Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Sign up Log in
Products
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

advice after anonymous access allowed rampant page and draft creation

Andy Holt
Andy Holt
Contributor
June 19, 2024

We have discovered a Confluence space that accidentally had the EDITSPACE permission allowed for anonymous users.  Doh.

Spammers found this and added >2000 pages.  This isn't so bad.

However, web crawlers did web crawler things, and hit the Create Page button approximately 750k times, mostly with URLs like this:

https://confluence.example.com:443/pages/createpage.action?fromPageId=240222349&spaceKey=EXT

We can see some of these pages, by using the ID in the URL, and they show with title $helper.page.title.

 

The overall size of our database (AWS RDS Aurora PostgreSQL) went from ~20 GB to ~110 GB due to this.

In particular, the confancestors table was previously around 87 MB and is now 84 GB (1000x times increase).  That table now has 777 million rows (was about 700k rows).

The space only had a few pages before this started, so I am happy to move those, and then blow away the space entirely.  However, on a test clone of our production system, I have initiated an entire space removal, which gets stuck at 2% with an ever-increasing 'Time Remaining'.  While this runs, the size of the confancestors table again grows rapidly (added another 30 GB when left running for 1 day), although the row count does not change.

Any advice on a better recovery / removal strategy ?

Answer
Watch
Like # people like this
478 views

3 answers

2 votes
Kristian Klima
Kristian Klima
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
June 19, 2024

Hi @Andy Holt and sorry for liking your post. OMG....

Seriously, though.

To save your pages, you can use the customize option in space export menu - export just your pages as an XML file, and once you delete the space, reimport it back.

If space deletion doesn't work, you can try to delete the root page with the 'delete child pages option'. 

 

Then you can try using Confluence API and script your way out or you can try a marketplace app:

I found these resources...

Back in day, after a huge migration of thousands of docs to a Confluence Server environment, the team I work with ran a cleanup and I'm pretty sure they did not do that manually (we're talking hundreds if not thousands of spaces).


EDIT: On Cloud, those drafts end up in 'undefined' section of the space settings (next to Archive, Trash...) I've not worked with server for over 2 years now but again, this might be a clue...

Reply
1 vote
Andy Holt
Andy Holt
Contributor
June 28, 2024

Atlassian support have been very helpful (thank you Shekhar!).

Mostly, this has involved using resolution 2 from this KB article.  It's basically, stop Confluence, run a bunch of SQL queries to manually remove the space, clear out the node's index files, restart Confluence, let it automatically rebuild the index (I did not know it did this!) and lastly trigger the scheduled job to repair (rebuild in this case) the confancestors table.

Result, a much smaller, quicker, happier Confluence service.  But that's been two weeks' work for me! :)

View More Comments
Kristian Klima
Kristian Klima
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
June 28, 2024

YAY! Glad to hear that @Andy Holt .

Maybe it's time to look for a solution that will allow you to make your content public without opening your Confluence spaces to anonymous access :) 

Like
Andy Holt
Andy Holt
Contributor
June 28, 2024

Anon read was always the intent in this space, just not anon edit! :-)

Like
Kristian Klima
Kristian Klima
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
June 28, 2024

The road to hell hell is paved with good permissions intentions :) 

Humans see (a setting), humans do (play with the setting).

Stay safe!

 

Like
Reply
1 vote
Nicolas Grossi
Nicolas Grossi
Banned
June 19, 2024

@Andy Holt You can't recover a backup "before the attack" and change the edit permission on that space and put it back online ?

 

Nicolas

View More Comments
Andy Holt
Andy Holt
Contributor
June 19, 2024

Would be nice - but it was in Sept 2023. Doh (again).

Like
Darryl Lee
Darryl Lee
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
June 20, 2024

Wait... wait. You have AWS RDS Aurora PostgreSQL.

Did you explicitly disable automated backups/snapshots? :-{

Oh wait... that's not possible. But I guess you could've reduced retention period to 1 day.

Their docs say:

  • You can't disable automated backups on Aurora. The backup retention period for Aurora is managed by the DB cluster.

 

Like Dave Liao likes this
Andy Holt
Andy Holt
Contributor
June 21, 2024

No, I haven't disabled automated backups.  It's true that we don't have them going back that far, but what I meant was, there's no way we would wind back our Confluence that far (even if we had backups that old), and lose all the work between Sept 2023 and now across all spaces.

Thanks for reading my tale of woe though. :-)  I'm now getting help from Atlassian support with removing the space anyway.

Like # people like this
Darryl Lee
Darryl Lee
Community Leader
Community Leader
Community Leaders are connectors, ambassadors, and mentors. On the online community, they serve as thought leaders, product experts, and moderators.
Become a leader
June 21, 2024

Ohhhh, the incident occurred in Sept 2023 and you didn't notice the additional disk usage until now? Ouch.

I understand the problem now, and am glad to hear Atlassian is helping out.

Like # people like this
Andy Holt
Andy Holt
Contributor
June 25, 2024

Interesting point.  Our disk monitoring has (so far!) focussed on things liable to run out of space.  Aurora DBs can grow without hitting a limit, so, well, yeah ...  We will be monitoring for unexpected growth from now on.  ;-)

Like
Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
DEPLOYMENT TYPE
SERVER
VERSION
8.5.5
TAGS
AUG Leaders

Atlassian Community Events

    See all events