Zabbix SSHing to one of our servers with weird parameters

  • jmusbach
    Member
    • Sep 2013
    • 37

    #1

    Zabbix SSHing to one of our servers with weird parameters

    Hello, for a while now we've been noticing Zabbix has been SSHing into one of our servers and failing to log in for some reason. All of the actions we have that log in to that server use public key authentication, and that seems to be fine, so we have no idea where this rogue connection keeps coming from. We've enabled auditd logging of sshd executions on the Zabbix server and the failed logins correlate with these entries:

    type=EXECVE msg=audit(1396279532.143:4202762): argc=3 a0="ssh" a1="root@<server>" a2=726D202D66202F636C757374657266732F746F6F6C732F746D702F746573742E66696C65

    a2 is always the same in this case, but we have no idea what would be generating such a second parameter. Has anyone seen this before? Any idea what would cause Zabbix to do this or any way we could trace this further? Thanks.
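
The audit subsystem logs an EXECVE argument in double quotes when it is plain text and as a bare hex string when it contains spaces, quotes or control bytes, so the `a2` value in the record above can be decoded back to the argument that was passed to `ssh`. The following parser is an added example, not part of the original post; the function names are hypothetical, and `SAMPLE` is the posted record with the stray space inside `a2` removed.

```python
import re
from datetime import datetime, timezone

# Constructed sample: the EXECVE record from the post, with the stray space
# inside the a2 value removed so the hex string is a single token.
SAMPLE = ('type=EXECVE msg=audit(1396279532.143:4202762): argc=3 a0="ssh" '
          'a1="root@<server>" a2=726D202D66202F636C757374657266732F746F6F6C73'
          '2F746D702F746573742E66696C65')

HEADER = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')
ARG = re.compile(r'\b(a\d+)=("[^"]*"|\S+)')
HEX = re.compile(r'(?:[0-9A-Fa-f]{2})+\Z')

def decode_arg(raw):
    """Decode one aN= value as written by the kernel audit subsystem."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]              # plain argument, logged in quotes
    if raw == '(null)':
        return None
    if HEX.match(raw):                # space/quote/control byte => bare hex
        return bytes.fromhex(raw).decode('utf-8', errors='backslashreplace')
    return raw                        # unknown form: keep as-is, do not guess

def parse_execve(line):
    """Return {'time', 'serial', 'argv'} for one type=EXECVE record.

    Arguments long enough to be split into aN[i]= chunks are not handled.
    """
    head = HEADER.search(line)
    argc = re.search(r'\bargc=(\d+)', line)
    if 'type=EXECVE' not in line or not head or not argc:
        raise ValueError('not a parsable EXECVE record')
    args = {int(k[1:]): decode_arg(v) for k, v in ARG.findall(line)}
    missing = [i for i in range(int(argc.group(1))) if i not in args]
    if missing:
        raise ValueError(f'argc mismatch, missing a{missing[0]}')
    when = datetime.fromtimestamp(int(head.group(1)), tz=timezone.utc)
    return {'time': when.isoformat(),
            'serial': int(head.group(3)),   # joins EXECVE to SYSCALL/PATH records
            'argv': [args[i] for i in range(int(argc.group(1)))]}

if __name__ == '__main__':
    event = parse_execve(SAMPLE)
    print(event['time'], event['serial'], event['argv'])
```

The serial number in the result is the key for pulling the SYSCALL record of the same event, which carries the `ppid` and `exe` of the process that launched `ssh`; `ausearch -i` performs the same hex decoding on a live audit log.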