Inactive Stasis app 'hey' missed message

I’m asking for the output of

fwconsole setting FPBX_ARI_PASSWORD

If you have multiple systems with the same output, indicate count instead of sending the same string over and over

Email sent

BTW, the results of that command are also the same as what is visible in plain text within /etc/amportal.conf

Interestingly, the commented out ‘Default Value’ line for the ‘ARI Password’ in the amportal.conf file shows a DIFFERENT value for my 2 systems, however, the actual un-commented FPBX_ARI_PASSWORD value is the SAME on both - Does this indicate that value has been changed on both system at some point ?

The content of amportal.conf is not really relevant, it’s no longer used by FreePBX, but remains as a legacy only for old third party integrations that parse it’s content for passwords and such. I’m not sure under what circumstances you end up with commented out ari passwords there.

ok, it does match the CLI response, so I guess its kept in sync ?

That section of the file has commented headings, each with a commented ‘Default Value’ line after (which are different across my 2 systems), then the actual live value line after that (which are the same across my 2 systems).

I only mentioned this because there was some debate earlier in this thread about whether the value in that file was the actual freepbxuser password in plain text (& a way to see an unencrypted version of the one in /etc/asterisk/ari_additional.conf) & these files on my systems seem to suggest that it is.

How I can change ARI password correct??
My pass on

fwconsole setting FPBX_ARI_PASSWORD
Setting of “FPBX_ARI_PASSWORD” is (text)[136…10d3]

So where are we with all this? I don’t see any of the impacted people providing more details about their setups. Anyone have logs of what happened? @lgaetz Have others provided you with the ARI password details yet?

New version out…

– Inactive Stasis app ‘HeyNigga’ missed message

What logs can I send to end this?

Just found this in the full log from the 10th
[2023-02-10 03:30:02] NOTICE[149259] ari/ari_websockets.c: Problem occurred during websocket write to 23.94.237.197:62231, websocket closed
repeating.
Looks like it started on the 6th but wasn’t giving the missed message until the weekend

Yes, same attack I believe - They attacked 2 of my systems last weekend (04-Feb), each of the system had 2 malicious connections & one of the instances had this name also.

I think with each connection they can either re-activate the original ‘hey’ stasis app (if it’s dormant), or start a new one with a different name.

You can use the following command to expose the start/end times of each instance;

grep 'Creating Stasis app\|Activating Stasis app\|Deactivating Stasis app' /var/log/asterisk/full*

image

Please note that the following Stasis Apps might exist if you have Zulu installed/running (ie. If so, these are part of FreePBX & not malicious) & get stopped/started during a reboot - These are NOT instances of this attack;

  • bridges-handler
  • zulu-desktop-call-processing
  • zulu-mobile-call-answer-processing
  • zulu-mobile-call-push-processing

You can also see if/what ARI related Apps are still there using the following command;

asterisk -x "stasis show topics" | grep 'ari:'

image

NB. If you copy/paste the above commands, you might have to overtype the single/double quotes in your CLI, as this Web Page changes those chars to something you CLI might complain about.

QFT
Use backquotes to prevent the forum from butchering.

Thanks for the heads-up on those web formatting issues when posting CLI commands - I’ve edited my post to use ‘Preformatted text’ instead of ‘blockquote’

Curious. Did anyone who doesn’t have Zulu installed get hacked?
Looked today at a v15 that doesn’t have Zulu/SangomaConnext (not super updated) and jt doesn’t have any of these ARI apps:

^Also curious what the first one is.

My appliances are PBXact & so Zulu/SangomaConnect is bundled & used, therefore enabled (Zulu not so much now that the SangomaConnect Apps have evolved somewhat.

@wwenthin and @MAWalker new hacks means this time you should have logs. We need to see logs from /var/log/asterisk/full and anything else like message/syslogs, etc around the time of the hacks.

You guys did check your systems right? I mean you checked to see if there was anything else fishy on them? If these bad actors actually got access in some way, they could have left something on the system that calls home for them and opens up a hole in firewalls.

Or if they are really clever, I mean cleverer than us, they might have left nothing :wink:

Or you know, they modify existing files or add files to places that look like they belong there but don’t. Both of those cases have happened with past exploits. Hiding in plain sight is quite clever too. :thinking:

I never said I had ‘new hacks’ !!!

I simply explained that one of the original malicious ARI connections that I experienced used the App name that @wwenthin referred to as a ‘new version’ - I also suggested that it wasn’t a ‘new version’ of this attack, but the same attack, they just used a different App name in some instances.

In my case, the only WebRTC port I originally had exposed was 8089, which I assume is what they used, but I disabled that as soon as I found out about the attack 1-week ago & I’ve NOT had any additional connections like this since.

I feel like we’ve been over this already.

I already showed the log entries for one of the original malicious connections I experienced (which happened on 04-Feb) earlier in this thread, the other malicious connections didn’t show anything different, just more of the same. It’s been over a week now, for me & so the original log entries are being/have rotated away. I’ve not seen anyone else’s log entries during their attacks, not sure if/what they might show different to mine.

Here is my submission again

Screenshots of a few lines is not really what we would be looking for. Unfortunately, this was reported roughly a month ago by people and in that time only about 10-ish users have reported this problem. Nothing so far has shown any link between them in regards to FreePBX configuration or anything. We’ve asked for more information and pretty much 90% of the users reporting this issue have gone silent.

Makes all this very hard to sort out.

One interesting aspect on the systems I investigated was that the attacker did not appear to attempt any calls. So at first I thought it was some sort of way to collect information from FreePBX and exfiltrate it from the system.

To address the points made by @BlazeStudios and @dicko, as you may remember, I have had the unfortunate privilege of digging into a few annoying hacks and thus have some pretty good ideas of where to look for scripts and cron entries that don’t belong. Here I found nothing. Of course I could be overlooking something cleverly hidden, but in the past the hacks left an obvious mess and I don’t see why the usual PBX-hacking thugs would be so much more sophisticated in hiding their work this time.

Those were ALL the log entries for during the life of that particular Connection/Stasis App. I did offer to look elsewhere for additional information, but no-one offered any suggestions of where/what to look for.

I think you mentioned potential log entries that might relate to the [freepbxuser] password being changed via some external utility, but I couldn’t find any references to that on my systems.

In my cases, across 2 different PBXact systems (both with 8089 open at the time), they appeared to be repeatedly attempting to dial the following Tel No;

Tel-No: 0039 0975 1 960598 ← 0975 = Sala Consilina, Italy (Province of Potenza)

The question still remains if/how they were able to authenticate with the built-in [freepbxuser] account (the only ARI account on my systems) which has a long/complex password. It’s also curious that this appears to be the same PW on both my affected systems & @dicko suggested he had the same one on some of his.

Was the password accessible somehow OR are there a set of commonly used/known ones across different FreePBX/Asterisk installations, if so can the default be changed without breaking something within FreePBX.

@lgaetz has asked for affected people to send him their PW’s to see how many duplicates he can find - It’ll be interesting to know the results of that (I hope a decent number of affected people have made a submission to him)