Are you in the loop? Keep up with the latest by making sure you're subscribed to Community Announcements. Just click Watch and select Articles.

Showing results for 
Search instead for 
Did you mean: 
Sign up Log in

Earn badges and make progress

You're on your way to the next level! Join the Kudos program to earn points and save your progress.

Deleted user Avatar
Deleted user

Level 1: Seed

25 / 150 points

Next: Root


1 badge earned


Participate in fun challenges

Challenges come and go, but your rewards stay with you. Do more to earn more!


Gift kudos to your peers

What goes around comes around! Share the love by gifting kudos to your peers.


Rise up in the ranks

Keep earning points to reach the top of the leaderboard. It resets every quarter so you always have a chance!


A plugin named "Web Shell Plugin" in Confluence DC user installed apps, is it a malware?


I just upgrade Confluence DC to 8.3.4 from 8.3.3 yesterday. (3/Nov/2023)

Then I find a plugin named "Web Shell Plugin" in user-installed apps.

I did not install this plugin manually.

I am not sure whether it is in the apps list, when Confluence DC is 8.3.3.


Is it a Atlassian plugin within Confluence DC itself? It seems a malware.


It's not a free plugin. I just disabled it.

And it's not a valid url when I click "buy now".

I could not find this plugin in Atlassian Marketplace.



Has my Confluence instance been hacked?


4 answers

1 accepted

I checked the audit log in admin console.

There are some unusual "permission added" records in the log.

And the plugin was installed by someone unexpected.




So we could check the audit log to find evidence.




we were attacked last friday 03/11. Confluence was in 8.5.2 since one week (upgraded from 7.18). This monday morning confluence seems to be reseted. Normally we use a plugin with Redifined and not at this time. The clean blue design of Confluence. We are unable to login (usually it's SSO by AAD) After checking the log we detected theses lines : 

2023-11-03 08:52:25,223 ERROR [http-nio-8090-exec-6 url: /json/setup-restore.action] [confluence.importexport.actions.SetupRestoreAction] validate Could not locate the backup you wish to restore:

Was made by an attacker, the hacker reseted our instance. We restored from a backup from thursday 02/11 and immediatly upgraded to 8.5.3 fixed version... We only lost one day of data (friday).

Henry Nguyen
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Nov 14, 2023

Same thing for us, Confluence 8.5.2 was not fixed for the security issue.

If you running similar issue like @Julian from AF , I would suggest a solution as following:

1> Recover new Admin password, you guys can check at here (, for 8.5.2 version, please use PKCS5S2 . Also use google translate for this Chinese site. 

2> Restore immediately from your latest backup.

3> Upgrade to 8.5.3 immediately

Also, we use Cloudflare for Confluence, we make more restrictions on IPs range to access and other type of access. (Config for Cloudflare, please check it here:

Hope it would help.

Hello Michael,

yes, it was an attack, and from the look of it, a sucessfull one so you should probably get in touch with the atlassian support as soon as possible.

see "" for more information


Hi, @Michael Krause 

Yes, u r right.

I noticed this security issue, so I upgraded Confluence from 8.3.3 to 8.3.4.

0 votes
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Nov 04, 2023

It seems not like a normal app the best to do is uninstall it.


It's a normal plugin providing web shell function.

But it‘s installed by hacker, so I have uninstalled it.

Thanks, ROC!

Suggest an answer

Log in or Sign up to answer
AUG Leaders

Atlassian Community Events