ZABBIX BUGS AND ISSUES / ZBX-9743

Security incident, python backconnect on Zabbix server


    • Type: Defect (Security)
    • Resolution: Won't fix
    • Priority: Critical
    • Fix Version/s: None
    • Affects Version/s: 2.4.5
    • Component/s: Server (S)
    • Environment: Linux, Debian Squeeze LTS

      I noticed the following process running under the zabbix user on our Zabbix 2.4.5 server (exposed to the internet):

      `python -c import pty ; pty.spawn("/bin/bash");`

      Is there any not yet disclosed remote code execution vulnerability in Zabbix Server?

      We still do not have any indication or idea of what started this process.

      • Find attached the output of `lsof`. Most interesting:
        TCP srv148.typo3.org:47501->115.29.145.27:9999
        So it seems this is a backconnect script, which opens a TCP connection from our server to a Chinese IP.
      • I did not find any python files on the server.
      • I checked all access logs of the last 2 weeks. The only requests that made me nervous in the beginning are coming from GoogleBot and doing POSTs to jsrpc.php, but the IPs are indeed from Google. So there is no indication that it came through the web interface.
      • We use active checks. Zabbix server's port 10051 is exposed to the internet. Besides the web interface, this might be the other likely entry door.
      • Syslogs did not show anything interesting

      Any further suggestions on how to find out what happened? Anybody with the same problem?

      I don't want to cause panic, but I was told by [email protected] to report it here publicly. Zabbix server (together with Apache) is the only service running on that VM.
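A host-triage check in the spirit of what the reporter did, added here as an example (not code from the ticket or from the Zabbix project): it parses constructed `ps` and `lsof` output and flags shell or backconnect patterns running under daemon accounts, plus TCP connections from those accounts where neither end is a port Zabbix or Apache is expected to use. The account list, the expected-port set and all sample addresses are assumptions for the demo.

```python
import re
# Constructed `ps -eo user,pid,args --no-headers` output (not from the ticket); PID 4123 mirrors the reporter's process.
PS_SAMPLE = """\
zabbix    2301 /usr/sbin/zabbix_server -c /etc/zabbix/zabbix_server.conf
zabbix    4123 python -c import pty ; pty.spawn("/bin/bash");
zabbix    4124 /bin/bash
"""

# Constructed `lsof -i -n -P` output; the ticket's real line was srv148.typo3.org:47501->115.29.145.27:9999, addresses here are made up.
LSOF_SAMPLE = """\
COMMAND  PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
zabbix_s 2301 zabbix 5u IPv4 12345 0t0 TCP *:10051 (LISTEN)
zabbix_s 2301 zabbix 9u IPv4 12346 0t0 TCP 10.0.0.5:10051->10.0.0.9:50123 (ESTABLISHED)
python 4123 zabbix 3u IPv4 22222 0t0 TCP 10.0.0.5:47501->203.0.113.7:9999 (ESTABLISHED)
"""

SERVICE_ACCOUNTS = {"zabbix", "www-data"}  # assumed: daemon accounts that never need a shell
EXPECTED_PORTS = {80, 443, 10050, 10051}   # assumed: ports Zabbix and Apache legitimately use
SHELL_SPAWN = re.compile(r"pty\.spawn|/bin/(ba|da)?sh\b|/dev/tcp/|socket\.socket|\bnc\b")

def parse_ps(text):
    """Map pid -> (user, command line) from `ps -eo user,pid,args` output."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3:
            procs[int(parts[1])] = (parts[0], parts[2])
    return procs

def parse_lsof(text):
    """Yield (pid, user, local_port, remote_port) for connected TCP rows of `lsof -i -n -P`."""
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 10 or parts[7] != "TCP" or "->" not in parts[8]:
            continue
        local, remote = parts[8].split("->")
        yield int(parts[1]), parts[2], int(local.rsplit(":", 1)[1]), int(remote.rsplit(":", 1)[1])

def find_suspicious(ps_text, lsof_text):
    """Return {pid: [reasons]}: shells under service accounts and their unexpected connections."""
    findings = {}
    for pid, (user, cmd) in parse_ps(ps_text).items():
        if user in SERVICE_ACCOUNTS and SHELL_SPAWN.search(cmd):
            findings.setdefault(pid, []).append(f"shell/backconnect pattern under {user}: {cmd}")
    for pid, user, lport, rport in parse_lsof(lsof_text):
        # Neither end on a known service port: not a Zabbix/HTTP session, so likely outbound.
        if user in SERVICE_ACCOUNTS and lport not in EXPECTED_PORTS and rport not in EXPECTED_PORTS:
            findings.setdefault(pid, []).append(f"unexpected TCP connection from {user} to remote port {rport}")
    return findings
```

Running it against real `ps`/`lsof` output flags the Zabbix server's own inbound 10051 sessions as benign while surfacing the pty shell and its outbound link on the same PID.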

            Assignee: Unassigned
            Reporter: Steffen Gebert (stephenking)