Recover data from version 6.4

marigonda April 14, 2019

Hello

My Confluence server was out of date and got compromised by a payload submitted probably by a worm or some other sort of hacking tool.

Since it's a small box with only three users and I cannot trust in the older box to do a new setup by upgrading it, I decided to rebuild the environment from scratch, using a fresh setup. 

But I'm not even able to set up the new version to use PostgreSQL!!! It seems that there is not such an option anymore... is there?

I have database backups and I cannot afford to copy the application-data directory "as is", I will need to check every file before transferring it...
I'd appreciate if anyone could give me an overview on how to do this.


1 answer

1 vote
Daniel Eads
Atlassian Team
Atlassian Team members are employees working across the company in a wide variety of roles.
April 15, 2019

Hi Joao,

Are you getting a particular error when trying to set up Confluence with PostgreSQL? Worth noting that Confluence currently supports PostgreSQL 9.6 but not the 10 or 11 releases. A full list of supported databases can be found here.

In terms of infected files, it's likely that what you've described is an active exploit that attacks the CVE-2019-3396 Widget Connector vulnerability from March 20th (see Confluence Security Advisory - 2019-03-20). You can use the LSD malware cleanup tool for removing the Kerberods malware. I would recommend executing cleanup after upgrading Confluence to a patched version so there's no possibility of re-infection while you work on the upgrade.

Between the malware removal tool and clamav, I'd think you have a good chance of cleaning the current server (but definitely upgrade Confluence).

Please let me know if you have more questions!
Daniel | Atlassian Support

marigonda April 15, 2019

Hello Daniel

Thanks for your help.

I'm aware that my box was outdated. Fortunately, it was monitored and we could detect and act quickly to stop the threat...

The question I sent here came from the fact that we opted to start from a brand new environment (since this was already a task we intended to execute...). So, I started with a trial setup and the mistake was that I didn't realize that in this mode the system uses an internal database... But after importing my last backup and setting the license into it, a message arose saying that it was going to be necessary to reinstall the system using an external supported database... That's it! Maybe it would be a good idea to rethink this requirement (why not be able to set up PostgreSQL in trial mode?).

About the hack, just in case anyone else experiences such a problem, the payload started a script called watchbog to brute force my root password... It was really difficult to stop it: I had to make a recurrent script to pkill the process and then I realized that by removing the confluence user from the system it was not able to reborn from hell anymore... Once control was taken, I took a look at the user profile and files (confluence user home, setup and app_data folder). It seems that it messed up within the ./plugins-osgi-cache/felix folder content... I do not need any further details, but if you would like to do an investigation I can provide you access to the box...

Thanks again

Joao C. Marigonda

Daniel Eads
Atlassian Team
April 15, 2019

Hi Joao,

Here's a screenshot of the install wizard: [image.png]

The explanation text reads "Choose this option if you want to try Confluence. We'll set up a trial database for you. The embedded database is for evaluation only. Later you'll need to migrate to your own external database."

I can see how this could be overlooked though, as the text is smaller than the header and it's the top option.

We do have a documented process for converting the embedded database to PostgreSQL however! It is documented on this knowledgebase article. Given your server size and that you recently upgraded, instead of step #4 in the article, I would recommend:

  1. Shut down Confluence
  2. Remove the <confluence_home>/confluence.cfg.xml file
  3. Start Confluence - it will run the new installation wizard and let you continue with step #5

This will save you a little time having to create a new directory and running the installer again. Let me know if you have questions about this!


Thank you for providing the extra details about your cleanup steps! This is definitely helpful to hear about and will help other people in the same situation.

Cheers,
Daniel
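As an added example (not Daniel's or Atlassian's script), here is a shell function for the confluence.cfg.xml step above that moves the file aside to a timestamped backup instead of deleting it, and refuses to touch a config that already points at an external database. It assumes Confluence 6.x, where the embedded database URL in confluence.cfg.xml starts with `jdbc:h2:`, and the standard `bin/stop-confluence.sh` / `bin/start-confluence.sh` scripts in the install directory.

```shell
#!/bin/sh
# Added example for the reset-the-wizard procedure; not code from the thread.
# Assumptions: Confluence 6.x with an embedded H2 database whose URL in
# confluence.cfg.xml begins with "jdbc:h2:"; install dir has bin/stop-confluence.sh
# and bin/start-confluence.sh. Default paths below are the installer defaults.

# reset_cfg <confluence_home>
# Returns 0 after moving confluence.cfg.xml to a timestamped .bak file,
# 1 if there is no confluence.cfg.xml, 2 if it already uses an external DB.
reset_cfg() {
    cfg_home="$1"
    cfg="$cfg_home/confluence.cfg.xml"
    if [ ! -f "$cfg" ]; then
        echo "no $cfg - nothing to reset" >&2
        return 1
    fi
    # Safety check: only reset a config that still uses the embedded H2 database.
    if ! grep -q 'jdbc:h2:' "$cfg"; then
        echo "$cfg does not use the embedded H2 database; refusing to remove it" >&2
        return 2
    fi
    bak="$cfg.bak-$(date +%Y%m%d%H%M%S)"
    mv "$cfg" "$bak"
    echo "moved $cfg to $bak; next start runs the setup wizard"
    return 0
}

# The full stop / reset / start sequence; only runs when RUN_MIGRATION=1 is set,
# so sourcing this file does not restart anything by accident.
if [ "${RUN_MIGRATION:-0}" = 1 ]; then
    CONF_INSTALL="${CONF_INSTALL:-/opt/atlassian/confluence}"
    CONF_HOME="${CONF_HOME:-/var/atlassian/application-data/confluence}"
    "$CONF_INSTALL/bin/stop-confluence.sh"
    reset_cfg "$CONF_HOME"
    "$CONF_INSTALL/bin/start-confluence.sh"
fi
```

Run it as `RUN_MIGRATION=1 CONF_HOME=/path/to/home sh reset-cfg.sh`; if the function refuses, the config already references an external database and the wizard step is not the right fix.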
