Hello! I have Confluence on my server ver. 6.8.
It was hacked somehow and somebody uses it to spam and flood from my server.
How is it possible? I have only atlassian (+nginx) and postgres on the server.
The malware is running as "confluence" user. They changed the crontab and run scripts from pastebin.com.
I agree with your diagnosis that you've been infected specifically with kerberods malware as linked in the other thread, based on the pastebin script that it pulled.
As described in the linked thread that you read, there's a two-step process needed to get this resolved:
Let me know if you have any questions about the upgrade!
Daniel | Atlassian Support
In syslog I see:
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 dbus: [system] Activating via systemd: service name='org.freedesktop.PolicyKit1' unit='polkitd.service'
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 systemd: Starting Authenticate and Authorize Users to Run Privileged Tasks...
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 polkitd: started daemon version 0.105 using authority implementation `local' version `0.105'
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 dbus: [system] Successfully activated service 'org.freedesktop.PolicyKit1'
syslog.3.gz:Apr 12 14:10:21 vm-wiki-01 systemd: Started Authenticate and Authorize Users to Run Privileged Tasks.
syslog.3.gz:Apr 12 14:10:23 vm-wiki-01 crontab: (confluence) REPLACE (confluence)
So I tried to disable polkitd.
Here’s another edition of “What’s New” this month in Confluence Cloud. Quickly (and more easily) adjust permission settings We know that sometimes the layers of space permissions and page restric...
Connect with like-minded Atlassian users at free events near you!Find an event
Connect with like-minded Atlassian users at free events near you!
Unfortunately there are no Community Events near you at the moment.Host an event
You're one step closer to meeting fellow Atlassian users at your local event. Learn more about Community Events