What is the EGG environment variable?
Posted by Randall on Server Fault
Published on 2011-02-17T22:26:29Z
A user on our (openSuSE) Linux systems attempted to run sudo, and triggered an alert. He has the environment variable EGG set:
EGG=UH211åH1ÒH»ÿ/bin/shHÁSH211çH1ÀPWH211æ°;^O^Ej^A_j<X^O^EÉÃÿ
This looks unusual to say the least.
Is EGG a legitimate environment variable? (I've found some references to PYTHON_EGG_CACHE - could be related? But that environment variable isn't set for this user). If it's legit, then I imagine this group has the best chance of recognizing it.
Or, given the embedded /bin/sh in the string above, does anyone recognize this as an exploit fingerprint? It wouldn't be the first time we had a cracked account (sigh).
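
An added example, not part of the original post: a heuristic that walks a NUL-separated environment block (the format of /proc/<pid>/environ on Linux) and flags values that, like the one quoted above, mix non-text bytes with a shell path. The function names, the 20% threshold and the sample bytes are assumptions constructed for illustration.

```python
import sys

SHELL_PATHS = (b"/bin/sh", b"/bin/bash", b"/bin/dash")

def inspect_environ(block, max_nontext_ratio=0.2):
    """Return [(name, nontext_ratio, has_shell_path)] for suspicious entries.

    A value is suspicious when more than max_nontext_ratio of its characters
    are control characters or bytes that are not valid UTF-8.
    """
    findings = []
    for entry in block.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if not sep or not value:
            continue  # skip empty or malformed entries
        # Invalid UTF-8 sequences decode to U+FFFD; legitimate non-ASCII text survives.
        text = value.decode("utf-8", "replace")
        nontext = sum(1 for ch in text if ch == "\ufffd" or not ch.isprintable())
        ratio = nontext / len(text)
        if ratio > max_nontext_ratio:
            has_shell = any(p in value for p in SHELL_PATHS)
            findings.append((name.decode("ascii", "replace"), round(ratio, 2), has_shell))
    return findings

def inspect_pid(pid):
    """Inspect a live process; needs read access to /proc/<pid>/environ."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return inspect_environ(fh.read())

# Constructed sample: ordinary variables plus one binary value wrapped
# around a shell path. The bytes are arbitrary, not working code.
SAMPLE = b"\0".join([
    b"PATH=/usr/bin:/bin",
    b"SHELL=/bin/sh",                  # a shell path alone is normal
    "NAME=Zo\u00eb".encode("utf-8"),   # valid UTF-8 is not flagged
    b"EGG=\xe5\xd2\xbb\xff/bin/sh\xc1\x0f\x05\xc3",
]) + b"\0"

if __name__ == "__main__":
    hits = inspect_pid(sys.argv[1]) if len(sys.argv) > 1 else inspect_environ(SAMPLE)
    for name, ratio, has_shell in hits:
        print(f"{name}: {ratio:.0%} non-text, shell path embedded: {has_shell}")
```

Run with a PID as the argument to inspect that process, or with no argument to see the output for the constructed sample.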