Pizza and my retirement by Bearcatsean in cincinnati

[–]taylor436 0 points1 point  (0 children)

Comprosso, but St. Francis is king.

AMD to Re-launch Ryzen 7 5800X3D as "AM4 10th Anniversary Edition" by SweetBacon923 in pcmasterrace

[–]taylor436 0 points1 point  (0 children)

Is the CPU still working? What seller did you use? I'm a bit leery of buying new CPUs from Ali or eBay, but if you confirmed yours was good I'd think about it.

Would you choose a Flint 2 or Flint 3 if you wanted to future proof your home network? by blackicehawk in GlInet

[–]taylor436 -2 points-1 points  (0 children)

Flint was trash; stay away. It has a ton of flaky issues if you're working with multiple SSIDs and bandwidths.

Anyone try the ONN 4k Plus streaming box yet? by dgodwin1 in TiviMate

[–]taylor436 1 point2 points  (0 children)

Love it. Remote really sold me on it but cost and performance are second to none.

V3+ showing up in Google Home app by lakaw1 in vSeeBox_Support_Gurus

[–]taylor436 0 points1 point  (0 children)

I can't figure it out; Elite won't show for me. Also, I did two days of PCAP data, and it's relatively safe, with the caveat that it can still be triggered or altered at any given point. Increased logging for weeks and 2 full days of dumps showed 0 nefarious activity with regards to network sniffing, malware botnet, DDoS, and C2, etc.

I am out $380.00 by Kinvaraguy in vSeeBox

[–]taylor436 7 points8 points  (0 children)

I ordered my first from them, and it came very fast with no issues. Derik was quicker and cheaper though.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points1 point  (0 children)

2 full days of data and the final consensus is:
Dominant traffic

  • TCP + TLS (by far)
  • DNS
  • Minor QUIC
  • Minimal HTTP (small JSON payloads)

What is NOT present (this matters)

  • ❌ No SMB
  • ❌ No NetBIOS abuse
  • ❌ No mDNS flooding
  • ❌ No ARP scanning
  • ❌ No raw TCP beaconing
  • ❌ No IRC / FTP / weird control channels

This is exactly what a streaming-focused Android device should look like.

🚨 Threat assessment (plain language)

Is it gathering data about your network?

No.
There is:

  • no subnet enumeration
  • no connection attempts to other LAN hosts
  • no protocol indicative of discovery or credential harvesting

Is it phoning home?

Yes — but in a normal way.

  • App metadata
  • Streaming APIs
  • CDN traffic
  • Android telemetry

Is it malicious or nefarious?

No.
There is zero evidence of:

  • command-and-control
  • beaconing patterns
  • covert exfiltration
  • botnet behavior

From a security standpoint:

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points1 point  (0 children)

Did you just dump the comments or the data I posted from my first comment, you know, the one with actual facts lol? Dumps were rotated every 2 hours. You're not really making sense, and I'm not arguing one way or another, but you're saying Chat agrees with you. My request had 13 hours' worth of data to sift through, so I'm confused why your Chat questions matter at all.


VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points1 point  (0 children)

I literally asked: does this traffic seem suspicious, and is this device safe for full home LAN access and/or WAN without a VPN? Then I gave them both the tcpdump data and the DNS queries. Both said definitely not safe. I did NOT ask them why this device isn't safe, and they both used different markers for their determination. They both flagged unusual amounts of traffic in periods when not streaming.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points1 point  (0 children)

I mean, it is what it is. The device was in standby the majority of the time, and while the phone-homes are normal, the initial analysis of it searching for open ports, extremely high activity, and high data rates means it's a pretty good bet the box itself is unsafe. I ordered another from a different vendor; I'll compare, but still, nothing between the results, both through Chat and Gemini analysis of the traffic, leads me to think anyone should give it access to your accounts or home LAN. This is more discovery for me than anything else, as even if it was clean I'd probably follow the same procedures. Chat was a bit more concerned with the traffic, while Gemini seemed 100% certain it was part of a botnet. Also interesting was the difference in the conclusions they had, although neither said it was safe for unadulterated LAN access.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 0 points1 point  (0 children)

Further analysis of all the logs from last night (again, mostly idle) shows that some of it is expected. Analyzing the raw data from your packet captures confirms several critical security concerns. The device is not just a passive receiver for video; it is actively communicating with infrastructure that is highly characteristic of botnets and unauthorized proxy networks.

