My Xtream UI Panel Hacked

xtream codes v3= xtream creed
attack on many servers today to enforce us to convert to the new panel
 
Just follow GTA and the details he gives on security and updates.
 
There are a lot more panels to choose from other than streamcreed. Very much doubt they had anything to do with it, with all the bad publicity they are getting for being accused of the hack ...
 
Basically the hack that happened is linked to a previous vulnerability available in older versions of Xtream UI.
People who had a fresh install of Xtream UI 22F have not been hacked.
If you have upgraded from any prior version you have open vulnerabilities on your platform. Nonetheless you must have secured your server regardless.
 
I have cleaned my servers in the following way:

First I removed /bin/bash from /etc/passwd on the xtreamcodes user (/bin/false should be there).

I removed the phpfpm php file, created a new file with the same name and ran chattr +ia on it.

I did the same for start_services and /tmp/ui.php.

Then I removed the admin folder and put the latest version on the box.

For now it looks OK.

I haven't formatted my machines.
 
Unfortunately the vulnerability is in the core of Xtream UI.
I would suggest you make a backup and fully reinstall the Main server and the LBs - I am pretty sure you missed a ton of files.
So far the hacker exploited the following vulnerabilities:
- Italian.php
- xtreamcodes having /bin/bash as a shell
- a newer copy of the bot in /tmp/ui.php
- an entry with xtreamcodes in /etc/sudoers that allows unlimited access
- the start_services.sh modifications
- the botnet being run as fastcgi.php
- xtreamcodes having a password set in /etc/shadow

So yeah, fresh install... no fixing.
 
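The items listed in the post above can be checked read-only with a short script. This is an added example, not code from the thread or from Xtream UI: the function name `check_xtream_host`, the alternate-root argument and the inclusion of `/etc/sudoers.d` are assumptions, and the search root `/home/xtreamcodes` is taken from the nginx config posted later in the thread.

```sh
#!/bin/sh
# Added example: read-only triage for the persistence items named in this thread.
# Usage: sh check.sh /            (live host, run as root to read /etc/shadow)
#        sh check.sh /mnt/image   (mounted copy of a suspect disk)

check_xtream_host() {
    root="${1%/}"; n=0
    flag() { echo "FINDING: $*"; n=$((n + 1)); }

    # xtreamcodes is a service account: its shell should be /bin/false or nologin.
    shell=$(awk -F: '$1 == "xtreamcodes" { print $NF }' "$root/etc/passwd" 2>/dev/null)
    case "$shell" in
        ''|*/false|*/nologin) ;;
        *) flag "xtreamcodes has login shell $shell" ;;
    esac

    # A locked account has '!' or '*' at the start of the shadow hash field.
    if awk -F: '$1 == "xtreamcodes" && $2 !~ /^[!*]/ { hit = 1 } END { exit !hit }' \
        "$root/etc/shadow" 2>/dev/null; then
        flag "xtreamcodes has a usable password in /etc/shadow"
    fi

    # Any sudoers rule for the service account gives it a path to root.
    if grep -rsqE '^[[:space:]]*xtreamcodes[[:space:]]' \
        "$root/etc/sudoers" "$root/etc/sudoers.d"; then
        flag "sudoers contains a rule for xtreamcodes"
    fi

    # Dropped script reported in the thread.
    if [ -e "$root/tmp/ui.php" ]; then flag "/tmp/ui.php exists"; fi

    # File names the thread ties to the compromise; review each hit by hand.
    for f in $(find "$root/home/xtreamcodes" -type f \
        \( -name fastcgi.php -o -name Italian.php \) 2>/dev/null); do
        flag "review ${f#"$root"}"
    done

    [ "$n" -eq 0 ]   # exit status 0 only when nothing was flagged
}

if [ "$#" -gt 0 ]; then check_xtream_host "$1"; fi
```

A clean result covers only the items named in the thread; it does not show that the host is free of other modified files.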
warining.png
 
Anyone translated it yet?
We as G.P.I. claim the attacks on different panels. We managed to hack not only Xtream UI but also other panels. We do this because there is unfairness in the IPTV Business. There are big players who think they rule the world. We ensure that your panels and the panels of your users become unusable. The world has no borders let alone the digital world. We will take you down one by one until this game is played fair again. We are a legion, we do not forgive and we do not forget.
 
EASY WAY TO PROTECT X UI

Buy a domain.
Add it to Cloudflare and turn Cloudflare ON (orange cloud).
Create a DNS record pointing to your main IP, e.g. cmsx123.domain.tld (something only you know).

In your nginx conf:

Code:
server {
        # Cloudflare proxies HTTPS only on ports 443, 2053, 2083, 2087, 2096 and 8443
        listen 8443 ssl;
        ssl_certificate server.crt;
        ssl_certificate_key server.key;
        # SSLv3 and TLSv1.1 are obsolete and must not be offered
        ssl_protocols TLSv1.2;
        index index.php index.html index.htm;
        root /home/xtreamcodes/iptv_xtream_codes/admin/;

        server_name YOURDNS;

        # Reject any request whose Host header is not the private hostname
        if ($host != "YOURDNS") {
            return 404;
        }

        location ~ \.php$ {
            # zone "one" must be declared with limit_req_zone in the http block
            limit_req zone=one burst=8;
            try_files $uri =404;
            fastcgi_index index.php;
            # "php" must be an upstream defined in the http block
            fastcgi_pass php;
            include fastcgi_params;
            fastcgi_buffering on;
            fastcgi_buffers 96 32k;
            fastcgi_buffer_size 32k;
            fastcgi_max_temp_file_size 0;
            fastcgi_keep_conn on;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param SCRIPT_NAME $fastcgi_script_name;
        }
}

Your X UI will only open (work) if they know the DNS name you used.
You can also add some rules to Cloudflare to increase your protection.

It does not solve all the problems but will help.
 
So much talk and no one said anything that could solve the problem for good.
Don't use default ports. That's the first thing with security.
The SSH default port is 22. Change it to a random 4- or 5-digit one.
They can find it with a scanner but it will make things harder.
Change the default panel ports.
Commonly used ports are easy to find and use to attack.
To make things harder, block SSH for the server. Make it usable only on a VPN session. Or only to your IP. Block everything else on the SSH port to your IP. That's it. These are the "fixes" that I recommend.
 

No one said how the attacker put files inside the server,
and also some guys who have servers in a private network also got hacked.
 
The attacker uploads files through the xtreamcodes user.
Private network isn't a closed network.
 