Malicious Script or Not? Oxygen.o2?
Posted by CloudStats, 04-29-2011, 05:54 AM |
Hello guys,
Does anybody know a script called "Oxygen.o2" or something like this? We recently found this on one of our client VPSes and don't know what it does.
/vz/root/145/home/lib/oxygen_kessel5
/vz/root/145/home/lib/oxygen_kessel5/bin
/vz/root/145/home/lib/oxygen_kessel5/conf
/vz/root/145/home/lib/oxygen_kessel5/data
/vz/root/145/home/lib/oxygen_kessel5/www
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_base.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_bb.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_bl.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_cfg.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_ch.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_ctl.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_dbi.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_dm.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_feeds.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_hp.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_ipc.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_jr.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_log.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_rs.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_sockets.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_version.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_wd.pyo
/vz/root/145/home/lib/oxygen_kessel5/bin/oxygen_zip.pyo
/vz/root/145/home/lib/oxygen_kessel5/conf/BlackList.o2
/vz/root/145/home/lib/oxygen_kessel5/conf/BlackList.o2.lock
/vz/root/145/home/lib/oxygen_kessel5/conf/DomainConfig.o2
/vz/root/145/home/lib/oxygen_kessel5/conf/DomainConfig.o2.lock
/vz/root/145/home/lib/oxygen_kessel5/conf/IpConfig.o2
/vz/root/145/home/lib/oxygen_kessel5/conf/Ipconfig.o2
/vz/root/145/home/lib/oxygen_kessel5/conf/Ipconfig.o2.lock
/vz/root/145/home/lib/oxygen_kessel5/conf/LinkConfig.o2
/vz/root/145/home/lib/oxygen_kessel5/conf/LinkConfig.o2.lock
/vz/root/145/home/lib/oxygen_kessel5/conf/magic_dict.txt
/vz/root/145/home/lib/oxygen_kessel5/conf/names_dict.txt
/vz/root/145/home/lib/oxygen_kessel5/conf/oxygen_hp.o2s
/vz/root/145/home/lib/oxygen_kessel5/conf/oxygenr.conf
/vz/root/145/home/lib/oxygen_kessel5/conf/oxygenr.crt
/vz/root/145/home/lib/oxygen_kessel5/conf/oxygenr.key
/vz/root/145/home/lib/oxygen_kessel5/data/drop_cache
Has anybody seen it?
Thanks,
Andrew.
|
Posted by justroll-b, 04-30-2011, 04:45 PM |
Have you tried doing a strace/truss on the process that is running on your server?
|
Posted by @Matt, 04-30-2011, 04:51 PM |
I don't think it's malicious, and it looks like this might give some info on it.
http://download.cnet.com/Oxygen-O2/3...-10186139.html
To my knowledge this can be installed on Linux...
|
Posted by CloudStats, 05-02-2011, 08:08 AM |
Thanks for the hints on this, guys, will check those out...
Just two files are particularly worrying us:
/vz/root/145/home/lib/oxygen_kessel5/conf/magic_dict.txt
/vz/root/145/home/lib/oxygen_kessel5/conf/names_dict.txt
They contain dictionary-like usernames and passwords...
|
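Added example (not part of the original thread, and not code from the software in question): a read-only Python inventory of a directory like the one listed above. It records a SHA-256 per file and flags three things visible in the listing: Python bytecode shipped without source, private key material, and dictionary-style word lists. The flag names and the word-list thresholds are assumptions chosen for illustration.

```python
import hashlib
import os

BYTECODE_EXT = (".pyo", ".pyc")
PEM_KEY_MARKER = b"PRIVATE KEY-----"   # matches RSA/EC/PKCS#8 PEM headers

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def looks_like_wordlist(head, min_lines=20, max_len=32):
    """Heuristic (assumed thresholds): many short, single-token ASCII lines."""
    try:
        lines = [l for l in head.decode("ascii").splitlines() if l.strip()]
    except UnicodeDecodeError:
        return False                      # binary content, e.g. bytecode
    if len(lines) < min_lines:
        return False
    short = [l for l in lines if len(l) <= max_len and " " not in l.strip()]
    return len(short) >= 0.9 * len(lines)

def triage(root):
    """Return {relative_path: {"sha256": str, "flags": [str, ...]}}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or not os.path.isfile(path):
                continue                  # do not follow links out of the tree
            with open(path, "rb") as f:
                head = f.read(65536)      # only the first 64 KiB is inspected
            flags = []
            base, ext = os.path.splitext(name)
            if ext in BYTECODE_EXT and base + ".py" not in files:
                flags.append("bytecode-without-source")
            if PEM_KEY_MARKER in head:
                flags.append("private-key")
            if looks_like_wordlist(head):
                flags.append("possible-wordlist")
            rel = os.path.relpath(path, root)
            report[rel] = {"sha256": sha256_of(path), "flags": flags}
    return report

if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for rel, info in sorted(triage(root).items()):
        print(info["sha256"], ",".join(info["flags"]) or "-", rel)
```

A flag is a prompt to look closer, not a verdict; the hashes can be compared against a known-good copy of the package if one exists.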