LowEndTalk Monitoring Network.

Discussion in 'The Pub (Off topic discussion)' started by Munzy, Jul 25, 2016.

  1. Munzy

    Munzy Active Member

    432
    205
    Aug 13, 2014
    I have been recently looking over the http code for Lowendtalk.com.... and let me just say it is monitoring central. I think this is being done to find alt accounts / previously shady individuals. In any case, not all of us want to be monitored up the ass... so /etc/host time!


    ############
    # My Config
    ############

    127.0.0.1 piwik.lowend.io
    127.0.0.1 tag.perfectaudience.com
    127.0.0.1 intljs.rmtag.com
    127.0.0.1 pixel-geo.prfct.co
    127.0.0.1 secure.adnxs.com
    127.0.0.1 ssl.google-analytics.com
    127.0.0.1 s3.buysellads.com
    127.0.0.1 www.google-analytics.com
    I should note that vanilla still does a good job of monitoring, so if you come back via the same ip... they will find you.
     
    DomainBop likes this.
  2. DomainBop

    DomainBop Dormant VPSB Pathogen

    2,258
    2,187
    Oct 11, 2013
    The sites are monitoring central and there are absolutely no privacy policies on the sites despite the fact that the sites are commercial sites and Velocity Servers Inc is using six 3rd party ad networks/analytics sites to monitor user activity, and it is also allowing a 3rd party contractor to monitor activity on both LowEndTalk and LowEndBox via the contractor's personal website (lowend.io), and it is allowing the hosting company ServerMania to ad stalk LowEndBox users via AdRoll.


    piwik.lowend.io = web analytics site operated by 3rd party non-employee contractor of Velocity Servers Inc
    tag.perfectaudience.com = ad retargeting company PerfectAudience 
    intljs.rmtag.com = ad retargeting company MediaForge
    pixel-geo.prfct.co = ad retargeting company PerfectAudience
    secure.adnxs.com = marketing service company AppNexus
    ssl.google-analytics.com = web analytics service operated by sleazy unethical company whose business plan is based on harvesting personal info
    s3.buysellads.com = banner advertising service
    www.google-analytics.com = web analytics service operated by sleazy unethical company whose business plan is based on harvesting personal info


    It should also be pointed out again that LowEndBox is still allowing a hosting company, ServerMania Inc (a sleazy company that used a stolen database to spam databreach victims), to monitor LowEndBox users by including ServerMania's AdRoll ad retargeting code (account QJSDIDC4UFEMBMV27GEVT4) on every LowEndBox.com page which is a violation of AdRoll's terms of service (see this thread:

    ============


    On another note, besides being monitoring central, the sites are also vulnerability central and the owner's failure to apply timely security updates to the sites is one reason I would never use any hosting service operated by ColoCrossing.  


    LowEndBox WordPress 4.4.2: 10 vulnerabilities


    Cross-site scripting (XSS) vulnerability in plupload.flash.swf in Plupload before 2.1.9, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via a Same-Origin Method Execution (SOME) attack.


    Cross-site scripting (XSS) vulnerability in flash/FlashMediaElement.as in MediaElement.js before 2.21.0, as used in WordPress before 4.5.2, allows remote attackers to inject arbitrary web script or HTML via the query string.


    The customizer in WordPress before 4.5.3 allows remote attackers to bypass intended redirection restrictions via unspecified vectors.


    Cross-site scripting (XSS) vulnerability in the column_title function in wp-admin/includes/class-wp-media-list-table.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5834.


    Cross-site scripting (XSS) vulnerability in the wp_get_attachment_link function in wp-includes/post-template.php in WordPress before 4.5.3 allows remote attackers to inject arbitrary web script or HTML via a crafted attachment name, a different vulnerability than CVE-2016-5833.


    WordPress before 4.5.3 allows remote attackers to obtain sensitive revision-history information by leveraging the ability to read a post, related to wp-admin/includes/ajax-actions.php and wp-admin/revision.php.


    The oEmbed protocol implementation in WordPress before 4.5.3 allows remote attackers to cause a denial of service via unspecified vectors.


    WordPress before 4.5.3 allows remote attackers to bypass intended access restrictions and remove a category attribute from a post via unspecified vectors.


    WordPress before 4.5.3 allows remote attackers to bypass intended password-change restrictions by leveraging knowledge of a cookie.


    WordPress before 4.5.3 allows remote attackers to bypass the sanitize_file_name protection mechanism via unspecified vectors.


    LowEndTalk Vanilla 2.1.12p3: 5 vulnerabilities


    3 newly discovered XSS vectors;


    an Insecure Direct Object Reference that allows unauthorized comment editing;


    Potential CSRF vectors, including one that could allow account hijacking;


    SQL injection vector; PDO option SQL injection risk;


    insecure password reset token lengths and expiration times
     
    Last edited by a moderator: Jul 25, 2016
    MannDude likes this.
  3. wlanboy

    wlanboy Content Contributer

    2,125
    1,169
    May 16, 2013
    Thank you for the domain list.


    They added: s.adroll.com
     
    Last edited by a moderator: Jul 30, 2016
  4. River

    River New Member Verified Provider

    70
    17
    May 3, 2015
    I noticed this with WebHostingTalk. I don't know what their deal is, but they banned me for no reason, then I came back and made an alt with a different IP, different browser, cleared all the cookies and stuff from the site and they still caught me as an alt.


    I'd be interested to hear how they did it.
     
  5. Munzy

    Munzy Active Member

    432
    205
    Aug 13, 2014
    Either how you posted/setup your account was a tip off, or two, you used a common entrance point that they saw via analytics.
     
  6. k0nsl

    k0nsl Bad Goy

    441
    191
    Dec 15, 2013
    Thank you @Munzy and @wlanboy. I've added these to my unbound blocklist: https://github.com/k0nsl/unbound-blocklist

    If anyone can think of other junk sites to add for the blocklist, go ahead and submit a PR.
     
  7. HN-Matt

    HN-Matt New Member Verified Provider

    611
    170
    Dec 19, 2013
    Amazingly long list, but why not just /etc/hosts it up? Slower?
     
  8. k0nsl

    k0nsl Bad Goy

    441
    191
    Dec 15, 2013
    Yes, I am guessing it's faster to apply it at DNS level. I haven't compared.

     
    Last edited by a moderator: Aug 3, 2016
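An added example (not code from any poster or from the k0nsl blocklist repo) that ties the /etc/hosts config in post 1 to the DNS-level approach discussed in posts 6 to 8: it parses a hosts-format blocklist and emits an unbound.conf fragment that sinkholes each name. The sample input is the thread's own domain list plus the s.adroll.com addition; the sink address of 127.0.0.1 is an assumption mirroring the hosts file.

```python
import re
from typing import List

# Sample input: the hosts-format blocklist posted in the thread, plus the s.adroll.com addition.
HOSTS_BLOCKLIST = """\
# My Config
127.0.0.1 piwik.lowend.io
127.0.0.1 tag.perfectaudience.com
127.0.0.1 intljs.rmtag.com
127.0.0.1 pixel-geo.prfct.co
127.0.0.1 secure.adnxs.com
127.0.0.1 ssl.google-analytics.com
127.0.0.1 s3.buysellads.com
127.0.0.1 www.google-analytics.com
127.0.0.1 s.adroll.com
"""

# Conservative hostname syntax: dotted labels of letters, digits and inner hyphens.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})+$")


def parse_hosts_blocklist(text: str) -> List[str]:
    """Hostnames from a hosts(5)-style list, in order, deduplicated; comments and blanks skipped."""
    seen, names = set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()  # address, then one or more hostnames
        if len(fields) < 2:
            raise ValueError(f"malformed hosts line: {raw!r}")
        for name in fields[1:]:  # the address column is ignored; unbound supplies its own
            name = name.lower().rstrip(".")
            if not HOSTNAME_RE.match(name):
                raise ValueError(f"invalid hostname: {name!r}")
            if name not in seen:
                seen.add(name)
                names.append(name)
    return names


def to_unbound_conf(names: List[str], sink: str = "127.0.0.1") -> str:
    """unbound.conf fragment answering each name (and every subdomain) with the sink address."""
    # A 'redirect' local-zone answers the name and everything beneath it from local-data,
    # which is the one thing a plain /etc/hosts entry cannot do for subdomains.
    out = ["server:"]
    for name in names:
        out.append(f'    local-zone: "{name}" redirect')
        out.append(f'    local-data: "{name} A {sink}"')
    return "\n".join(out) + "\n"
```

Write the output to a file under unbound's include directory and run `unbound-checkconf` before reloading; the redirect zone type only needs local-data for the zone apex.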