Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Confluence Stop and no start

WayApp Inc
WayApp Inc April 23, 2019

[confluence@www bin]$ sh start-confluence.sh -fg

executing as current user

If you encounter issues starting up Confluence, please see the Installation guide at http://confluence.atlassian.com/display/DOC/Confluence+Installation+Guide

 

Server startup logs are located in /opt/atlassian/confluence/logs/catalina.out

Using CATALINA_BASE:   /opt/atlassian/confluence

Using CATALINA_HOME:   /opt/atlassian/confluence

Using CATALINA_TMPDIR: /opt/atlassian/confluence/temp

Using JRE_HOME:        /opt/atlassian/confluence/jre/

Using CLASSPATH:       /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar

Using CATALINA_PID:    /opt/atlassian/confluence/work/catalina.pid

23-Apr-2019 13:03:16.937 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server} Setting property 'debug' to '0' did not find a matching property.

23-Apr-2019 13:03:17.381 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'debug' to '0' did not find a matching property.

23-Apr-2019 13:03:17.422 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine} Setting property 'debug' to '0' did not find a matching property.

23-Apr-2019 13:03:17.488 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'debug' to '0' did not find a matching property.

23-Apr-2019 13:03:17.689 WARNING [main] org.apache.tomcat.util.digester.SetPropertiesRule.begin [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'debug' to '0' did not find a matching property.

23-Apr-2019 13:03:19.506 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["http-nio-8090"]

23-Apr-2019 13:03:19.596 INFO [main] org.apache.tomcat.util.net.NioSelectorPool.getSharedSelector Using a shared selector for servlet write/read

23-Apr-2019 13:03:19.623 INFO [main] org.apache.catalina.startup.Catalina.load Initialization processed in 3127 ms

23-Apr-2019 13:03:19.759 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service Tomcat-Standalone

23-Apr-2019 13:03:19.759 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Starting Servlet Engine: Apache Tomcat/8.0.39

Killed

[confluence@www bin]$

Answer
Watch
Like Be the first to like this
675 views

4 answers

0 votes
Diego
Diego
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 23, 2019

Hello there! Thanks for providing your logs. As I understand, your application tries to come up and is killed right after. Is that correct?

Based on your symptoms, it sounds like your instance might be affected by an opportunistic attack against the CVE-2019-3396 Widget Connector vulnerability from March 20th (see Confluence Security Advisory - 2019-03-20). We've seen an infection going around that injects malware and the bitcoin miner it tries to run uses all the CPU available on the box. Initially the kerberods malware was being deployed as the payload, but other attacks might be trying to inject different payloads.

I'd recommend tackling things in this order:

  1. Kill malicious processes
  2. Clean up your crontab
  3. Upgrade Confluence
  4. Use a malware scanner to find remaining malware traces

Malicious processes

The top command will help you find processes (probably running under the confluence user account) that are consuming a large amount of CPU. If Confluence is currently stopped, you can probably plan on killing any processes running as the confluence user. note the process ID (pid) from the top output and then kill the process using kill -9 followed by the pid. Example:

sudo kill -9 12395

Clean up your crontab

Since most malware adds a cronjob that relaunches the malware every few minutes, you'll also need to check the crontab file and remove any suspicious-looking entries. For Ubuntu, this is stored in the /var/spool/cron/crontabs/ directory. Normally you should use the crontab command to edit the crontab, but for cleanup purposes we'll be inspecting the file for any pre-existing entries.

Using vim (or whichever text editor you're comfortable with), you'll open the file and remove suspicious-looking jobs.

sudo vim /var/spool/cron/crontabs/confluence

Confluence comes up on system startup through the SysV/systemd daemons, so we would expect the confluence user's crontab to not exist under normal circumstances. It's most likely the case that any entries in this file are malicious, but make sure you check them before deleting them entirely.

Upgrade Confluence

Once your CPU is under control and new malicious process aren't spawning, you need to upgrade Confluence to a version that isn't affected by the vulnerability. I'd recommend looking at one of these versions (latest releases as of this post):

Use a malware scanner

Finally, you need to clean up any remaining traces of malware on your system. The LSD malware cleanup tool will be useful for removing the Kerberods malware. Other malware payloads might need different cleanup tools depending on which attack and payload were used. A good starting place for detecting other types of infections are the scanners linked here. Once a particular infection is identified, googling for "____ removal tool" is a good place to start if the scanner was unable to remove the malware automatically.

Reply
0 votes
JP _AC Bielefeld Leader_
JP _AC Bielefeld Leader_
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
April 23, 2019

Which Confluence version are you using? You might have been hacked...

https://community.atlassian.com/t5/Confluence-questions/Confluence-process-killed-at-startup/qaq-p/1058018

Best

JP

Reply
0 votes
WayApp Inc
WayApp Inc April 23, 2019

/opt/atlassian/confluence/bin/catalina.sh: line 575:  2887 Killed                  "/opt/atlassian/confluence/jre//bin/java" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Djava.endorsed.dirs="/opt/atlassian/confluence/endorsed" -classpath "/opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar" -Dcatalina.base="/opt/atlassian/confluence" -Dcatalina.home="/opt/atlassian/confluence" -Djava.io.tmpdir="/opt/atlassian/confluence/temp" org.apache.catalina.startup.Bootstrap configtest

Configuration error detected!

Reply
0 votes
WayApp Inc
WayApp Inc April 23, 2019

If you encounter issues starting up Confluence, please see the Installation guide at http://confluence.atlassian.com/display/DOC/Confluence+Installation+Guide

 

Server startup logs are located in /opt/atlassian/confluence/logs/catalina.out

Using CATALINA_BASE:   /opt/atlassian/confluence

Using CATALINA_HOME:   /opt/atlassian/confluence

Using CATALINA_TMPDIR: /opt/atlassian/confluence/temp

Using JRE_HOME:        /opt/atlassian/confluence/jre/

Using CLASSPATH:       /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar

Using CATALINA_PID:    /opt/atlassian/confluence/work/catalina.pid

Server version: Apache Tomcat/8.0.39

Server built:   Nov 9 2016 08:48:39 UTC

Server number:  8.0.39.0

OS Name:        Linux

OS Version:     4.14.33-51.37.amzn1.x86_64

Architecture:   amd64

JVM Version:    1.8.0_112-b15

JVM Vendor:     Oracle Corporation

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security