What is the EGG environment variable?

Posted by Randall on Server Fault
Published on 2011-02-17T22:26:29Z Indexed on 2011/02/17 23:27 UTC

A user on our (openSUSE) Linux systems attempted to run sudo and triggered an alert. He has the environment variable EGG set:

EGG=UH211åH1ÒH»ÿ/bin/shHÁSH211çH1ÀPWH211æ°;^O^Ej^A_j<X^O^EÉÃÿ

This looks unusual to say the least.

Is EGG a legitimate environment variable? (I've found some references to PYTHON_EGG_CACHE - could be related? But that environment variable isn't set for this user). If it's legit, then I imagine this group has the best chance of recognizing it.

Or, given the embedded /bin/sh in the string above, does anyone recognize this as an exploit fingerprint? It wouldn't be the first time we had a cracked account (sigh).
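
A defensive check suggested by the question's observation (binary bytes wrapped around /bin/sh in an environment variable), added here as an example and not part of the original post: it flags variables in a /proc/<pid>/environ image whose values are not plain text. The function names and the sample data are assumptions made for illustration.

```python
import re

SHELL_PATH = re.compile(rb"/bin/(?:ba|da|z|k)?sh")

def parse_environ(blob):
    """Split a /proc/<pid>/environ image (NUL-separated NAME=value) into a dict."""
    env = {}
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:
            env[name] = value
    return env

def looks_binary(value):
    """True if the value is not valid UTF-8 text or carries control characters."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return True
    return any((ord(c) < 0x20 and c not in "\t\n") or ord(c) == 0x7F for c in text)

def suspicious_vars(blob):
    """Return {name: [reasons]} for variables whose values look like binary payloads."""
    findings = {}
    for name, value in parse_environ(blob).items():
        if not looks_binary(value):
            continue
        reasons = ["value is not plain text"]
        if SHELL_PATH.search(value):
            reasons.append("shell path embedded in binary data")
        findings[name.decode("ascii", "replace")] = reasons
    return findings

def scan_pid(pid):
    """Check a live process; needs read access to /proc/<pid>/environ (Linux)."""
    with open(f"/proc/{pid}/environ", "rb") as fh:
        return suspicious_vars(fh.read())

# Constructed sample: ordinary variables plus a non-functional value that only
# imitates the traits visible in the question (high-bit bytes around /bin/sh).
SAMPLE = b"\0".join([
    b"HOME=/home/user",
    b"SHELL=/bin/bash",
    b"LANG=en_US.UTF-8",
    b"EGG=AA\xe5\xd2\xbb\xff/bin/sh\xc1\xe7\x01",
]) + b"\0"

if __name__ == "__main__":
    for var, why in suspicious_vars(SAMPLE).items():
        print(var, "->", "; ".join(why))
```

A plain-text SHELL=/bin/bash is not flagged; only a shell path sitting inside a non-text value is reported.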

© Server Fault or respective owner