Our infrastructure went too long without attention. As a result, Confluence was compromised. Confluence runs on w01.openindiana.everycity.co.uk, together with the main site and exim/mailman.
- We know that Confluence was compromised (estimated date of infection: Apr 17). The malware was detected on 8 May at about 21:00 UTC. It looked like the one described in https://b4d.sablun.org/blog/2019-04-19-ignoring-atlassian-confluence-security-advisories/ .
The root cause was the Confluence security issue described in https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html .
We believe it wasn't a targeted attack, just some more-or-less stupid bot aimed at Confluence, mining bitcoins (this part didn't work in the illumos zone, as expected) and perhaps building a botnet.
- This zone contains the mailing list software and the web server; other services were not impacted (the zone has no access to the git repositories or the packages).
- The malware was completely removed and the affected plugins were disabled on May 9 at about 04:00 UTC.
- Updating to the latest Confluence version took some time, because
- our Confluence license had expired and I had to contact Atlassian to get a new one;
- it required updating Apache and JDK.
- The update to Confluence 6.15.4 was completed on May 10 at about 08:00 UTC.
WordPress at openindiana.org was updated to 5.2.
Given that nobody has actually cared enough about this infrastructure server, we suggest the following steps.