox.com page which is a violation of AdRoll's terms of service (see this thread: 





============


On another note, besides being monitoring central, the sites are also vulnerability central and the owner's failure to apply timely security updates to the sites is one reason I would never use any hosting service operated by ColoCrossing.  


*LowEndBox WordPress 4.4.2 : 10 vulnerabilities*


Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.


Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via the query string.


The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.


Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.


Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.


WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.


The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.


WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.


WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.


WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.


*LowEndTalk Vanilla 2.1.12p3: 5 vulnerabilities*


3 newly discovered XSS vectors;


an Insecure Direct Object Reference that allows unauthorized comment editing;


Potential CSRF vectors, including one that could allow account hijacking;


SQL injection vector; PDO option SQL injection risk;


insecure password reset token lengths and expiration times


----------



## wlanboy (Jul 30, 2016)

Thank you for the domain list.


They added: s.adroll.com


----------



## River (Jul 31, 2016)

I noticed this with WebHostingTalk. I don't know what their deal is, but they banned me for no reason, then I came back and made an alt with a different IP, different browser, cleared all the cookies and stuff from the site and they still caught me as an alt.


I'd be interested to hear how they did it.


----------



## Munzy (Aug 2, 2016)

River said:


> I noticed this with WebHostingTalk. I don't know what their deal is, but they banned me for no reason, then I came back and made an alt with a different IP, different browser, cleared all the cookies and stuff from the site and they still caught me as an alt.
> 
> 
> I'd be interested to hear how they did it.



Either how you posted or set up your account was a tip-off, or two, you used a common entrance point that they saw via analytics.


----------



## k0nsl (Aug 2, 2016)

Thank you @Munzy and @wlanboy. I've added these to my unbound blocklist: https://github.com/k0nsl/unbound-blocklist

If anyone can think of other junk sites to add for the blocklist, go ahead and submit a PR.


----------



## HN-Matt (Aug 2, 2016)

Amazingly long list, but why not just /etc/hosts it up? Slower?


----------



## k0nsl (Aug 3, 2016)

Yes, I am guessing it's faster to apply it at DNS level. I haven't compared.



HN-Matt said:


> Amazingly long list, but why not just /etc/hosts it up? Slower?


----------
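On the /etc/hosts versus resolver-level question raised above, this added example (not code from any poster or from the linked repository) converts the hosts entries posted in this thread into unbound `local-zone` directives. A hosts line only matches the exact name listed, while an unbound `redirect` zone also answers for every subdomain of that name. The function names and the choice of `redirect` with a 127.0.0.1 sink are assumptions made for illustration.

```python
import re

# Constructed sample input: the hosts entries posted in this thread, the domain
# added in a later reply, plus a duplicate and a malformed line for testing.
HOSTS_TEXT = """\
# My Config
127.0.0.1 piwik.lowend.io
127.0.0.1 tag.perfectaudience.com
127.0.0.1 intljs.rmtag.com
127.0.0.1 pixel-geo.prfct.co
127.0.0.1 secure.adnxs.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 s3.buysellads.com
127.0.0.1 www.google-analytics.com
127.0.0.1 s.adroll.com
127.0.0.1 S.ADROLL.COM   # duplicate, different case
127.0.0.1 bad_host!name
"""

# One DNS label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
SINK_ADDRS = {"127.0.0.1", "0.0.0.0"}

def parse_hosts(text):
    """Return unique, valid hostnames that are sinkholed in hosts-format text."""
    names = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, then tokenize
        if len(fields) < 2 or fields[0] not in SINK_ADDRS:
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            labels = name.split(".")
            valid = len(name) <= 253 and len(labels) >= 2 and all(LABEL.match(l) for l in labels)
            if valid and name not in names:
                names.append(name)
    return names

def to_unbound(names, sink="127.0.0.1"):
    """Emit unbound.conf lines; 'redirect' also answers for every subdomain."""
    out = ["server:"]
    for name in names:
        out.append(f'    local-zone: "{name}." redirect')
        out.append(f'    local-data: "{name}. A {sink}"')
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_unbound(parse_hosts(HOSTS_TEXT)), end="")
```

Neither approach affects the forum software's own server-side logging, which is the limitation the first post notes about Vanilla.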

