Inactive Stasis app 'hey' missed message

I’m seeing this on two of my servers after the latest updates to core and framework. Oddly though I don’t see this on other servers. The two in question are both running Zulu, Sangoma connect and phone apps. These are also the only ones running VPN for remote phones.

I do have a couple others running the same without the VPN component and they do not have this message spamming the console 3 or so times a second. Does anyone know what this app hey is?

Might be a new exploit that is somehow taking advantage of ARI.

... bunch of normal logs and then ...
[2023-01-05 15:43:26] VERBOSE[24988] stasis/app.c: Creating Stasis app 'hey'
[2023-01-05 15:43:26] VERBOSE[24988] res_http_websocket.c: WebSocket connection from '139.144.35.125:63531' for protocol '' accepted using version '13'

(IP listed is some random Linode VM)

Later:

[2023-01-05 15:56:28] ERROR[24988] res_http_websocket.c: Error reading from web socket: Connection reset by peer
[2023-01-05 15:56:28] WARNING[24988] ari/ari_websockets.c: WebSocket read error: Connection reset by peer
[2023-01-05 15:56:28] VERBOSE[24988] stasis/app.c: Deactivating Stasis app 'hey'

and then you start getting

[2023-01-05 15:56:39] VERBOSE[24990] stasis/app.c: Inactive Stasis app 'hey' missed message

in Asterisk:

*CLI> stasis show topics

Name                                                             Detail                                                          
ari:application/hey    
...
*CLI> stasis show topic ari:application/hey 
Name: ari:application/hey
Detail: 
Subscribers count: 1
Forwarding topic count: 2
Duration time: 190:19:38

and

*CLI> ari show app hey 
Name: hey
  Debug: Yes
  Subscription Model: Global Resource Subscription
  Subscriptions: 3
    Channels:
      __AST_CHANNEL_ALL_TOPIC (1)
    Bridges:
      __AST_BRIDGE_ALL_TOPIC (1)
    Endpoints:
      __AST_ENDPOINT_ALL_TOPIC (1)

I’m unfamiliar with these components of Asterisk but it looks like at least an attempt at exfiltrating information from the PBX. Not sure what all can be gained here, but best to close this off until the root cause is figured out.

In order for an external host to create an ARI app, the Asterisk http/https services would need to be reachable; they should be blocked by default in the firewall. They would also need to know ARI credentials.

On the server I am investigating, Settings → Asterisk REST Interface Users has no users listed.

The ari_additional.conf file has only a freepbxuser with encrypted password.

I’m puzzled at the moment. @wwenthin do you have any more clues?

This shows nothing for me BUT… early this morning I executed fwconsole reload. The messages seemed to have stopped with that. I also pushed Asterisk up to 18 certified LTS on both systems.
After this I started seeing this at least once a second until I firewalled them to oblivion: WARNING[235581] res_pjsip_registrar.c: Endpoint ‘anonymous’ (135.181.233.61:53051) has no configured AORs

Not really sure if that was someone that is sitting at home now wondering where their phones went or part of the previous fun.

Hello, got 4 PBXs hacked here too; they are somehow bypassing ARI authentication and placing calls this way.
Also, somehow on some of the PBXs I found port 8088 open to the internet even if the firewall was active and set to trust only local IPs.

I see it being open because of a rule named “webrtc”

If you are using a certified version of Asterisk, you should be using the support contract for which you obtained it. If you don’t have such a contract, you should be using the latest, non-certified version.

In the meantime I have sent an abuse complaint to Linode; I’ve checked and the IP in my case is the same as posted by @billsimon.
For now everyone should absolutely check that 8088 is actually closed from outside and preferably use a separate firewall in front of it while it is figured out how it happened.

In my case it has been used to place 0.60€ / min calls to Africa

Same problem here on a freepbx box of a client… posting here so will get email if something is posted…
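For anyone checking their own logs for the sequence posted earlier in this thread, here is an added example (not from any poster and not FreePBX or Asterisk code) that scans an Asterisk full log for a Stasis app created over a WebSocket from a non-private address and counts the "missed message" lines per app. It assumes the two log lines share the bracketed thread id, as they do in the excerpt; the `SAMPLE` lines for `localapp` are constructed.

```python
import ipaddress
import re
from collections import Counter

LINE = re.compile(r"^\[(?P<ts>[^\]]+)\] \w+\[(?P<tid>\d+)\] [^:]+: (?P<msg>.*)$")
CREATE = re.compile(r"Creating Stasis app '([^']*)'")
WS = re.compile(r"WebSocket connection from '([^']+):(\d+)'")
MISSED = re.compile(r"Inactive Stasis app '([^']*)' missed message")

# First, second and last lines are from the thread; the 'localapp' lines are constructed.
SAMPLE = """\
[2023-01-05 15:43:26] VERBOSE[24988] stasis/app.c: Creating Stasis app 'hey'
[2023-01-05 15:43:26] VERBOSE[24988] res_http_websocket.c: WebSocket connection from '139.144.35.125:63531' for protocol '' accepted using version '13'
[2023-01-05 15:44:01] VERBOSE[25001] stasis/app.c: Creating Stasis app 'localapp'
[2023-01-05 15:44:01] VERBOSE[25001] res_http_websocket.c: WebSocket connection from '127.0.0.1:40112' for protocol '' accepted using version '13'
[2023-01-05 15:56:39] VERBOSE[24990] stasis/app.c: Inactive Stasis app 'hey' missed message
"""

def is_external(ip):
    """True for addresses outside private, loopback and link-local ranges."""
    addr = ipaddress.ip_address(ip.strip("[]"))  # tolerate bracketed IPv6
    return not (addr.is_private or addr.is_loopback or addr.is_link_local)

def scan(lines):
    """Return (apps created by external peers, missed-message count per app)."""
    pending = {}        # thread id -> app name awaiting its WebSocket line
    findings = []
    missed = Counter()
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue
        tid, msg = m["tid"], m["msg"]
        if c := CREATE.search(msg):
            pending[tid] = c.group(1)
        elif w := WS.search(msg):
            app = pending.pop(tid, None)
            if app is not None and is_external(w.group(1)):
                findings.append({"time": m["ts"], "app": app, "peer": w.group(1)})
        elif x := MISSED.search(msg):
            missed[x.group(1)] += 1
    return findings, dict(missed)

if __name__ == "__main__":
    hits, missed = scan(SAMPLE.splitlines())
    for h in hits:
        print(f"{h['time']} external peer {h['peer']} created Stasis app {h['app']!r}")
    print("missed-message counts:", missed)
```

Any hit means the Asterisk HTTP service was reachable from outside at that time, which is the condition described above for port 8088.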