/usr/bin/cpupower - suspicious files

Discussion in 'Security' started by WorkinOnIt, Oct 26, 2016.

  1. WorkinOnIt

    WorkinOnIt Well-Known Member

    Hi

    What is the best way to verify if a file is genuine or not? On a cPanel installation, is there a method (SSH command?) to check the installation against a list of "standard" install files?

    I have CSF and recently was notified about "system integrity checking" with the file /usr/bin/cpupower - only comparing to other installations, this file does not appear to be standard - so I am not sure if it is suspicious or not.

    Is there somewhere a published list of files for a cPanel / CentOS installation?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Was the alert sent out after an update? There is an rpm with the same name:

    Code:
    rpmfind.net/linux/rpm2html/search.php?query=%2Fusr%2Fbin%2Fcpupower
    
    centos.org/forums/viewtopic.php?t=57730
    
    webcache.googleusercontent.com/search?q=cache:D87syj3YqHAJ:https://rhn.redhat.com/errata/RHEA-2013-0284.html+&cd=2&hl=en&ct=clnk&gl=us
    
     
  3. WorkinOnIt

    WorkinOnIt Well-Known Member

    Thanks - that search page is very useful for checking if a file is legitimate! The files in question certainly appear legit.

    It seems some files were installed but I'm not sure why. I haven't installed any power management tools, so it seems odd.

    Also odd that these files don't exist on other similar machines.
     
  4. ThinIce

    ThinIce Well-Known Member

    A few thoughts:

    You can ask yum directly what package provides a given file (whether present / installed on the system or not) with

    Code:
    yum whatprovides /usr/bin/cpupower
    You can query the RPM database for the installed file in question; this will output the installed package that owns the file

    Code:
    rpm -qf /usr/bin/cpupower 
    You can ask the rpm tool to verify with the database whether the file on your system matches what is provided in a given package

    Code:
    rpm -V packagename
    The problem with the above is that if the system is compromised and a malicious file has been added, it's also possible the rpm database / tools have been tampered with.

    It's possible another admin installed the package, or it was pulled in as a dependency when you installed something else; take a look at the /var/log/yum.log* files to see. There is also

    Code:
    yum history package-list cpupowerutils
     
    cPanelMichael and Infopro like this.
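
Added example, not part of the post above or of any cPanel tooling: a small shell helper that chains the `rpm -qf` and `rpm -V` steps from the thread and interprets the verify flags for one file. The function names and the sample output are constructed for illustration; as the post notes, the verdict is only as trustworthy as the rpm database and tools on the host.

```bash
#!/bin/bash
# rpm -V prints one line per file that differs from the RPM database:
# nine attribute flags ("." = matches), an optional type marker (c, d, ...),
# then the path. A file that is gone shows "missing" instead of the flags.

# Constructed sample output (not taken from a real system).
SAMPLE_RPM_V='S.5....T.    /usr/bin/cpupower
.......T.  c /etc/sysconfig/cpupower
missing      /usr/share/man/man1/cpupower.1.gz'

# classify_verify PATH: reads rpm -V output on stdin, prints a verdict for PATH.
classify_verify() {
    target=$1
    verdict="unchanged"              # no line for the file means it verified
    while IFS= read -r line; do
        path="/${line#*/}"           # path starts at the first "/"
        [ "$path" = "$target" ] || continue
        flags=${line%% *}            # first whitespace-delimited field
        if [ "$flags" = "missing" ]; then
            verdict="missing"
            continue
        fi
        changed=""
        for pair in S:size M:mode 5:digest U:owner G:group T:mtime; do
            case $flags in
                *"${pair%%:*}"*) changed="$changed ${pair#*:}" ;;
            esac
        done
        verdict="modified:$changed"
    done
    printf '%s\n' "$verdict"
}

# check_file PATH: find the owning package, verify it, report on PATH only.
check_file() {
    pkg=$(rpm -qf "$1") || { echo "not owned by any package: $1"; return 1; }
    echo "owner: $pkg"
    # $pkg is left unquoted on purpose: a file can have more than one owner.
    rpm -V $pkg | classify_verify "$1"
}

# Run against a real path only when one is given on the command line.
if [ "$#" -gt 0 ]; then
    check_file "$1"
fi
```

A `digest` change on a binary means its contents no longer match what the package shipped; an `mtime`-only change on a config file is usually benign.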