You can see others' tales of woe in this question: https://community.atlassian.com/t5/Confluence-questions/No-access-to-Conlfuence-Webpage-100-CPU-usage-from-quot-dbused/qaq-p/1793393?utm_source=atlcomm&utm_medium=email&utm_campaign=immediate_general_answer&utm_content=topic
Steps included:
- Shut down Confluence
- Apply the bugfix patch
- Remove all cron jobs, located in /var/spool/cron/crontabs and /var/spool/cron/atjobs
- Remove suspicious files in /tmp
- Kill the dbused process, via kill -9 [pid]
- Start Confluence
For the specific question about the payload, it is hard to pinpoint - because there could be different kinds of malware out in the wild. However, what was reported up to now was that it was some kind of crypto miner with lateral movement capabilities.
Reading what the malware is capable of, there are signs it tends to "come back" (leaving some backdoors). The specific 'miner' is also reported to make connections to other systems via SSH - in case there is ANY sign of a hack, it might be needed to check connected systems, too.
If you are confident there are signs of a compromise, it could be absolutely beneficial to reinstall the server and just bring back a clean Confluence installation plus its attachments (along with the configuration) - just to make sure you get a system again that you can trust.
Regards,
Daniel
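As an added illustration of the checklist above (this is example code, not something posted in the thread or shipped by Atlassian), the following read-only triage script reports on the artefact classes Daniel names - cron/at spool entries, executable files in /tmp, a process called dbused, and SSH authorized_keys that could support the reported SSH lateral movement - without deleting anything, so evidence survives for later review. The spool paths and the process name come from the post; the fixture it builds for the demo is entirely constructed, and the `TRIAGE_ROOT` variable and all function names are this example's own.

```shell
#!/bin/sh
# Read-only triage helper for a suspected Confluence host compromise.
# Added example, not code from the thread: it only reports the artefact classes
# named in the checklist (cron/at spool entries, files in /tmp, a process called
# "dbused", and SSH authorized_keys that could enable the reported SSH lateral
# movement). It deletes nothing, so evidence is preserved for later review.
# All checks take a root directory, so the same functions run against a live
# host (TRIAGE_ROOT=/) or against the constructed fixture built by make_fixture.

# Print "file: line" for every non-comment, non-blank line in the cron and at
# spool directories the checklist names (paths relative to the given root).
list_cron_entries() {
    root="$1"
    for spool in var/spool/cron/crontabs var/spool/cron/atjobs; do
        [ -d "$root/$spool" ] || continue
        find "$root/$spool" -type f | while read -r f; do
            grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$f" | while read -r line; do
                printf '%s: %s\n' "$f" "$line"
            done
        done
    done
}

# Print regular files under /tmp with the owner-execute bit set; a miner dropped
# in /tmp normally has to be executable to run, unlike ordinary temp files.
list_exec_tmp_files() {
    root="$1"
    [ -d "$root/tmp" ] || return 0
    find "$root/tmp" -type f -perm -100
}

# Print the PID of every process whose /proc/<pid>/comm equals the given name
# (e.g. dbused). Reading comm relative to the root keeps this usable on a fixture.
find_procs_named() {
    root="$1"; name="$2"
    for comm in "$root"/proc/[0-9]*/comm; do
        [ -r "$comm" ] || continue
        if [ "$(cat "$comm" 2>/dev/null)" = "$name" ]; then
            pid=${comm%/comm}
            echo "${pid##*/}"
        fi
    done
}

# Print "file: key" for every key in root's and each home user's authorized_keys,
# so unexpected keys (a common SSH persistence / lateral-movement foothold) stand out.
list_authorized_keys() {
    root="$1"
    for ak in "$root"/root/.ssh/authorized_keys "$root"/home/*/.ssh/authorized_keys; do
        [ -f "$ak" ] || continue
        grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$ak" | while read -r key; do
            printf '%s: %s\n' "$ak" "$key"
        done
    done
}

# Run all checks and print a sectioned report for the given root.
triage_report() {
    root="$1"
    echo "== cron/at entries =="; list_cron_entries "$root"
    echo "== executable files in /tmp =="; list_exec_tmp_files "$root"
    echo "== processes named dbused =="; find_procs_named "$root" dbused
    echo "== SSH authorized_keys =="; list_authorized_keys "$root"
}

# Build a constructed fixture (every value here is invented for the demo) that
# mimics the artefacts described in the thread, and print its path.
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/var/spool/cron/crontabs" "$fx/var/spool/cron/atjobs" \
             "$fx/tmp/.cache" "$fx/proc/1" "$fx/proc/4242" \
             "$fx/root/.ssh" "$fx/home/confluence/.ssh"
    printf '# m h dom mon dow command\n*/5 * * * * /tmp/.cache/update.sh\n' \
        > "$fx/var/spool/cron/crontabs/confluence"
    printf '#!/bin/sh\n/tmp/.cache/update.sh\n' > "$fx/var/spool/cron/atjobs/a00001"
    printf 'echo placeholder\n' > "$fx/tmp/.cache/update.sh"
    chmod 700 "$fx/tmp/.cache/update.sh"
    printf 'notes\n' > "$fx/tmp/notes.txt"
    printf 'systemd\n' > "$fx/proc/1/comm"
    printf 'dbused\n' > "$fx/proc/4242/comm"
    printf 'ssh-ed25519 AAAA-PLACEHOLDER-KEY unknown@example\n' > "$fx/root/.ssh/authorized_keys"
    printf '# admin key\nssh-ed25519 AAAA-PLACEHOLDER-KEY2 admin@example\n' \
        > "$fx/home/confluence/.ssh/authorized_keys"
    echo "$fx"
}

if [ -n "${TRIAGE_ROOT:-}" ]; then
    triage_report "$TRIAGE_ROOT"
else
    # No root given: demonstrate against the constructed fixture, then remove it.
    demo=$(make_fixture)
    triage_report "$demo"
    rm -rf "$demo"
fi
```

Run it as `TRIAGE_ROOT=/ sh triage.sh` on the suspect host (ideally from a mounted image rather than the live system) and save the output before any of the removal steps in the checklist, so you can tell afterwards whether the cron entries or the process reappear.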