Fatal Exploits found on Xtream UI

[akawi11]

do not be panic

you did not explain nothing!!!!!!!
maybe he just used all channels in same time,xtreamcodes system will drop his connection on X time depending on buffer size, so you just need to check the connection time on each channel

check "live connections" on xtreamui panel and control time for his user

5000 connections for Same IP : mean he not know what doing, an correct Exploit will be used without exposed high connections on server owner

so as i say before, possible he put all channels on HLS and keep connect diconnect on channels

you need to check everything in your side before you say exploit

 

[urgodfather]

@JoAodeDeUs and @watim11 you two nailed it right on the head. Bravo guys!

 

[score22in]

You can create multiple rules through Cloudflare.
I don't believe it happened that way.
I am not saying that you are lying, but I think it is wrong how you are thinking that this has happened.
I have gone through the code all my countless times, I haven't come across leaks or injection points.

im not the first one to report this kind of attacks the only solution is to use fail2ban and receive notifications by Email because this kind of attack is a Restream overload ! you have to stay h24

@JoAodeDeUs and @watim11 you two nailed it right on the head. Bravo guys!

as an old user of xtream codes none of my users was able to open 500 connections at time from another xtream codes server if i didnt allow him max_connections 500 ... xtreal ui didnt droped his connection flow ... the guy got 500 restream restreamed on 1 hour thats what makes me crazy ????,

 

[mentos87]

If you fixed the Geo previously with the recoding you can find on here you won't have any issues. This is all open source so definitely has some bugs but you will be ok. 22b ea is decent.

22b decent? It's a mess!

 

[Uundastan]

22b decent? It's a mess!

I had the same issues you are probably having but fixed them all. NIP and CS educations helps. So yea. Pretty decent.

 

[mentos87]

I had the same issues you are probably having but fixed them all. NIP and CS educations helps. So yea. Pretty decent.

I guess you do not know what you are talking about, sorry, but coders know what i am up to

 

[Uundastan]

I know exactly what I am talking about. NIP and CS degrees. I also believe the flaws in code are intentional as they not even code but rather things to prevent every day people from using the software. Hence why a fresh install 500s after 24 hours. Works great and just fine with a few minor adjustments. Coders lol.

 

[urgodfather]

im not the first one to report this kind of attacks the only solution is to use fail2ban and receive notifications by Email because this kind of attack is a Restream overload ! you have to stay h24


as an old user of xtream codes none of my users was able to open 500 connections at time from another xtream codes server if i didnt allow him max_connections 500 ... xtreal ui didnt droped his connection flow ... the guy got 500 restream restreamed on 1 hour thats what makes me crazy ????,

Dude, you are all over the place! First you describe it as one issue then you change it to be something different.

I know exactly what I am talking about. NIP and CS degrees. I also believe the flaws in code are intentional as they not even code but rather things to prevent every day people from using the software. Hence why a fresh install 500s after 24 hours. Works great and just fine with a few minor adjustments. Coders lol.

I'm sitting here scratching my head trying to figure out where that previous post even came from LOL ?

 

[Uundastan]

Dude, you are all over the place! First you describe it as one issue then you change it to be something different.




I'm sitting here scratching my head trying to figure out where that previous post even came from LOL ?

Admittedly I think I might know what he means though. Lots of the features don't work at all. Like the auto kick after x amount of hours. Mine is set to 12 but have a stream running for 12 days and never even once was kicked. So minus the fake features that may be set for future releases it works pretty well. Personally I don't have any issues with my servers. Currently at least. Just saying. Came a long way in just 6 months. Think everyone can agree to that at least?

 

[urgodfather]

Oh I know... but this is the thing that SOOOO MANY just haven't understood. NEVER EVER EVER leave things installed just "out of the box." This is a professional enterprise industry standard. Why? Because THAT's what people look for! It's like leaving the default password as admin/admin.

Also, I can confirm that the kick-out does in fact work, but there are many variables that are easily overlooked.

 

[Uundastan]

Oh I know... but this is the thing that SOOOO MANY just haven't understood. NEVER EVER EVER leave things installed just "out of the box." This is a professional enterprise industry standard. Why? Because THAT's what people look for! It's like leaving the default password as admin/admin.

Wait. I was suppose to change the username and password? Does admin and password count? Seen a lot of the work you contribute. Many thanks. Even windows 10 has flaws. Nothing can ever be perfect. Windows XP and 7 almost were. They kill anything that is perfect. Ok. Everything is perfect. Kill it... Nulled. Obsolete. Vista and 8 were the most terrible things ever created as well imo. That is multi billion dollar company so what can one expect from open source? Works great for what it is. Can only get better. Perhaps even near perfect by R25.

 

[Uundastan]

I guess you do not know what you are talking about, sorry, but coders know what i am up to

Apologizes by the way. Just been in a bad mood. I know what you mean by nothing works or works 100% correctly yet. Reboot the Server for LBs literally does nothing. Auto install a LB. Also does nothing. Have not looked at the php scripts that would be required to do that personally so I don't even know if they are just broken code or even no code written at all. In that sense. I have no clue. Thanks for my dose of humility.

 

[Omega]

Here is my two cents...

this panel has loads of bugs, r21 has stupid bugs and r22 is the same but the issue of lines being able to go over the amount of max connections set is there but it seem if you change to mpegts lines only and not allow HLS or RTMP it helps someone what

there are some issues in the panel that allow people to get your streams without a valid password or username but I think GTA was going to fix this last I read BUT if he don’t I will give the info out to all on the 20th (giving him time to do the fix) so to stop people steeling from each other and only from the big companies!

next issue is MAGs they have a massive flaw, you can stream unlimited connections if you find a working MAC and then sniff the username and password! there is a fix I’m told but it’s in the DB and not in the panel for some unknown reason.

I have to agree somewhat that some bugs seemed to be manually added as to keep people going back to the forum as every realease had funny issues BUT now that’s stopped I think R21 with parts and some fixes of R22 is the best option for a FREE panel.

 

[hazdo]

hi mates according to this post through what u said that they used dedicated servers for that so they are like trying to flood your connection because i have that their auth failed and hence any ddos prootection service can prevent that by sampely because they use some methods because they can differ robots and bots from humain because dedicated use multiple request at short time and by founding that the request coming from the same origine so dont be afraid.
and u can block IP in the panel and in the nginx server

 

[jamess88]

my brain hurts,,,, this guy needs a plane ticket to go self quarantine and think about what he wants to tell the "coders"