Down for maintenence, administrators see /opt/zimbra/status.txt

Bhelf
Posts: 3
Joined: Sun Mar 26, 2023 8:37 pm

Down for maintenence, administrators see /opt/zimbra/status.txt

Post by Bhelf »

Hello,

When attempting to access the web client I am getting the following message:

"Down for maintenence, administrators see /opt/zimbra/status.txt"

Mail is currently working for all domains via SMTP / IMAP and all domains are set to active (checked with zmprov gd domain | grep -i zimbraDomainStatus); furthermore, there is no file at /opt/zimbra/status.txt as mentioned in the message.
Has anybody else experienced this? Doing a search has yielded zero results.

Thank you for any feedback

Edit: We are using version 8.8.10
barrydegraaff
Zimbra Employee
Posts: 242
Joined: Tue Jun 17, 2014 3:31 am
Contact:

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by barrydegraaff »

Yes, I think your server is hacked, as this is not something Zimbra would do out of the box. In addition, you are on a very old, unsupported version of Zimbra that has not received many important security updates.
--
Barry de Graaff
Email: barry.degraaff [at] synacor [dot] com
Admin of Zimbra-Community Github: https://github.com/orgs/Zimbra-Community/ and the
Zimlet Gallery https://gallery.zetalliance.org/extend/
8RydeR
Posts: 14
Joined: Fri Feb 13, 2015 10:02 am
Location: Napoli, Italy
ZCS/ZD Version: installer of zimbra
Contact:

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by 8RydeR »

One more here with the same problem.

release 8.8.11 P4
Eduardo20cm
Posts: 1
Joined: Thu Mar 30, 2023 10:27 pm

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by Eduardo20cm »

Hi, I'm having the same problem. Does anyone know how to resolve it?

8.8.12_GA
muslera
Posts: 1
Joined: Fri Mar 31, 2023 10:43 am

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by muslera »

Same problem
Release 9.0.0_ZEXTRAS_20220713.RHEL7_64_20220705100521 RHEL7_64 FOSS edition.
8RydeR
Posts: 14
Joined: Fri Feb 13, 2015 10:02 am
Location: Napoli, Italy
ZCS/ZD Version: installer of zimbra
Contact:

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by 8RydeR »

we recovered from a backup and updated to 8.8.15_P38
zgokan
Advanced member
Posts: 171
Joined: Sun Apr 17, 2016 8:58 am

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by zgokan »

I have the same situation. Emails are also corrupt. I fixed the login but the emails are corrupt.
thomas.klaube
Advanced member
Posts: 60
Joined: Sat Nov 30, 2013 5:17 am
Location: Stuttgart
ZCS/ZD Version: 8.8.15P33
Contact:

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by thomas.klaube »

Hi all,

This is a very severe thing! The attacker is encrypting all the files in the filesystem. Does anybody know by which exploit this happens? We have a customer with a rather new Zimbra version (8.8.15 P33) and this system was compromised...

P33 fixes _all_ the major bugs and exploits. So this could be a zero day exploit nobody has heard about up until now. This would mean every Zimbra server out there is at risk.

Regards
Thomas
8RydeR
Posts: 14
Joined: Fri Feb 13, 2015 10:02 am
Location: Napoli, Italy
ZCS/ZD Version: installer of zimbra
Contact:

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by 8RydeR »

Code:

[root@zimbraserver ~]# cd /opt/zimbra/
[root@zimbraserver zimbra]# ls
backup  common  config.11943  contrib  db    extensions-extra  index  jetty_base  libexec  logger    postfix  ssl    zimlets           zmstat
bin     conf    config.19732  data     docs  fbqueue           jetty  lib         log      mailboxd  redolog  store  zimlets-deployed
[root@zimbraserver zimbra]# cd store/
[root@zimbraserver store]# ls
0  incoming  README.txt
[root@zimbraserver store]# cat README.txt
Your files have been encrypted with AES military-grade encryption. Our data
recovery and security specialists can help you decrypt your files and secure
your server from hackers. Contact us and we'll provide a decrypter that will
safely and quickly restore your files. Any other attempts to recover your files
will be a waste of your time and money, and risk permanent data loss.  Your
files have been securely encrypted with AES, and the only way to decrypt is by
sending us the contents of the \"BEGIN AGE ENCRYPTED FILE\" block below, which
we can use to create a decrypter for you.

Unlike traditional ransomware groups, we're not asking you to send us money. We
just dislike corporations and economic inequality. We simply ask that you make a
donation to a non-profit that we approve of. It's a win-win, you can probably
get a tax deduction and good PR from your donation if you want.

Our email contact is somos.malas.podemos.ser.peores@protonmail.com
If you don't receive a reply within 24 hours, check your spam folder.

If you still haven't received a reply, use Tor Browser (https://www.torproject.org/download/) to visit:
http://blablabla.onion
there will be posted our current contact information


-----BEGIN AGE ENCRYPTED FILE-----
blablabla
-----END AGE ENCRYPTED FILE-----
[root@zimbraserver store]#
And doing a cat of a message in the store folders, I get encrypted contents, so I think that it's really encrypted.
thomas.klaube
Advanced member
Posts: 60
Joined: Sat Nov 30, 2013 5:17 am
Location: Stuttgart
ZCS/ZD Version: 8.8.15P33
Contact:

Re: Down for maintenence, administrators see /opt/zimbra/status.txt

Post by thomas.klaube »

Hi all,

some more info:
The attacker is encrypting all files on the Zimbra server that are writable by user 'zimbra'. At least Zimbra 8.8.15 P33 is vulnerable. It is possible that this happens through the cpio exploit which was fixed in 8.8.15 P34 (or by manually installing pax on the server). The server running 8.8.15 P33 which was hacked did not have the pax binary installed, so it could be that the attacker gained access to the machine by sending a special mail with a prepared attachment to the server which was then extracted by cpio. But I couldn't find any proof in the logs.

It would be very important to know if the other hacked server did have the "pax" binary installed; you could verify by running 'which pax' on the server...

Regards
Thomas
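As an added example (not from any poster and not Zimbra's own tooling), a read-only triage script for the indicators described in this thread: it checks for the 'pax' binary Thomas asks about, counts the README.txt ransom notes and the status.txt file shown above, and flags message blobs under store/ whose first line no longer looks like a mail header. The default /opt/zimbra layout, the `*.msg` blob naming and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added triage helper for the indicators this thread describes. It only reads;
# point it at a copy of the tree where possible. Assumes the default layout.

# Indicator 1: is a 'pax' binary available (the thread asks affected admins
# to run 'which pax')? Returns 0 when present.
pax_present() { command -v pax >/dev/null 2>&1; }

# Indicator 2: count ransom notes and the fake maintenance file. $1 = root.
note_count() {
    n=0
    [ -f "$1/status.txt" ] && n=$((n + 1))
    if [ -d "$1/store" ]; then
        n=$((n + $(find "$1/store" -type f -name README.txt | wc -l)))
    fi
    echo "$n"
}

# Indicator 3: count message blobs under store/ whose first line is neither an
# RFC 5322 header ("Name: value") nor an mbox "From " line. Heuristic only:
# ciphertext that happens to start like a header is missed. $1 = root.
opaque_blob_count() {
    n=0
    [ -d "$1/store" ] || { echo 0; return; }
    for f in $(find "$1/store" -type f -name '*.msg'); do
        case "$(head -n 1 "$f" 2>/dev/null)" in
            [A-Za-z]*": "*|"From "*) ;;      # looks like mail
            *) n=$((n + 1)) ;;
        esac
    done
    echo "$n"
}

# Constructed sample tree (not real data) for an offline dry run; prints its path.
make_sample_root() {
    r=$(mktemp -d)
    mkdir -p "$r/store/0/1/msg/0"
    printf 'Received: from mx.example (constructed)\nSubject: hi\n\nbody\n' > "$r/store/0/1/msg/0/1-1.msg"
    printf '\002\037\003constructed-ciphertext: sample\n' > "$r/store/0/1/msg/0/2-2.msg"
    printf 'constructed ransom note\n' > "$r/store/README.txt"
    printf 'constructed fake maintenance file\n' > "$r/status.txt"
    echo "$r"
}

# Print a report and return the number of indicator classes that fired.
triage() {
    root=${1:-/opt/zimbra}; hits=0
    pax_present && { echo "pax binary: $(command -v pax)"; hits=$((hits + 1)); }
    notes=$(note_count "$root"); blobs=$(opaque_blob_count "$root")
    echo "ransom/status files: $notes"; echo "opaque .msg blobs: $blobs"
    [ "$notes" -gt 0 ] && hits=$((hits + 1))
    [ "$blobs" -gt 0 ] && hits=$((hits + 1))
    return $hits
}
```

Run as `sh zimbra_triage.sh /opt/zimbra` on the live tree, or `triage "$(make_sample_root)"` for the dry run; a non-zero exit means at least one indicator class fired.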