I just upgraded Confluence DC to 8.3.4 from 8.3.3 yesterday (3/Nov/2023).
Then I found a plugin named "Web Shell Plugin" in the user-installed apps.
I did not install this plugin manually.
I am not sure whether it was in the apps list when Confluence DC was 8.3.3.
Is it an Atlassian plugin within Confluence DC itself? It seems like malware.
It's not a free plugin. I just disabled it.
And it's not a valid URL when I click "buy now".
I could not find this plugin in the Atlassian Marketplace.
Has my Confluence instance been hacked?
We were attacked last Friday, 03/11. Confluence had been on 8.5.2 for one week (upgraded from 7.18). This Monday morning Confluence seemed to have been reset. Normally we use a plugin with Refined, but not at this time: it showed the clean blue design of Confluence. We are unable to log in (usually it's SSO via AAD). After checking the log we detected these lines:
2023-11-03 08:52:25,223 ERROR [http-nio-8090-exec-6 url: /json/setup-restore.action] [confluence.importexport.actions.SetupRestoreAction] validate Could not locate the backup you wish to restore:
It was made by an attacker; the hacker reset our instance. We restored from a backup from Thursday 02/11 and immediately upgraded to the 8.5.3 fixed version. We only lost one day of data (Friday).
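As an added example (not part of the original thread), the following script scans Confluence application log lines of the shape quoted above and reports every request that hit the setup-restore endpoint, together with the first and last timestamp so the compromise window can be compared against the last clean backup. The log line from the post is used as one of the constructed sample inputs; the other sample lines, the regex and the list of suspicious paths are assumptions made for this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Regex for Confluence application log lines (atlassian-confluence.log) in the
# shape quoted in the thread. The " url: ..." part only appears on request
# threads, so it is optional. Assumption: other lines follow the same layout.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) "
    r"(?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]\s]+)(?: url: (?P<url>[^\]]+))?\] "
    r"\[(?P<logger>[^\]]+)\] "
    r"(?P<msg>.*)$"
)

# Request paths that should never be hit on an instance that has already
# completed setup. Only the path seen in the thread is listed; extend as needed.
SUSPICIOUS_PATHS = ("/json/setup-restore.action",)


@dataclass
class LogEntry:
    ts: str
    level: str
    thread: str
    url: Optional[str]
    logger: str
    msg: str


def parse_line(line: str) -> Optional[LogEntry]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return LogEntry(
        ts=m.group("ts"),
        level=m.group("level"),
        thread=m.group("thread"),
        url=m.group("url"),
        logger=m.group("logger"),
        msg=m.group("msg"),
    )


def find_restore_attempts(lines: Iterable[str]) -> List[LogEntry]:
    """Return every parsed entry whose request URL is one of the suspicious paths."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None or entry.url is None:
            continue
        # Compare on the path only, ignoring any query string the URL may carry.
        path = entry.url.split("?", 1)[0]
        if path in SUSPICIOUS_PATHS:
            hits.append(entry)
    return hits


def compromise_window(hits: List[LogEntry]) -> Optional[tuple]:
    """First and last timestamp among the hits, or None when there are no hits."""
    if not hits:
        return None
    stamps = sorted(h.ts for h in hits)
    return stamps[0], stamps[-1]


# Constructed sample input. The third line is the one quoted in the thread;
# the others are made up for this example and represent normal traffic.
SAMPLE_LOG = [
    "2023-11-03 08:50:01,001 INFO [Caesium-1-2] [confluence.util.index.IndexManager] run Index flush complete",
    "2023-11-03 08:51:10,500 WARN [http-nio-8090-exec-3 url: /rest/api/content] [atlassian.confluence.rest.Example] get Slow query",
    "2023-11-03 08:52:25,223 ERROR [http-nio-8090-exec-6 url: /json/setup-restore.action] [confluence.importexport.actions.SetupRestoreAction] validate Could not locate the backup you wish to restore:",
    "this line is not in the expected layout and is skipped",
]

if __name__ == "__main__":
    found = find_restore_attempts(SAMPLE_LOG)
    for h in found:
        print(f"{h.ts} {h.thread} {h.url} -> {h.msg}")
    print("window:", compromise_window(found))
```

Run it against the real atlassian-confluence.log (and its rotated copies) rather than the sample; any hit on the setup-restore endpoint on an instance that was already set up is evidence of the attack described in the thread, and the window it reports tells you which backup predates the first attempt.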
Same thing for us; Confluence 8.5.2 was not fixed for the security issue.
If you are running into a similar issue like @Julian from AF, I would suggest the following solution:
1> Recover a new admin password; you can check here (https://www.cnblogs.com/zdxster/p/5345215.html). For version 8.5.2, please use PKCS5S2. Also use Google Translate for this Chinese site.
2> Restore immediately from your latest backup.
3> Upgrade to 8.5.3 immediately.
Also, we use Cloudflare for Confluence; we put more restrictions on the IP ranges allowed to access it and on other types of access. (For the Cloudflare config, please check here: https://lastcallmedia.com/blog/how-use-cloudflares-free-flexible-ssl-jira-and-confluence-server-apache-and-proxypass)
Hope it would help.
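As an added example for step 1 above (not code from the thread or from Atlassian), here is how to produce and verify a credential in the PKCS5S2 form the post mentions, so a replacement admin password can be written into the internal directory. The example assumes the format is PBKDF2-HMAC-SHA1 with 10000 iterations, a 16-byte salt and a 32-byte derived key, base64-encoded as salt followed by key and prefixed with "{PKCS5S2}"; the table and column names in the SQL helper (cwd_user, credential, user_name) are also assumptions and should be checked against your own database before running anything.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumed PKCS5S2 parameters (see lead-in): PBKDF2-HMAC-SHA1, 10000 rounds,
# 16-byte salt, 32-byte key, stored as {PKCS5S2}base64(salt || key).
PREFIX = "{PKCS5S2}"
ITERATIONS = 10000
SALT_LEN = 16
KEY_LEN = 32


def encode_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a PKCS5S2-style credential string for the given password.

    A random salt is generated unless one is supplied (a fixed salt is only
    useful for tests; never reuse a salt for real credentials).
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    if len(salt) != SALT_LEN:
        raise ValueError(f"salt must be {SALT_LEN} bytes")
    key = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return PREFIX + base64.b64encode(salt + key).decode("ascii")


def verify_password(password: str, encoded: str) -> bool:
    """Check a password against a stored PKCS5S2 credential (constant-time compare)."""
    if not encoded.startswith(PREFIX):
        return False
    try:
        raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != SALT_LEN + KEY_LEN:
        return False
    salt, expected = raw[:SALT_LEN], raw[SALT_LEN:]
    key = hashlib.pbkdf2_hmac(
        "sha1", password.encode("utf-8"), salt, ITERATIONS, dklen=KEY_LEN
    )
    return hmac.compare_digest(key, expected)


def reset_credential_sql(username: str, new_password: str) -> Tuple[str, Tuple[str, str]]:
    """Build a parameterised UPDATE for the internal user directory.

    Returns (statement, params) for use with a DB-API cursor. Table and column
    names are assumptions for this example; verify them against your schema.
    The statement is returned rather than executed so it can be reviewed first.
    """
    statement = "UPDATE cwd_user SET credential = %s WHERE user_name = %s"
    return statement, (encode_password(new_password), username)


if __name__ == "__main__":
    cred = encode_password("example-only-password")
    print(cred)
    print("verify:", verify_password("example-only-password", cred))
    sql, params = reset_credential_sql("admin", "example-only-password")
    print(sql, params)
```

After updating the row, restart Confluence so the cached credential is dropped, and treat the reset as a stopgap: the instance was still compromised, so it must be restored from a clean backup and upgraded (steps 2 and 3) before it is put back online.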
Yes, it was an attack, and from the look of it a successful one, so you should probably get in touch with Atlassian support as soon as possible.