UnamWebPanel
Hacked
For the 2nd time already. The same hacker. He steals workers. This is the same hacker who hacked me 2 weeks ago. The same wallet and API endpoint. 2 weeks ago I closed access to viewing PHP errors. I also disabled error logging. Now __UNAM_LIB/Logs errors are not recorded for me at all. But they still hacked me. What to do? I saw a similar topic but didn't understand what solution was found?
It is from a XSS attack (he doesn't actually have access to your web panel), you can find a version here that mitigates XSS: https://github.com/UnamSanctam/UnamWebPanel/issues/313#issuecomment-1882005200
As I understand it, I need to remove the old panel and install a new one? How can I get my old workers back? Do I need to save the db folder and then return it to the new panel?
Yes, just replace all the files (remove them first and then place the new ones there). If you have a fresh database then all your miners will appear again the next time they connect. Or you can use your old database (db/unamwebpanel.db) by saving it and then overwriting your new web panel db file with your old one. This will work as long as the XSS attack isn't in the hashrate history portion, but you can remove the XSS attack miner entry if so.
I'm uploading a new panel to my server and now I can't login. Incorrect password. Although I changed the password 10 times and tried to log in. What could be the reason?
Make sure the password set in the config.php is correct, and make sure you don't have caps lock or anything like that enabled when you're entering the password on the login page. You can also try copy-pasting the password from the config and see if it works. The web panel version has been tested and should work fine.
I've done everything. I completely removed the old panel and uploaded a new panel to the server. I replaced only unamwebpanel.db from the old panel. Is everything correct?
What are the 2 files? Also transfer them from the old panel to the new one?
Yes, that should be correct. The two files are the write-ahead log and the index of the write-ahead log; they are used to make sure that the database does not get corrupted, so you should copy all of those to your new web panel. Then, when you log into the web panel, remove the malicious miner entry that was added. It should be easily identifiable since it has nearly no data.
"remove the malicious miner entry that was added" - I didn't understand what it was. Can you show me a screenshot of what it is so I can delete it? I just don't understand well.
When you log into your web panel, one of your miners there should have almost no information in it; that should be the "miner" entry with the attack in it. Or, if it's a more sophisticated entry, then it might have some information, in which case remove one that you don't recognize (maybe the latest one).
And also, all miners, no matter what was changed, will return to your configuration and web panel on their next restart.
Is this what you meant? Is there only one such record or do we need to search for them all?
Yes, that is correct, you can see the script injection there. There might only be one, or they could have contacted your web panel with more fake miner connections. You can try searching for "script" and see if any others appear.
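One way to do that "search for script" step against a copy of the panel's SQLite file, as an added example that is not the project's own code: it walks every table, flags text cells that look like a script injection (including the subtler case where a plausible-looking miner hides the payload in a secondary field), and can delete the flagged rows. The miners table, its columns and the sample rows are constructed and hypothetical; the real panel schema will differ, which is why the scanner reads the schema at run time instead of assuming it.

```python
import re
import sqlite3

# Markers of a stored script injection in a text field (constructed for this
# example; extend the pattern to suit your own data).
SUSPICIOUS = re.compile(r"<\s*script|javascript\s*:|<\s*(?:svg|iframe|img)\b", re.IGNORECASE)

def scan_for_injection(conn):
    """Return (table, rowid, column, value) for every text cell, in any table,
    that matches SUSPICIOUS. Run it against a copy of the panel's SQLite file."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # pragma_table_info() takes a bound parameter, so the table name needs no quoting here.
        cols = [r[0] for r in conn.execute("SELECT name FROM pragma_table_info(?)", (table,))]
        qcols = ", ".join('"%s"' % c.replace('"', '""') for c in cols)
        qtable = '"%s"' % table.replace('"', '""')
        for rowid, *values in conn.execute("SELECT rowid, %s FROM %s" % (qcols, qtable)):
            for col, val in zip(cols, values):
                if isinstance(val, str) and SUSPICIOUS.search(val):
                    findings.append((table, rowid, col, val))
    return findings

def delete_findings(conn, findings):
    """Delete each flagged row once (a row may be flagged on several columns)."""
    rows = {(table, rowid) for table, rowid, _, _ in findings}
    for table, rowid in rows:
        conn.execute('DELETE FROM "%s" WHERE rowid = ?' % table.replace('"', '""'), (rowid,))
    conn.commit()
    return len(rows)

def build_sample_db():
    """Constructed in-memory sample with a hypothetical miners table; this is
    NOT the real UnamWebPanel schema. Two of the four rows carry a payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE miners (id INTEGER PRIMARY KEY, name TEXT, ip TEXT, "
                 "hashrate INTEGER, os TEXT)")
    conn.executemany("INSERT INTO miners (name, ip, hashrate, os) VALUES (?, ?, ?, ?)", [
        ("rig-01", "10.0.0.5", 1200, "Windows 10"),
        ("rig-02", "10.0.0.6", 950, "Windows 11"),
        # the 'almost no information' fake miner the thread describes
        ("<script>/* constructed payload */</script>", "203.0.113.9", 0, ""),
        # a subtler entry: plausible name, payload tucked into a secondary field
        ("rig-03", "10.0.0.7", 1100, "Windows 10 <SCRIPT>/* constructed */</SCRIPT>"),
    ])
    conn.commit()
    return conn
```

Point `sqlite3.connect()` at a copy of db/unamwebpanel.db (with its -wal and -shm files alongside) rather than the live file, and review the findings before deleting, since the regex can also match legitimate text.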
I found 5 pieces and deleted them. Thank you very much Unam.
Remember to use the latest version here in #317 to secure your web panels.