Hi Denis,

Given the timeframe you mentioned, what you've described is an active exploit that attacks the CVE-2019-3396 Widget Connector vulnerability from March 20th (see Confluence Security Advisory - 2019-03-20).

The first step in fixing this is upgrading to a Confluence version that is not affected by the vulnerability. The latest releases are:

• 6.6.13 (6.6 is an Enterprise release)
• 6.12.4
• 6.13.4 (6.13 is an Enterprise release)
• 6.14.3
• 6.15.2

Secondly, the LSD malware cleanup tool will be useful for removing the Kerberods malware. I would recommend executing cleanup after upgrading Confluence to a patched version so there's no possibility of re-infection while you work on the upgrade.

Please let me know if you have more questions!
Daniel | Atlassian Support

Hi @Denis ,

Perhaps you should consider reviewing if any of Confluence internal process is causing this increase on CPU load by Generating a thread dump. There is a script you could use to generate a set of thread dumps along with CPU usage, so you could review which thread is consuming the most of CPU.

Open up the CPU files created, get the highest CPU usages and convert them into HEX https://www.binaryhexconverter.com/decimal-to-hex-converter so you can review its representation in THREADs.

The script creates 1 CPU for 1 THREAD, so you should be comparing the timestamps in the files generated. In this way, when converting PID to HEX, you will be comparing information from a THREAD that relates to CPU taken at the same moment.

In case you are unfamiliar with this troubleshooting process, perhaps you should consider getting in touch with Atlassian Support, so they can provide you with assistance on this issue by gathering more information about your system and instance through Confluence Support Zip and others.

Hope the above helps.

Kind regards,
Rafael