OpenIndiana Confluence security incident

Our infrastructure went too long without attention. As a result, Confluence was compromised. Confluence runs on w01.openindiana.everycity.co.uk, together with the main site and exim/mailman.

  1. We know that Confluence was compromised (estimated date of infection – Apr 17). The malware was detected on 8 May at about 21:00 UTC. It looked like the one described in https://b4d.sablun.org/blog/2019-04-19-ignoring-atlassian-confluence-security-advisories/ .
    The entry point was a security issue in Confluence – https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html .
    We believe it wasn’t a targeted attack – just some more-or-less stupid bot aiming at Confluence, mining bitcoins (this part didn’t work in the illumos zone, as expected) and perhaps building a botnet.
  2. This zone contains only the mailing list software and the web server; other services were not impacted (the zone has no access to the git repos or packages).

Resolution steps.

  1. The malware was completely removed and the affected plugins were disabled on May 9 at about 4:00 UTC.
  2. Updating to the latest Confluence version took some time, as
    • our Confluence license had expired and I had to contact Atlassian to get a new one;
    • it required updating Apache and the JDK.
  3. The update to Confluence 6.15.4 was completed on May 10 at about 08:00 UTC.

WordPress at openindiana.org was updated to 5.2.

Further steps.

Given that nobody has actually cared enough about this infrastructure server, we suggest the following steps.

  1. Move all valuable information from the wiki to https://docs.openindiana.org and to the docs directory of http://github.com/OpenIndiana/oi-userland/ .
  2. Preserve the wiki for now for development purposes only.
  3. Completely decommission the wiki once the migration to oi-docs is finished.