Complete reference for XUI Auditor — security checks, scan levels, editions, exports, and version history.
XUI Auditor is a desktop security auditing tool designed for IPTV panels, supporting Xtream UI and XUI.ONE (AIOPLUS/Proxi) with full 24-check audits. It runs 24 automated security checks covering credentials, network, server configuration, database exposure, and panel integrity — providing actionable remediation steps for each finding.
XUI Auditor runs 24 security checks divided into two groups: 7 Basic checks (API-only) and 17 Deep checks (SSH + MySQL).
These checks only require the panel URL and admin credentials. No SSH access needed.
| ID | Check Name | Severity | Category | Fixable | Description |
|---|---|---|---|---|---|
| CHK-001 | Default Credentials | Critical | Credentials | Yes * | Checks if the admin panel still uses default credentials (admin/admin). |
| CHK-002 | Default Admin Port | Medium | Network | No | Checks if the admin panel runs on a well-known default port (8080, 80, etc.). |
| CHK-007 | HTTPS Disabled | High | TLS | No | Checks if the panel uses HTTPS to encrypt traffic. Note: most IPTV players do not support HTTPS. |
| CHK-008 | SSL Certificate Expiry | Critical | Certificate | No | Checks the SSL certificate expiration date. |
| CHK-009 | Expired Users Active | Medium | Clients | No | Finds user accounts past their expiration date that are still active. |
| CHK-010 | Restreamers Detected | High | IPTV | No | Detects users with the restreamer flag, who can redistribute content. |
| CHK-014 | Unlimited Connections | Low | Clients | No | Finds users with unlimited simultaneous connections (max_connections=0). |
* Auto-fix note: CHK-001 auto-fix requires SSH access (deep scan) to update the database directly, since the Xtream UI API does not expose password change functionality.
These checks read the panel's database settings directly via SSH. They detect configuration weaknesses not visible through the API.
| ID | Check Name | Severity | Category | Fixable | Description |
|---|---|---|---|---|---|
| CHK-003 | Admin IP Whitelist Missing | High | Firewall | Yes | Checks if admin access is restricted to specific IP addresses. |
| CHK-004 | API IP Whitelist Missing | High | Firewall | Yes | Checks if the API is restricted to specific IP addresses. |
| CHK-005 | Flood Protection Disabled | Medium | Firewall | Yes | Checks if brute-force protection (flood limit) is enabled. |
| CHK-006 | 2FA Disabled | High | Credentials | No | Checks if two-factor authentication is enabled for admin logins. |
| CHK-011 | No Auto-Backup | Medium | Configuration | Yes | Checks if automatic database backups are enabled. |
| CHK-012 | Default Streaming Password | Critical | IPTV | No | Checks if the live streaming password is empty or a known default. |
| CHK-013 | Empty User-Agent Block | Low | Configuration | Yes | Checks if the panel blocks connections with empty User-Agent headers. |
These checks audit the server itself via SSH commands — ports, firewall, processes, file permissions, and more.
| ID | Check Name | Severity | Category | Fixable | Description |
|---|---|---|---|---|---|
| CHK-101 | Open Ports Exposed | High | Network | Partial | Scans the server for open ports that should not be publicly exposed (MySQL, Redis, etc.). |
| CHK-102 | Firewall Rules Missing | High | Firewall | No | Checks if a firewall (iptables/ufw) is properly configured. |
| CHK-103 | Brute Force Attempts | Critical | Credentials | Partial | Counts failed SSH login attempts to detect ongoing brute-force attacks. |
| CHK-104 | Suspicious Processes | High | Server | No | Looks for suspicious processes running on the server (miners, reverse shells, etc.). |
| CHK-105 | Cron Jobs Audit | High | Server | No | Audits cron jobs for unauthorized or malicious scheduled tasks. |
| CHK-106 | File Permissions | High | Server | Yes | Checks file permissions on critical config files (should be 600 or more restrictive). |
| CHK-107 | MySQL Exposed Externally | Critical | Database | Partial | Checks if MySQL is exposed to the internet instead of bound to localhost only. |
| CHK-108 | SSH Config Risky | High | Server | No | Checks sshd_config for risky settings (root login enabled, password auth, etc.). |
| CHK-109 | Disk & Logs Monitoring | Medium | Server | No | Monitors disk usage and checks for excessively large log files (>90% usage). |
| CHK-110 | Backdoor Detection | Critical | IPTV | No | Scans panel PHP files for common backdoor patterns (eval/base64_decode injections). |
Severity levels: Critical = Immediate action required. High = Fix soon. Medium = Fix when possible. Low = Good practice.
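One way a check in the spirit of CHK-101 and CHK-107 can separate loopback-only listeners from exposed ones and report each port once across IPv4 and IPv6. This is an added example, not XUI Auditor's own code; the `ss -H -tln` input, the two-port watch list and all function names are assumptions.

```python
# Added example, not XUI Auditor's code: flag sensitive services that listen
# on non-loopback addresses, given the output of `ss -H -tln` on the server.
import ipaddress

# Assumed watch list: the page names MySQL and Redis; its "etc." is not expanded here.
SENSITIVE_PORTS = {3306: "MySQL", 6379: "Redis"}

# Constructed sample of `ss -H -tln` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 128        0.0.0.0:22      0.0.0.0:*
LISTEN 0 128           [::]:22         [::]:*
LISTEN 0 151        0.0.0.0:3306    0.0.0.0:*
LISTEN 0 151           [::]:3306       [::]:*
LISTEN 0 511      127.0.0.1:6379    0.0.0.0:*
LISTEN 0 511          [::1]:6379       [::]:*
LISTEN 0 4096 127.0.0.53%lo:53      0.0.0.0:*
"""

def split_local(field):
    """Split the ss 'Local Address:Port' column into (address, port)."""
    addr, _, port = field.rpartition(":")
    addr = addr.split("%")[0].strip("[]")  # drop %iface scope, then IPv6 brackets
    return addr, int(port)

def is_loopback(addr):
    if addr == "*":  # ss shorthand for "all addresses"
        return False
    return ipaddress.ip_address(addr).is_loopback

def exposed_services(ss_output, watch=SENSITIVE_PORTS):
    """Return {port: {"service": ..., "addresses": [...]}} for watched ports bound
    to a non-loopback address; IPv4 and IPv6 listeners share one entry per port."""
    findings = {}
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        addr, port = split_local(cols[3])
        if port not in watch or is_loopback(addr):
            continue
        entry = findings.setdefault(port, {"service": watch[port], "addresses": []})
        if addr not in entry["addresses"]:
            entry["addresses"].append(addr)
    return findings

if __name__ == "__main__":
    print(exposed_services(SAMPLE_SS))
```

In the sample, MySQL is reported once with both wildcard addresses, while Redis is not reported because it listens only on 127.0.0.1 and ::1.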
XUI Auditor offers two scan levels depending on the access you have to the panel server.
Basic: 7 checks • ~10-30 seconds
Deep: 24 checks • ~2-5 minutes
How to enable Deep Scan: When adding a panel, fill in the SSH section (host, port, username, password). If SSH credentials are configured, the "Deep" scan level becomes available. SSH credentials are encrypted locally and never transmitted.
Pre-scan connection test: Starting from v0.3.0, XUI Auditor automatically verifies the connection to your panel before starting a scan. If the panel is unreachable or credentials are invalid, the scan button stays disabled and a clear error message is shown — preventing wasted time and false results.
Both editions run the exact same 24-check scan engine. The difference is in what you see after the scan.
Free • No registration required
One-time purchase • Lifetime license
After a scan, export the results in multiple formats for documentation, compliance, or sharing with your team. (Full edition only)
JSON: Machine-readable format. Contains all scan metadata, summary by severity, and the full list of issues with details. Ideal for integration with other tools or automated processing.
HTML: Standalone HTML file with a dark theme, styled for readability. Includes the severity summary, issue table, and remediation steps. Can be opened in any browser — no server needed.
PDF: Professional print-ready report. Same content as the HTML version but formatted for paper. Ideal for compliance documentation or sharing with management.
Summary of releases and major changes in each version.
| Version | Date | Highlights |
|---|---|---|
| v0.4.1 | 2026-02-24 | Internal security improvements to the licensing and edition validation subsystem. Enhanced cryptographic primitives, strengthened runtime integrity checks, and improved hardware fingerprinting accuracy. |
| v0.4.0 | 2026-02-23 | Safe fix system: pre-fix server snapshots (mysqldump/iptables-save), post-fix health checks (SSH + MySQL verification), auto-rollback for dangerous fixes (CHK-107). Fix rollback UI — restore from server snapshot with one click. XUI.ONE fix support (MySQL credential discovery). IPv4/IPv6 port deduplication fix (CHK-101). |
| v0.3.0 | 2026-02-22 | Full XUI.ONE panel support (auto-detection, 24-check audit via SSH+MySQL, auto-fixes). Pre-scan connection verification. Fixed scan progress showing 100% on failed scans. Improved error handling for unreachable panels. |
| v0.2.1 | 2026-02-21 | Technical documentation page. Semver-based release protocol. Build versioning improvements. |
| v0.2.0 | 2026-01-15 | Complete pivot to Xtream UI (IPTV). 24 security checks (7 basic + 17 deep). SSH deep scan engine. Auto-fixes via MySQL over SSH. License system with machine ID binding. PayPal payment integration. Landing page with email-gated demo download. PDF/HTML/JSON report exports. Standalone Windows .exe via PyInstaller. |
| v0.1.0 | 2025-12-01 | Initial release. Foundation + scanner engine. React frontend with Ant Design. FastAPI backend. Support for 3x-ui/x-ui proxy panels (later removed). Basic check framework. Welcome wizard and i18n (EN/ES). |
To check which version of XUI Auditor you have installed:
Staying up to date: Compare your installed version with the latest version shown on the download page. If a newer version is available, download the latest ZIP, extract it, and replace the old .exe file. Your data (panels, scan history, license) is stored separately and will be preserved.
XUI Auditor runs entirely on your local machine. It is a standalone desktop application — there is no cloud server, no account registration, and no telemetry. All scan results, panel credentials, and reports stay on your computer.
Panel credentials (admin password, SSH password) are encrypted using AES encryption before being stored in the local database. They are only decrypted in memory when needed for a scan, and are never written to logs or transmitted externally.
The only outbound network connections XUI Auditor makes are:
No other network connections are made. No data is sent to us or any third party.
Scans are read-only operations — they inspect configuration without making changes. The tool only modifies your panel when you explicitly click "Apply Fix" on a specific issue (Full edition only). Before any fix is applied, you are shown a confirmation dialog explaining what will be changed.
Every fix includes built-in safety measures:
Some antivirus engines may flag XUI Auditor as potentially malicious. This section explains why this happens and how to verify the file is safe.
XUI Auditor is built with Python and packaged into a standalone .exe using PyInstaller. This packaging process bundles a Python interpreter and all dependencies into a single executable. At runtime, the file unpacks these components into a temporary directory and executes them.
This unpack-and-execute pattern is similar to how some malware packers operate, which causes heuristic-based and AI-based antivirus engines to flag the file as suspicious — even though the behavior is completely legitimate. This is a well-known industry issue that affects thousands of legitimate Python applications distributed as .exe files.
XUI Auditor v0.4.1 scores 68/71 clean on VirusTotal. The 3 detections are generic heuristic labels — not specific malware signatures:
| Engine | Detection | Type |
|---|---|---|
| Bkav Pro | W64.AIDetectMalware | Generic AI heuristic — high false-positive rate across all PyInstaller apps |
| CrowdStrike Falcon | Win/malicious_confidence_60% (D) | Low-confidence ML heuristic — common on packed/PyInstaller executables |
| SecureAge | Malicious | Generic label with no specific malware identification |
No engine identifies a specific malware family, trojan, or exploit. Major vendors like ESET, Kaspersky, Norton, Malwarebytes, Bitdefender, Avast, and Microsoft Defender mark it as clean.
Every release includes a SHA-256 hash so you can verify the file has not been tampered with. Open a terminal and run:
certutil -hashfile XUI_Auditor.exe SHA256
Compare the output against the official hash for your version:
| Version | SHA-256 |
|---|---|
| v0.4.1 | 8a9dd68fb2cf291cd575ff7baefaeb2c6308a67d4894d76617bb1d871f407ed2 |
XUI_Auditor.exe to your exclusion/whitelist
Starting from v0.2.1, the executable includes embedded version information (visible in Properties → Details on Windows):
This metadata helps antivirus engines identify the file as a legitimate application and reduces false-positive rates.
Authorized Use Only. XUI Auditor is designed exclusively for use by system administrators and authorized personnel on panels they own or have explicit written permission to audit. You are solely responsible for ensuring that your use of this tool complies with all applicable local, state, national, and international laws and regulations. Unauthorized scanning or testing of systems you do not own or have permission to test may violate computer fraud and abuse laws.
No Warranty. This software is provided "AS IS" and "AS AVAILABLE", without warranty of any kind, express or implied, including but not limited to the warranties of merchantability, fitness for a particular purpose, and non-infringement. The developers make no guarantee that the tool will detect all vulnerabilities, that scan results will be accurate or complete, or that applied fixes will resolve all security issues.
Limitation of Liability. In no event shall the authors, developers, or distributors of XUI Auditor be liable for any direct, indirect, incidental, special, consequential, or exemplary damages — including but not limited to loss of data, loss of revenue, service interruption, server downtime, or unauthorized access — arising out of or in connection with the use or inability to use this software, even if advised of the possibility of such damages.
Automatic Fixes. The "Apply Fix" feature modifies panel configuration, database records, and/or server settings. Starting from v0.4.0, every fix creates a server-side snapshot, runs post-fix health checks, and supports one-click rollback. Despite these safety measures, the user assumes full responsibility for reviewing and applying fixes. The developers are not responsible for any unintended side effects, service disruption, or data loss resulting from applied fixes.
Third-Party Systems. XUI Auditor interacts with third-party software (Xtream UI, MySQL, Linux services). The developers are not affiliated with, endorsed by, or responsible for any third-party software. Compatibility, behavior, and results may vary depending on panel version, server configuration, and environment.
⚠️ IMPORTANT: Always create a database backup before applying fixes. XUI Auditor provides a one-click backup feature (Full edition) that creates a complete MySQL dump of your panel's database.
By downloading, installing, or using XUI Auditor, you acknowledge that you have read, understood, and agree to be bound by the terms outlined above.