All info from their website. It uses brute force and predefined/stolen passwords. (It's simple to STOP HACKING PANELS.)

The reason why you must disable "flood limit" is that this app checks and switches to a new proxy once it gets blocked. And you must use a new proxy list every 5 minutes.

How to fight this? THE ANSWER IS "BLOCK THE ADMIN PORT WITH IPTABLES", and add the allowed IPs within the admin panel.

The best way is to buy a dedicated server, install an OpenVPN server on it, allow only this server's IP, and provide resellers with keys for OpenVPN. Or buy cheap sh"$" servers for 10e and use a couple of private OpenVPN servers to host the allowed IPs.

And don't forget to set in settings:

    Maximum Login Attempts: 2

Flush the existing rules:

    iptables -F

then:

    apt-get install iptables-persistent
    service netfilter-persistent save
    service netfilter-persistent reload

If you get "command not found": since Ubuntu 16 the service was renamed to netfilter, and older distros still use the old name, like this:

    service iptables-persistent save
    service iptables-persistent reload

Now buy a VPN with a STATIC IP ADDRESS.

IMPORTANT, enter:

    iptables -A INPUT -s 127.0.0.1 -p ALL -j ACCEPT

next:

    iptables -A INPUT -s YOUR_STATIC_IP -p ALL -j ACCEPT

next, all LB IPs separated by commas. List all the IPs and enter them all at once:

    iptables -A INPUT -s 111.111.111.111,222.222.222.222 -p ALL -j ACCEPT

next:

    iptables -A INPUT -s RESELLER_IP -p ALL -j ACCEPT

Now if you enter

    sudo iptables -L --line-numbers

you will get the rules with their corresponding numbers (1, 2, 3, etc.).

Now we are going to protect the server (disable ping requests and block the admin port and the SSH port). Rules are matched from top to bottom, so the ACCEPT rules above must already be in the list before you add these, otherwise the REJECT on port 22 cuts off your own SSH access:

    iptables -A INPUT -p icmp --icmp-type echo-request -j DROP
    iptables -A INPUT -p tcp -m tcp --dport 25500 -j REJECT
    iptables -A INPUT -p tcp -m tcp --dport 22 -j REJECT

NOW VERY IMPORTANT: WE MUST SAVE THE IPTABLES RULES

    service netfilter-persistent save

AND

    service netfilter-persistent reload

AFTER EACH REBOOT THE SERVER WILL KEEP THE IPTABLES RULES.
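
A pre-save check for the rule order described above, as an added example (not from the original post or the panel's own tooling): it reads `iptables -S INPUT` output and confirms that an unrestricted ACCEPT for your static IP sits above the REJECT rules for ports 22 and 25500. The helper name `check_order`, the sample listings and the address 203.0.113.10 are constructed placeholders.

```shell
# check_order ADMIN_IP PORT...   (reads `iptables -S INPUT` text on stdin)
# Succeeds only if every PORT is blocked for everyone AND an unrestricted
# ACCEPT for ADMIN_IP sits above that block, so saving cannot lock you out.
check_order() {
    admin="$1"; shift
    awk -v admin="$admin" -v ports="$*" '
        BEGIN { n = split(ports, want, " "); accept_at = 0; bad = 0 }
        $1 != "-A" || $2 != "INPUT" { next }      # skip -P policy lines
        {
            rule++; src = ""; proto = ""; dport = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "-p") proto = $(i + 1)
                if ($i == "--dport") dport = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            sub(/\/32$/, "", src)                  # -S prints hosts as a.b.c.d/32
            if (target == "ACCEPT" && src == admin && proto == "" && !accept_at)
                accept_at = rule
            if ((target == "REJECT" || target == "DROP") && src == "" &&
                dport != "" && !(dport in block_at))
                block_at[dport] = rule
        }
        END {
            for (k = 1; k <= n; k++) {
                p = want[k]
                if (!(p in block_at)) {
                    print "port " p ": no REJECT/DROP rule"; bad = 1
                } else if (!accept_at || accept_at > block_at[p]) {
                    print "port " p ": blocked before " admin " is accepted"; bad = 1
                }
            }
            exit bad
        }'
}
# Constructed sample rule listings (203.0.113.10 stands in for the static VPN IP).
GOOD='-P INPUT ACCEPT
-A INPUT -s 127.0.0.1/32 -j ACCEPT
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p icmp -m icmp --icmp-type 8 -j DROP
-A INPUT -p tcp -m tcp --dport 25500 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable'
BAD='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j REJECT --reject-with icmp-port-unreachable
-A INPUT -s 203.0.113.10/32 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 25500 -j REJECT --reject-with icmp-port-unreachable'

printf '%s\n' "$GOOD" | check_order 203.0.113.10 22 25500 && echo "GOOD: safe to save"
printf '%s\n' "$BAD"  | check_order 203.0.113.10 22 25500 || echo "BAD: fix order first"
```

On a live host, run `iptables -S INPUT | check_order YOUR_STATIC_IP 22 25500` as root before `service netfilter-persistent save`.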
You can also block countries by their country codes (the geoip match comes from xtables-addons and must be installed):

    iptables -A INPUT -m geoip --src-cc CN,TW -j DROP

And again:

    service netfilter-persistent save
    service netfilter-persistent reload

******* ADD IPTABLES AS MENTIONED ABOVE TO ALL OF YOUR SERVERS: MAIN SERVER + ALL LOAD BALANCERS YOU HAVE *****

#3 The next thing to do is to log in to the MySQL database. Go to xtreamiptv_pro --> reg_users ~ Edit the first user (it will be the admin account with ID -1). Now change ID-1 to a random high number. Even if you get a MySQL injection, attacks are focused on ID-1 (which is always ADMIN).

#4 Another fix: locate php.ini in the xtreamcodes folder, under php (you can do this on all of your servers, main + LB). Edit the file and add right at the bottom:

    disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_multi_exec,parse_ini_file,show_source

Click save. Reboot the server.

If you haven't added /etc/init.d/xtreamcodes to cron to run after reboot, then just after the main server reboots, log in via SSH and enter this command as root:

    /etc/init.d/xtreamcodes

#5 If you have been hacked: back up the DBs, REINSTALL A FRESH OS ON THE SERVERS and reinstall the panel with IPTABLES IN PLACE as mentioned above.

ADD IPTABLES AS MENTIONED ABOVE TO ALL OF YOUR SERVERS: MAIN SERVER + ALL LOAD BALANCERS YOU HAVE