Known Confluence vulnerability

Janet Barton
I'm New Here
September 8, 2021
Although we upgraded Confluence yesterday, our Confluence on-premises application server was already compromised. I need help identifying the known payload activities for servers compromised with this vulnerability.
For clarification, this pertains to the Confluence CVE-2021-26084 exploit.

2 answers

1 accepted

3 votes
Answer accepted
Robert Wen_Cprime_
Community Champion
September 8, 2021

You can see others' tales of woe in this question: https://community.atlassian.com/t5/Confluence-questions/No-access-to-Conlfuence-Webpage-100-CPU-usage-from-quot-dbused/qaq-p/1793393?utm_source=atlcomm&utm_medium=email&utm_campaign=immediate_general_answer&utm_content=topic

Steps included:

- Shut down Confluence
- Apply the bugfix patch
- Remove all cron jobs, located in /var/spool/cron/crontabs and /var/spool/cron/atjobs
- Remove suspicious files in /tmp
- Kill the dbused process via kill -9 [pid]
- Start Confluence
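A read-only triage helper for the artifacts the accepted answer lists (entries in the cron and at spool directories, recently modified files in /tmp, and a process named dbused). This is an added example, not code from the thread, from the linked question, or from Atlassian. The spool paths and the process name come from the answer above; the "suspicious entry" patterns (/tmp, /dev/shm, curl, wget) are assumed heuristics. It lists instead of deleting, so that evidence survives for review before the cleanup steps are run.

```shell
#!/bin/sh
# Added triage helper (not from the thread). Enumerates the artifacts the
# accepted answer says were found on compromised hosts, without deleting anything.

# Spool directories named in the answer.
CRON_DIRS="/var/spool/cron/crontabs /var/spool/cron/atjobs"
# Process name named in the answer.
MINER_NAMES="dbused"

# Print every non-comment, non-blank line from every file in the given
# cron/at directories, preceded by a "== <file>" header.
# Returns 0 if at least one entry was found, 1 otherwise.
list_cron_entries() {
    found=1
    for d in "$@"; do
        [ -d "$d" ] || continue
        for f in "$d"/*; do
            [ -f "$f" ] || continue
            if grep -v '^[[:space:]]*#' "$f" | grep -q '[^[:space:]]'; then
                echo "== $f"
                grep -v '^[[:space:]]*#' "$f"
                found=0
            fi
        done
    done
    return $found
}

# Count cron/at entries that reference a temp directory or a remote fetch.
# These patterns are assumed heuristics, not indicators from the thread.
count_suspicious_entries() {
    list_cron_entries "$@" | grep -v '^==' | grep -Ec '/tmp/|/dev/shm/|curl |wget ' || true
}

# List regular files under a directory modified in the last N days (default 7),
# staying on one filesystem. Output is for manual review only.
list_recent_files() {
    dir=$1
    days=${2:-7}
    [ -d "$dir" ] || return 1
    find "$dir" -xdev -type f -mtime "-$days" 2>/dev/null
}

# Read "PID COMMAND" lines on stdin (as produced by `ps -eo pid=,comm=`) and
# print the PIDs whose command name is one of the space-separated names in $1.
# Exits 0 if any matched, 1 otherwise.
match_process_names() {
    awk -v names="$1" '
        BEGIN { n = split(names, a, " "); for (i = 1; i <= n; i++) want[a[i]] = 1 }
        $2 in want { print $1; hit = 1 }
        END { exit (hit ? 0 : 1) }'
}

# Run all checks against the live system and report; nothing is modified.
triage() {
    echo "# cron/at entries"
    list_cron_entries $CRON_DIRS || echo "(none)"
    echo "# suspicious-looking entries: $(count_suspicious_entries $CRON_DIRS)"
    echo "# files in /tmp modified in the last 7 days"
    list_recent_files /tmp 7 || echo "(none)"
    echo "# PIDs with a known miner process name ($MINER_NAMES)"
    ps -eo pid=,comm= | match_process_names "$MINER_NAMES" || echo "(none)"
}

# Only touch the live system when explicitly asked: ./triage.sh --live
if [ "${1-}" = "--live" ]; then
    triage
fi
```

Run it as root with `--live` before following the cleanup steps, and keep the output alongside the Confluence logs: the crontab contents and the list of /tmp files are the evidence that tells you what the payload actually did on your host, and they are gone once the entries are removed.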

0 votes
Daniel Ebers
Rising Star
September 16, 2021

Hi @Janet Barton

For the specific question about the payload, it is hard to pinpoint, because there could be different kinds of malware out in the wild. However, what has been reported so far is that it was some kind of crypto miner with lateral movement capabilities.

Reading what the malware is capable of, there are signs it tends to "come back" (leaving some backdoors). The specific 'miner' is also reported to make connections to other systems via SSH; in case there is ANY sign of a hack, it might be necessary to check connected systems, too.

If you are confident there are signs of a compromise, it could be absolutely beneficial to reinstall the server and just bring back a clean Confluence installation plus the attachments (along with the configuration), just to make sure you get back a system you can trust.

Regards,
Daniel
