A user on our (openSuSE) linux systems attempted to run sudo, and triggered an alert. He has the environment variable EGG set -
EGG=UH211åH1ÒH»ÿ/bin/shHÁSH211çH1ÀPWH211æ°;^O^Ej^A_j<X^O^EÉÃÿ
This looks unusual to say the least.
Is EGG a legitimate environment variable? (I've found some references to PYTHON_EGG_CACHE - could be related? But that environment variable isn't set for this user). If it's legit, then I imagine this group has the best chance of recognizing it.
Or, given the embedded /bin/sh
in the string above, does anyone recognize this as an exploit fingerprint? It wouldn't be the first time we had a cracked account (sigh).
In some cases of exploits, the payload which causes the exploit to execute might have to be very small. In these cases, a common technique is to have a small bootstrap payload which can load a payload delivered differently (this larger payload need not trigger the exploit).
In case of sudo etc, the user has control of the environment. So the user can potentially deliver larger payload using the environment, and have the relevant payload small enough, which can then search/load the actual.
Some typical bootstrap payloads search for a particular environment variable (like an easter EGG HUNT) to load and so would be named EGGS.
See here for instance: http://www.hick.org/code/skape/papers/egghunt-shellcode.pdf
In this case, looks like you have found yourself a script kiddie