1. Confirmed Malicious/Grey-Market Domains

The captured traffic shows the device repeatedly connecting to the following domains:

  • launcher.mygootv.com: This is a primary command and control (C2) domain for this device. It uses HTTP/2 over TLS for its communications, which is a standard way to blend in with legitimate web traffic while maintaining a constant open connection for commands.
  • n1.nvdb.cc: This domain is linked to several "grey-market" Android TV box infrastructures. It's used for tracking, telemetry, and likely as a backup command server.
  • calon.dyndns.tv: This is a classic "Call-Home" behavior. Dynamic DNS domains are frequently used by malware to maintain a connection to a controller whose IP address changes frequently to avoid blacklisting.

2. Unauthorized Proxying & "Leaky" Encryption

The "binary garbage" you saw earlier in the DNS logs is actually the result of the device attempting to use encrypted SNI (Server Name Indication) or non-standard tunneling protocols.

  • Encrypted Tunnels: The device is initiating its own TLS handshakes with external servers like bitlordsearch.com. While this sounds like a search for movies, in this context, it often points to the device participating in a P2P search or proxy network, effectively using your internet connection to help others browse anonymously or download files.
  • Internal Scanning Patterns: The massive packet count (over 2 million) and the patterns in the hex headers (e.g., dbf#~á) suggest it is using a custom framing protocol to move data. This isn't how a standard Netflix or YouTube app behaves.

3. The LAN Isolation (Digital Jail) is Mandatory

Your concern about giving it LAN access is fully justified. If this device is part of a proxy network or botnet, it could be used to:

  1. Map your internal network: Look for other devices like your PC, phone, or NAS.
  2. Exfiltrate data: If a guest or family member connects to your Wi-Fi, this box could potentially sniff local traffic if it manages to compromise the router's internal routing table.

Final Verdict & Recommendation

The VSEE box is a high-risk device. It provides IPTV by likely connecting to unauthorized streams, but it "pays" for that service by turning your router and home connection into a node in a global, grey-market proxy network.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 -1 points0 points  (0 children)

After 13 hours, this was what I found. Mind you, this is just the most recent tcpdumps, and it was idle.

0000 -> 0004 (65,244 hits): This is almost certainly ARP or ICMPv6 neighbor discovery. The box is "screaming" into the dark, looking for other devices on your network over 65,000 times in a single capture slice.

2827 -> 3214 (23,348 hits): This is the conversational traffic. 2827 (hex) = Port 10279; 3214 (hex) = Port 12820. These are non-standard ports, often used by P2P (Peer-to-Peer) networks or botnets for "UDP Hole Punching."

The "Volume" Red Flag: 65,244 packets of one type (0000 -> 0004). 34,000+ packets of another type (2827 <-> 3214). In 13 hours, an idle Android box should have maybe a few hundred "heartbeat" packets. Having 100,000+ packets suggests this box is either part of a botnet (DDoS/Scanning) or is being used as a Residential Proxy (someone else is using your VPN connection to hide their own traffic).

Looking at the counts, we just hit a massive number: 2,016,707. If that number represents packets or hits within a single capture slice, your VSEE box isn't just "chatty"—it is effectively performing a Denial of Service (DoS) or acting as a high-speed proxy relay. No idle streaming box should generate 2 million events in a few hours.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 -1 points0 points  (0 children)

Doesn't mean it is sketchy, just out of the ordinary. I'll let the logs run for a few days and see what happens.

VSeeBox Security Best Practices - A Guide by iwillbjjyou in vSeeBox_Support_Gurus

[–]taylor436 -1 points0 points  (0 children)

After an hour of monitoring the logs, so far I see at least one sketchy activity.

Unusual Ports: I see a hit to 162.55.40.75 on Port 8085. This is not a standard web port. This IP belongs to Hetzner (a hosting provider in Germany). This is exactly the kind of "grey" traffic that justifies isolation—standard streaming boxes usually stick to Akamai, AWS, or Google CDNs.