A plugin named "Web Shell Plugin" in Confluence DC user installed apps, is it a malware?

I just upgraded Confluence DC from 8.3.3 to 8.3.4 yesterday (3/Nov/2023).

Then I found a plugin named "Web Shell Plugin" in the user-installed apps.

I did not install this plugin manually.

I am not sure whether it was already in the apps list when Confluence DC was on 8.3.3.

Is it an Atlassian plugin that ships with Confluence DC itself? It seems like malware.

It's not a free plugin. I just disabled it.

And it's not a valid URL when I click "buy now".

I could not find this plugin in Atlassian Marketplace.

webshellplugin.jpg

Has my Confluence instance been hacked?
4 answers

1 accepted

I checked the audit log in admin console.

There are some unusual "permission added" records in the log.

And the plugin was installed by someone unexpected.

Snipaste_2023-11-04_17-53-30.jpg

So we could check the audit log to find evidence.

Thanks!

Hello,

we were attacked last Friday, 03/11. Confluence had been on 8.5.2 for one week (upgraded from 7.18). This Monday morning Confluence seemed to have been reset. Normally we use a plugin with Refined, but not at this time: just the clean blue design of Confluence. We were unable to log in (usually it's SSO via AAD). After checking the log we detected these lines:

2023-11-03 08:52:25,223 ERROR [http-nio-8090-exec-6 url: /json/setup-restore.action] [confluence.importexport.actions.SetupRestoreAction] validate Could not locate the backup you wish to restore:

This was made by an attacker; the hacker reset our instance. We restored from a backup from Thursday 02/11 and immediately upgraded to the fixed version 8.5.3... We only lost one day of data (Friday).
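The accepted answer above says to look for unexpected "permission added" and plugin-install records in the audit log, and this answer quotes the application log line for the setup-restore request that preceded the reset. The following is an added example (not code from the thread or from Atlassian) that parses lines in the shape of atlassian-confluence.log, flags requests to the setup-restore endpoint, and then uses the time of the first such request to scope a review of audit entries. The sample log and audit entries are constructed; the audit tuple layout, the action names, the `svc_restore` actor and the `EXPECTED_ADMINS` set are assumptions, and matching on the `/json/setup-restore` prefix rather than the exact `.action` path is also an assumption.

```python
import re
from datetime import datetime

# Constructed sample in the shape of atlassian-confluence.log: line 1 is the entry
# quoted in the thread, line 2 is constructed filler for contrast.
APP_LOG = """\
2023-11-03 08:52:25,223 ERROR [http-nio-8090-exec-6 url: /json/setup-restore.action] [confluence.importexport.actions.SetupRestoreAction] validate Could not locate the backup you wish to restore:
2023-11-03 08:53:01,004 INFO [http-nio-8090-exec-2 url: /pages/viewpage.action] [confluence.pages.DefaultPageManager] page viewed
"""

# Constructed audit entries as (time, actor, action, detail); the real Confluence
# audit export has more columns, but these fields carry the check the thread describes.
AUDIT_LOG = [
    ("2023-11-02 17:10:00", "admin", "Permission added", "confluence-users on space DOC"),
    ("2023-11-03 08:57:44", "svc_restore", "Permission added", "confluence-administrators"),
    ("2023-11-03 08:58:10", "svc_restore", "Plugin installed", "Web Shell Plugin"),
]
EXPECTED_ADMINS = {"admin"}  # assumption: accounts that legitimately administer the site
SENSITIVE_ACTIONS = {"Permission added", "Plugin installed"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) (?P<level>[A-Z]+) "
    r"\[(?P<thread>[^\]\s]+)(?: url: (?P<url>[^\]\s]+))?\] "
    r"\[(?P<logger>[^\]]+)\] (?P<msg>.*)$"
)
# Assumption: any /json/setup-restore* request deserves a look (the thread's reset hit it).
SUSPICIOUS_URL_PREFIX = "/json/setup-restore"

def find_setup_restore_hits(log_text):
    # Parse each line and keep (timestamp, url, message) for setup-restore requests.
    hits = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if m and m["url"] and m["url"].startswith(SUSPICIOUS_URL_PREFIX):
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S,%f")
            hits.append((ts, m["url"], m["msg"]))
    return hits

def triage_audit(entries, expected_admins, since=None):
    # Flag sensitive actions by actors outside the expected set, from `since` on if given.
    flagged = []
    for ts_text, actor, action, detail in entries:
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if since is not None and ts < since:
            continue
        if action in SENSITIVE_ACTIONS and actor not in expected_admins:
            flagged.append((ts, actor, action, detail))
    return flagged
```

Passing the timestamp of the first hit from `find_setup_restore_hits` as `since` narrows the audit review to the window after the reset attempt, which is where the unexpected permission and plugin entries from the accepted answer would sit.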

Henry Nguyen
Nov 14, 2023

Same thing for us, Confluence 8.5.2 was not fixed for the security issue.

If you are running into a similar issue like @Julian from AF, I would suggest the following solution:

1> Recover a new admin password; you can check here (https://www.cnblogs.com/zdxster/p/5345215.html). For version 8.5.2, please use PKCS5S2. Also use Google Translate for this Chinese site.

2> Restore immediately from your latest backup.

3> Upgrade to 8.5.3 immediately

Also, we use Cloudflare for Confluence, and we put more restrictions on the IP ranges allowed to access it and on other types of access. (For the Cloudflare config, please check here: https://lastcallmedia.com/blog/how-use-cloudflares-free-flexible-ssl-jira-and-confluence-server-apache-and-proxypass)

Hope it would help.

Hello Michael,

yes, it was an attack, and from the look of it a successful one, so you should probably get in touch with Atlassian support as soon as possible.

See https://confluence.atlassian.com/security/cve-2023-22518-improper-authorization-vulnerability-in-confluence-data-center-and-server-1311473907.html for more information.

Regards

Hi, @Michael Krause 

Yes, you are right.

I noticed this security issue, so I upgraded Confluence from 8.3.3 to 8.3.4.

ROC
Nov 04, 2023

It does not seem like a normal app; the best thing to do is uninstall it.

Yes!

It's a normal plugin providing a web shell function.

But it was installed by the hacker, so I have uninstalled it.

Thanks, ROC!
