Forums
Home Product Q&A Discussion groups Articles Ask a question Search
Learning
Events
Champions

Forums

Articles
Create
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Product Q&A
See all
Community resources
Top groups
Explore all groups
Community resources
Learn
Community resources
Events
Community resources

Known Confluence vulnerability

Janet Barton
Janet Barton
I'm New Here
I'm New Here
Those new to the Atlassian Community have posted less than three times. Give them a warm welcome!
Get involved
September 8, 2021
Although we upgraded Confluence yesterday, our Confluence on-premises application server was already compromised. I need help in identifying the known payload activities for servers compromised with this vulnerability.
For clarification, this pertains to Confluence CVE-2021-26084 exploit
Answer
Watch
Like Pete P likes this
419 views

2 answers

1 accepted

3 votes
Answer accepted
Robert Wen_Cprime_
Robert Wen_Cprime_
Community Champion
September 8, 2021

You can see others' tales of woe in this question: https://community.atlassian.com/t5/Confluence-questions/No-access-to-Conlfuence-Webpage-100-CPU-usage-from-quot-dbused/qaq-p/1793393?utm_source=atlcomm&utm_medium=email&utm_campaign=immediate_general_answer&utm_content=topic

Steps included:

- Shut down confluence
- Apply Bugfix patch
- removed all cronjobs, located in /var/spool/cron/crontabs and /var/spool/cron/atjobs
- removed suspicious files in /tmp 
- killed dbused process, via kill -9 [pid]
- Start confluence

Reply
0 votes
Daniel Ebers
Daniel Ebers
Rising Star
Rising Star
Rising Stars are recognized for providing high-quality answers to other users. Rising Stars receive a certificate of achievement and are on the path to becoming Community Leaders.
Get recognized
September 16, 2021

Hi @Janet Barton

for the specific question to the payload it is hard to pinpoint it - because there could be different kinds of malware out in the wild. However, what was reported up to now was that is was some kind of crypto miner with lateral movement capabilities.

Reading what the malware is capable of there are signs it tends to "come back" (leaving some backdoors). The specific 'miner' is also reported to make connections to other systems via SSH connections - in case there is ANY sign of hack it might be needed to check connected systems, too.

If you are confident there are signs of a compromise it could be absolutely beneficial to reinstall the server and just to bring back a clean confluence installation + their attachments (alongside with configuration) back - just to prove you get a system again that you can trust.

Regards,
Daniel

Reply

Suggest an answer

Log in or Sign up to answer
Confluence
Confluence
TAGS
AUG Leaders

Atlassian Community Events

    See all events
    Community
    Forums
    FAQs Forums guidelines
    Learning
    About learning Resources
    Events
    Champions
    Copyright © 2025 Atlassian
    Privacy Policy Notice at Collection Terms Security