  1. #1 | Join Date: Mar 2006 | Posts: 97

    /usr/bin/fakegauge?

    Is anybody aware of what this file is or what it is for?

    /usr/bin/fakegauge


    LFD on my cPanel CentOS 5.1 Linux box reported an md5 checksum failure on this file.

    I am not sure what it is for. I want to know if this is something I can get rid of or a sign that my server has been compromised.

    Thanks!

  2. #2 | Join Date: Apr 2004 | Location: Singapore | Posts: 1,506
    I strongly believe that your server has been compromised.
    tanfwc
    Singapore Managed Colocation
    Singapore BGP Announcement

  3. #3 | Join Date: Mar 2006 | Posts: 97
    How can you say so?
    Are you familiar with this file?

  4. #4 | Join Date: Sep 2002 | Location: Top Secret | Posts: 11,687
    While relying strictly on md5sums (they change, people!) to tell if a server is or is not compromised is a bad idea, I'll say that fakegauge is not part of the standard CentOS distribution from what I've seen.

    That, coupled with the incorrect md5, hints that you might just have an issue on your server. I wouldn't panic QUITE yet, but you need to get a professional in there looking at things.
    WHMCS Guru - WHMCS addons, management, support and more.
    WHMCS Notifications Extended - Add slack, hipchat, SMS, pushover to WHMCS !!
    Always looking for Linux, WHMCS, Support Desk work. PM for details

  5. #5 | Join Date: Mar 2006 | Posts: 97
    Thanks linux-tech for the response and the kind of advice you have given; I really agree with it and appreciate it.

    While certainly the presence of that file concerns me, it didn't really send me to panic mode.

    That server has been hardened and is at the so-called "brickwall" level for CSF.

    I have looked around in various places (/tmp, log messages, etc.) and nothing really appears suspicious; even outbound connections appear to be normal.

    I will have it checked just in case. I was just hoping that someone out there has seen this file.

  6. #6 | Join Date: Mar 2005 | Location: Maine, USA | Posts: 302
    Upload the file to www.virustotal.com and see if it returns any hits for virus/malware files. No guarantee it is not or is, but worth a shot, especially if the virus scanners report a high rate of success.

  7. #7 | Join Date: Mar 2006 | Posts: 97
    Hawk82... thanks for the recommendation.

    I uploaded it and the result was 0/32.

    The file is an ELF 32-bit LSB executable so I am not sure if those 32 scanners are designed only to analyze Windows based files.

  8. #8 | Join Date: Dec 2004 | Location: New York, NY | Posts: 10,574
    A Google search for "fakeguage" returns only this thread, which is rather interesting. See if you can figure out when and how this file was originally created, as it doesn't look like it should exist.

  9. #9 | Join Date: Apr 2004 | Location: Singapore | Posts: 1,506
    zynfella, I suggest you download rkhunter and rootkit to do a scan on your system. That binary is very suspicious to me.
    tanfwc
    Singapore Managed Colocation
    Singapore BGP Announcement

  10. #10 | Join Date: Mar 2001 | Posts: 1,434
    r1soft installed on this server? It is related I believe.

    - John C.

  11. #11
    Quote Originally Posted by JohnCrowley:
    r1soft installed on this server? It is related I believe.

    - John C.
    I have /usr/bin/fakegauge installed on all of my servers that have R1soft installed.

  12. #12 | Join Date: Mar 2006 | Posts: 97
    Quote Originally Posted by JohnCrowley:
    r1soft installed on this server? It is related I believe.

    - John C.

    Thanks JohnCrowley!

    Yes, indeed. R1Soft agent has been installed in this server recently.

    So, is it safe to assume then that this file is part of the R1Soft agent install?


    Quote Originally Posted by Curious Too:
    I have /usr/bin/fakegauge installed on all of my servers that have R1soft installed.
    Thank you also for the info. It feels good to know that I am not the only one.

  13. #13

    Another confirmation

    Just wanted to add another confirmation

    There's a "--list" option to the r1soft installer that shows you what's in the archive:

    $ sh ./linux-agent-32-1.46.2-rhe.run --list |grep -i fake
    -rwxr-xr-x root/root 6462 2008-04-14 00:39 ./bin/fakegauge

    Hope this helps!
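    The check the last two posts converge on, written out as an added example (not code from the thread or from R1Soft): parse the installer's `--list` output and compare the on-disk file's mode and size against the archive entry of the same name, so an integrity-monitor alert like LFD's md5 mismatch can be confirmed or cleared against the vendor's own manifest. The listing lines, the stand-in file and the helper names are constructed for the demo.

```python
"""Compare a file flagged by an integrity monitor with the matching entry in a
vendor installer's archive listing (format: mode owner/group size date time path,
as printed by the r1soft .run installer's --list option).

Added example, not part of the thread or of R1Soft's tooling. SAMPLE_LISTING and
the file created in demo() are constructed; on a real host pass the actual
installer output and the real path (e.g. /usr/bin/fakegauge)."""
import os
import re
import stat
import tempfile

# One listing line: mode, owner/group, size, date, time, path
LISTING_RE = re.compile(
    r"^(?P<mode>[-dlrwxsStT]{10})\s+\S+\s+(?P<size>\d+)\s+\S+\s+\S+\s+(?P<path>\S+)$"
)

def parse_listing(text):
    """Return {basename: (mode_string, size)} for every regular file listed."""
    entries = {}
    for line in text.splitlines():
        m = LISTING_RE.match(line.strip())
        if m and m.group("mode").startswith("-"):      # regular files only
            entries[os.path.basename(m.group("path"))] = (m.group("mode"), int(m.group("size")))
    return entries

def check_file(path, entries):
    """Return (verdict, details): 'match', 'mismatch' or 'not-in-archive'.
    A mismatch or an unknown name is what a defender escalates; a match means
    the file at least agrees with the vendor manifest on mode and size."""
    name = os.path.basename(path)
    if name not in entries:
        return "not-in-archive", {}
    exp_mode, exp_size = entries[name]
    st = os.stat(path)
    got_mode = stat.filemode(st.st_mode)
    details = {"expected": (exp_mode, exp_size), "found": (got_mode, st.st_size)}
    ok = got_mode == exp_mode and st.st_size == exp_size
    return ("match" if ok else "mismatch"), details

# Constructed sample: the line quoted in the thread plus a second entry.
SAMPLE_LISTING = """\
-rwxr-xr-x root/root 6462 2008-04-14 00:39 ./bin/fakegauge
-rwxr-xr-x root/root 1234 2008-04-14 00:39 ./bin/other-tool
"""

def demo():
    """Create a 6462-byte, mode 0755 stand-in named fakegauge and check it."""
    path = os.path.join(tempfile.mkdtemp(), "fakegauge")
    with open(path, "wb") as f:
        f.write(b"\x7fELF" + b"\0" * (6462 - 4))  # constructed stand-in, not the real binary
    os.chmod(path, 0o755)
    return check_file(path, parse_listing(SAMPLE_LISTING))

if __name__ == "__main__":
    print(demo())
```

    A size or mode that disagrees with the manifest does not prove tampering on its own (vendor builds differ between versions), but it is the point at which the rkhunter/chkrootkit scan and a hash comparison against a known-good copy of the same installer become worth the effort.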
