UnamSanctam / UnamWebPanel


🚩🚩🚩🚩🚩🚩🚩🚩🚩Again SECURITY BREACH THE SAME GUY HACKING PANELS XSS URGENT🚩🚩🚩🚩🚩🚩🚩🚩🚩 #317

Open gabjohn3 opened 8 months ago

gabjohn3 commented 8 months ago

Unam please look at this, the same guy hacked panels again and it's getting an XSS ATTACK PLEASE CHECK image

THIS IS the miner emulating connection image

UnamSanctam commented 8 months ago

Please post the database (or send it to unams@protonmail.com), might've missed some escape in the formatting section since I'm not able to test it at the moment.

gabjohn3 commented 8 months ago

Sending right now, for now im seeing some logs on unam lib

UnamSanctam commented 8 months ago

this is honestly getting out of hand dude theres so many security issues and they've been happening for months when is this finally going to end? webpanels have been hacked many times now.

There is only the XSS issue that has been reported, except for those that weren't clearing their error logs. If you have any other issues please report them. I can't fix something that I have not been made aware of.

gabjohn3 commented 8 months ago

I sent you the DB AND THE error files Unam please check it

UnamSanctam commented 8 months ago

> I sent you the DB AND THE error files Unam please check it

Aha, the sneaky bastard put the XSS script inside the hashrate reporting.

gabjohn3 commented 8 months ago

u see ? i send u :D

UnamSanctam commented 8 months ago

> u see ? i send u :D

Yes I saw it, it seems like he started putting the script inside the hashrate reporting now. Here's an updated one that does sanitization on every input, please check if it works correctly since sadly I cannot test at the moment: UnamWebPanel.zip

gabjohn3 commented 8 months ago

testing right now

gabjohn3 commented 8 months ago

image

gabjohn3 commented 8 months ago

I checked that I put the whole folder and set the correct permissions, also I rebooted the apache server and deleted the old session and still that error :/

UnamSanctam commented 8 months ago

Can you post the database if it's not empty? I'm currently doing this all (responding and coding) on my phone so it's hard to test it myself.

gabjohn3 commented 8 months ago

give me a sec i delete the whole project and rebuilding again bro give me a sec

gabjohn3 commented 8 months ago

okay i reinstalled and now it's up and running, lets see if it's hacked again bro im watching :D

gabjohn3 commented 8 months ago

Okay for now it's working great, changed password and deleted old session, hope this helps to prevent future hackings unam, thanks for ur FAST Response i really appreciate it :)

UnamSanctam commented 8 months ago

> Okay for now it's working great, changed password and deleted old session, hope this helps to prevent future hackings unam, thanks for ur FAST Response i really appreciate it :)

Alright great, thanks for the fast report and testing.

gabjohn3 commented 8 months ago

Be aware that they are still trying to gain access to panels, now a new IP appears image

UnamSanctam commented 8 months ago

Yes they will probably still try different ways of doing so, though none of it should work anymore.

seition2doc commented 8 months ago

2mhs was gone and I downloaded and installed the panel again but it was still gone :(

UnamSanctam commented 8 months ago

> 2mhs was gone and I downloaded and installed the panel again but it was still gone :(

All miners will always return to their original configuration on their next restart, so on their next restart they should reappear.

masterjek commented 8 months ago

I deleted the worker that he connected to me and after deletion, the versions of the workers stopped being displayed in the web panel. I had to delete the old database again and download a new one.

UnamSanctam commented 8 months ago

Please send your database here or to unams@protonmail.com, it's possible that I might need to set ENT_QUOTES and 'UTF-8' as well for the sanitation if they are using that as a workaround.

UnamSanctam commented 8 months ago

> dude ill do it but this is the 3rd day in a row of this happening, and dude obviously cant be that smart hes fucking mining xmr and not zeph hes not even stealing the gpu workers too.

Yes, XSS attacks are pretty simple to execute, especially nowadays with ChatGPT and others. Currently I'm working on the next version, which is a rewrite of most of the code, while also working on a lot of real life work. Here's the latest hotfixed version for the current version at least: UnamWebPanel.zip, though I can't know what they did for your panel without seeing the database entry.

UnamSanctam commented 8 months ago

Alright, try with the latest version I sent in the previous message, looks like he might actually be doing it since ENT_QUOTES wasn't set previously (the previous one I had to code on my phone).

UnamSanctam commented 8 months ago

The one I just posted, the previous one I had to code on my phone since I didn't have a computer so I missed escaping single quotes (') by explicitly setting ENT_QUOTES, which is what I believe he's using to attack now.
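The escaping point made above, shown as an added example (this is not UnamWebPanel's own code, and the worker row, field names and sample values are constructed for illustration). It demonstrates why `htmlspecialchars()` needs `ENT_QUOTES` when a client-reported value lands inside a single-quoted attribute, and why the value should be escaped once, at render time, rather than stored already escaped.

```php
<?php
// Added example, not code from UnamWebPanel. Shows the effect of ENT_QUOTES on
// a single-quote break-out and the cost of escaping the same value twice.
declare(strict_types=1);

// Escape a value for insertion into HTML text or a quoted attribute.
// ENT_QUOTES covers both " and '; ENT_SUBSTITUTE replaces invalid UTF-8
// sequences instead of returning an empty string; the charset is explicit.
function escapeHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render a hypothetical worker row. Escaping happens here and only here;
// the array holds the raw values exactly as stored in the database.
function renderWorkerRow(array $worker): string
{
    $name = escapeHtml($worker['name']);
    $rate = escapeHtml($worker['hashrate']);
    return "<tr><td title='{$rate}'>{$name}</td><td>{$rate}</td></tr>";
}

// Constructed sample data (not from the thread): one benign worker and one
// whose hashrate field is a single-quote break-out probe.
$workers = [
    ['name' => 'rig-01', 'hashrate' => '2.1 kH/s'],
    ['name' => 'rig-02', 'hashrate' => "0' data-x='injected"],
];

// ENT_COMPAT (the default before PHP 8.1) leaves ' untouched, so the value
// closes the title='...' attribute early and the rest becomes markup.
$weak = htmlspecialchars($workers[1]['hashrate'], ENT_COMPAT | ENT_HTML401, 'UTF-8');
echo "ENT_COMPAT: {$weak}", PHP_EOL;   // 0' data-x='injected

// With ENT_QUOTES the quote is encoded (&apos; under ENT_HTML5) and stays inert.
$strong = escapeHtml($workers[1]['hashrate']);
echo "ENT_QUOTES: {$strong}", PHP_EOL; // 0&apos; data-x=&apos;injected

foreach ($workers as $w) {
    echo renderWorkerRow($w), PHP_EOL;
}

// Double-escaping check: escaping an already escaped value turns &apos; into
// &amp;apos;, which renders literally in the page and corrupts any value that
// is handed back to a client. Store raw, escape in the HTML layer only.
if (escapeHtml($strong) !== $strong) {
    echo "escaping twice changes the value: ", escapeHtml($strong), PHP_EOL;
}
```

The flags are passed explicitly rather than relying on PHP's defaults because the default set changed in PHP 8.1 (it now includes `ENT_QUOTES`); a panel deployed on an older PHP gets `ENT_COMPAT` unless told otherwise.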

JiKuytja commented 8 months ago

He stole all the workers, the panel better not be used.

Screenshot_74

seition2doc commented 8 months ago

If I connect my miner to the panel, it immediately goes offline and does not come on again.

UnamSanctam commented 8 months ago

> what causes this?

Maybe because it double escapes? I'm currently in a meeting but I'll try to test it. And if the people sending death threats to my email are reading this then please stop, it makes it harder to help with all the messages.

masterjek commented 8 months ago

> The one I just posted, the previous one I had to code on my phone since I didn't have a computer so I missed escaping single quotes (') by explicitly setting ENT_QUOTES, which is what I believe he's using to attack now.

It doesn’t steal workers from me and doesn’t change the configuration of workers. It just disables some functions of the web panel for me and that’s all, but the workers work on my configuration.

UnamSanctam commented 8 months ago

> and the version unam sent me after the 3rd apparent fix not even working

Seems like only the full row output for formatting wasn't working; the one I asked to test the panel didn't notice since theirs was on "Starting" (which has priority over the full row output calculation). Try this one: UnamWebPanel.zip. I'm in a meeting at work and the person I asked to test for me is doing it quite slowly, so please tell me if there's anything wrong.

gabjohn3 commented 8 months ago

another hacking? damn the hackers are busy, damn. updating right now

masterjek commented 8 months ago

> and the version unam sent me after the 3rd apparent fix doesn't even work

> Seems like only the full row output for formatting wasn't working; the one I asked to test the panel didn't notice since theirs was on "Starting" (which has priority over the full row output calculation). Try this one: UnamWebPanel.zip. I'm in a meeting at work and the person I asked to test for me is doing it quite slowly, so please tell me if there's anything wrong.

This version works for 2 hours, there were no hacks, I don’t see any suspicious workers either.

masterjek commented 8 months ago

This worker appeared. 1 I haven't tried deleting it, but it doesn't seem to do anything other than just display. The web panel continues to work fine.

VK-VZ commented 8 months ago

I got them too. 6 items. And they are not deleted.

Screenshot_20240112_003758_Chrome

VK-VZ commented 8 months ago

It's not nice to see this in a panel. I wonder how this hacker found all the panels?

UnamSanctam commented 8 months ago

> I got them too. 6 items. And they are not deleted.

Yes it doesn't delete them, but since you can see the script text then they were mitigated correctly and are thus harmless.

> It's not nice to see this in a panel. I wonder how this hacker found all the panels?

Anyone can send fake miner connections if they know the address (since there's no way to verify legitimate miners), though I'm not sure how they found yours. Do you have your web panel in a subfolder? Normally the robots.txt should prevent any search engine indexing.

VK-VZ commented 8 months ago

There are no subfolders. Domain only. But he found almost everyone who used the panel. But he used some kind of trick.

UnamSanctam commented 8 months ago

> There are no subfolders. Domain only. But he found almost everyone who used the panel. But he used some kind of trick.

Yes there's some trick, though he didn't find a lot of people it seems, since he never even got 1 MH/s as far as I know. And there are tons of people that single handedly have over 1 MH/s, with the largest miner I know of having around 80 MH/s (RandomX) last I heard from him. So only a few ones got hacked, but I'm not sure what's in common between them.

masterjek commented 8 months ago

> Yes there's some trick, though he didn't find a lot of people it seems, since he never even got 1 MH/s as far as I know. And there are tons of people that single handedly have over 1 MH/s, with the largest miner I know of having around 80 MH/s (RandomX) last I heard from him. So only a few ones got hacked, but I'm not sure what's in common between them.

I'll share my experience. All my web panels were previously found using an antivirus. I even found discussions on antivirus forums where I saw the address of my web panel. It was for this reason that where I had not previously transferred the web panel, it was blocked on both hosting and VPS servers, since antivirus software wrote to the company providing the hosting or VPS server with a claim that they were spreading a virus and blocked everything for me. The antivirus writes everything in detail: access to an unsafe resource and the address of the web panel were blocked. I checked even with the rootkit installed and running, the antivirus still sees the connection between the miner and the web panel and shows it. Therefore, it is quite easy to calculate the addresses of web panels with only one antivirus.

UnamSanctam commented 8 months ago

> I'll share my experience. All my web panels were previously found using an antivirus. I even found discussions on antivirus forums where I saw the address of my web panel. It was for this reason that where I had not previously transferred the web panel, it was blocked on both hosting and VPS servers, since antivirus software wrote to the company providing the hosting or VPS server with a claim that they were spreading a virus and blocked everything for me. The antivirus writes everything in detail: access to an unsafe resource and the address of the web panel were blocked. I checked even with the rootkit installed and running, the antivirus still sees the connection between the miner and the web panel and shows it. Therefore, it is quite easy to calculate the addresses of web panels with only one antivirus.

Yes that is true, since you can always sniff the traffic (that's unavoidable, only way around that is going through a VPN or proxy). But I don't know if many of those attacked have a lot of miners, so for those with many miners their addresses might be found online since there's many chances for their traffic to be sniffed but for those with only a few miners it doesn't seem like their addresses should be known. But as you say it's possible that they used some sort of list of sniffed addresses by antivirus and malware "experts" to attack.

UnamSanctam commented 8 months ago

> they can find the web panels through sites, and no, robots.txt does not prevent it. i have seen it myself and found over 650 results, its mostly due to your watermark with unam in it

Watermark? Do you mean the favicon?

VK-VZ commented 8 months ago

> they can find the web panels through sites, and no, robots.txt does not prevent it. i have seen it myself and found over 650 results, its mostly due to your watermark with unam in it

How did you find 650 results? Can you tell me, I want to see if my sites are there.

gabjohn3 commented 8 months ago

> they can find the web panels through sites, and no, robots.txt does not prevent it. i have seen it myself and found over 650 results, its mostly due to your watermark with unam in it

> How did you find 650 results? Can you tell me, I want to see if my sites are there.

its easy buddy i suppose they made a simple python script to dork panels maybe

gabjohn3 commented 8 months ago

hi @UnamSanctam MR hacker still trying to mess with panels please look at this image

UnamSanctam commented 8 months ago

> hi @UnamSanctam MR hacker still trying to mess with panels please look at this

Yes he tried that one before as well, he will probably continue trying since he has a monetary incentive to do so (getting your miners) but will most likely eventually give up. But it's a good sign that none of the attacks since the last update have worked so far.

kqxmii commented 7 months ago

@gabjohn3, if possible, could you tell me how to setup a web panel for this? im extremely confused as to how to do this

gabjohn3 commented 7 months ago

> @gabjohn3, if possible, could you tell me how to setup a web panel for this? im extremely confused as to how to do this

Sure i could but not 4 free buddy time is money :D

kqxmii commented 7 months ago

nevermind, i made one. quick question though, what algorithms/currencies are you mining?