...
At this point, the server is a crime scene. An attacker is running arbitrary commands as the confluence user, meaning they can access everything in Confluence, regardless of permissions. Think through what your Confluence instance contains. Passwords to external systems? Confidential data about your business? Confidential information about clients? The implications of a breach depend on what confidential information is stored, and the laws of your country. In Australia, you may have legal obligations under the Notifiable Data Breaches scheme, and may want to report the intrusion at https://www.cyber.gov.au/report
The point being, a hacked server represents a problem way beyond your pay grade as a humble system administrator. The response must be at multiple levels:
...
Now everything you see, even ephemeral information like top output, is logged.
Log network activity
...
Oops. The Confluence system was, indeed, out of date, and vulnerable to the 2019-03-20 security vulnerability.
For reference, the kerberods binary I found had signatures:
sha1: 9a6ae3e9bca3e5c24961abf337bc839048d094ed
md5:  b39d9cbe6c63d7a621469bf13f3ea466
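As an added example (not code from the original post), a small POSIX shell scan that hashes every file under a directory and reports any whose SHA-1 or MD5 matches the kerberods signatures above; the function names and the default directory argument are my own choices.

```shell
#!/bin/sh
# Added example: look for files matching the kerberods hashes listed above.
# Hash values are the ones quoted in the post; function names are assumed.

KERBERODS_SHA1="9a6ae3e9bca3e5c24961abf337bc839048d094ed"
KERBERODS_MD5="b39d9cbe6c63d7a621469bf13f3ea466"

# hash_matches FILE SHA1 MD5
# Returns 0 when FILE's sha1 or md5 equals the supplied value, 1 otherwise.
hash_matches() {
    f="$1"; want_sha1="$2"; want_md5="$3"
    [ -f "$f" ] || return 1
    got_sha1=$(sha1sum "$f" | cut -d' ' -f1)
    got_md5=$(md5sum "$f" | cut -d' ' -f1)
    [ "$got_sha1" = "$want_sha1" ] || [ "$got_md5" = "$want_md5" ]
}

# scan_dir DIR [SHA1] [MD5]
# Walks DIR recursively, prints "MATCH: path" for each hit, and returns 0
# if at least one file matched (1 if none did). Defaults to the kerberods
# hashes when no indicator is supplied.
scan_dir() {
    dir="$1"; sha1="${2:-$KERBERODS_SHA1}"; md5="${3:-$KERBERODS_MD5}"
    n=0
    # Here-document keeps the loop in the current shell so $n survives it.
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        if hash_matches "$f" "$sha1" "$md5"; then
            echo "MATCH: $f"
            n=$((n + 1))
        fi
    done <<EOF
$(find "$dir" -type f 2>/dev/null)
EOF
    [ "$n" -gt 0 ]
}

# Typical use on a suspect host: scan the locations the miner tends to live in.
# scan_dir /tmp; scan_dir /var/tmp; scan_dir /usr/local/bin
```

A clean result only proves this particular binary is absent; an attacker with a shell as the confluence user can drop a rebuilt sample with a different hash, so treat the scan as a quick triage check rather than a clean bill of health.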
Application-level vulnerabilities
...