Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

A plugin named "Web Shell Plugin" in Confluence DC user installed apps, is it a malware?

Michael Gates
Michael Gates November 4, 2023

I just upgrade Confluence DC to 8.3.4 from 8.3.3 yesterday. (3/Nov/2023)

Then I find a plugin named "Web Shell Plugin" in user-installed apps.

I did not install this plugin manually.

I am not sure whether it is in the apps list, when Confluence DC is 8.3.3.

 

Is it a Atlassian plugin within Confluence DC itself? It seems a malware.

 

It's not a free plugin. I just disabled it.

And it's not a valid url when I click "buy now".

I could not find this plugin in Atlassian Marketplace.

webshellplugin.jpg

 

Has my Confluence instance been hacked?

 

Answer
Watch
Like Be the first to like this
2634 views

4 answers

1 accepted

0 votes
Answer accepted
Michael Gates
Michael Gates November 4, 2023

I checked the audit log in admin console.

There are some unusual "permission added" records in the log.

And the plugin was installed by someone unexpected.

 

Snipaste_2023-11-04_17-53-30.jpg

 

So we could check the audit log to find evidence.

 

Thanks!

Reply
0 votes
Julian from AF
Julian from AF November 9, 2023

Hello,

we were attacked last friday 03/11. Confluence was in 8.5.2 since one week (upgraded from 7.18). This monday morning confluence seems to be reseted. Normally we use a plugin with Redifined and not at this time. The clean blue design of Confluence. We are unable to login (usually it's SSO by AAD) After checking the log we detected theses lines : 

2023-11-03 08:52:25,223 ERROR [http-nio-8090-exec-6 url: /json/setup-restore.action] [confluence.importexport.actions.SetupRestoreAction] validate Could not locate the backup you wish to restore:

Was made by an attacker, the hacker reseted our instance. We restored from a backup from thursday 02/11 and immediatly upgraded to 8.5.3 fixed version... We only lost one day of data (friday).

View More Comments
Henry Nguyen
Henry Nguyen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 14, 2023

Same thing for us, Confluence 8.5.2 was not fixed for the security issue.

If you running similar issue like @Julian from AF , I would suggest a solution as following:

1> Recover new Admin password, you guys can check at here (https://www.cnblogs.com/zdxster/p/5345215.html), for 8.5.2 version, please use PKCS5S2 . Also use google translate for this Chinese site. 

2> Restore immediately from your latest backup.

3> Upgrade to 8.5.3 immediately


Also, we use Cloudflare for Confluence, we make more restrictions on IPs range to access and other type of access. (Config for Cloudflare, please check it here: https://lastcallmedia.com/blog/how-use-cloudflares-free-flexible-ssl-jira-and-confluence-server-apache-and-proxypass)

Hope it would help.

Like
Reply
0 votes
Michael Krause
MK November 8, 2023

Hello Michael,

yes, it was an attack, and from the look of it, a sucessfull one so you should probably get in touch with the atlassian support as soon as possible.

see "https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html" for more information

Regards

View More Comments
Michael Gates
Michael Gates November 8, 2023

Hi, @Michael Krause 

Yes, u r right.

I noticed this security issue, so I upgraded Confluence from 8.3.3 to 8.3.4.

Like
Reply
0 votes
ROC
ROC
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
November 4, 2023

It seems not like a normal app the best to do is uninstall it.

View More Comments
Michael Gates
Michael Gates November 6, 2023

Yes!

It's a normal plugin providing web shell function.

But it‘s installed by hacker, so I have uninstalled it.

Thanks, ROC!

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events