/usr/bin/cpupower - suspicious files

Discussion in 'Security' started by WorkinOnIt, Oct 26, 2016.

  1. WorkinOnIt

    WorkinOnIt Well-Known Member

    Hi

    What is the best way to verify if a file is genuine or not? On a cPanel installation, is there a method (SSH command?) to check the installation against a list of "standard" install files?

    I have CSF and recently was notified about "system integrity checking" with the file /usr/bin/cpupower - only comparing to other installations, this file does not appear to be standard - so I am not sure if it is suspicious or not.

    Is there somewhere a published list of files for a cPanel / CentOS installation?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

    Was the alert sent out after an update? There is an rpm with the same name:

    Code:
    rpmfind.net/linux/rpm2html/search.php?query=%2Fusr%2Fbin%2Fcpupower
    
    centos.org/forums/viewtopic.php?t=57730
    
    webcache.googleusercontent.com/search?q=cache:D87syj3YqHAJ:https://rhn.redhat.com/errata/RHEA-2013-0284.html+&cd=2&hl=en&ct=clnk&gl=us
    
     
  3. WorkinOnIt

    WorkinOnIt Well-Known Member

    Thanks - that search page is very useful for checking if a file is legitimate! The files in question certainly appear legit.

    It seems some files were installed but I'm not sure why. I haven't installed any power management tools, so it seems odd.

    Also odd that these files don't exist on other similar machines.
     
  4. ThinIce

    ThinIce Well-Known Member

    A few thoughts:

    You can ask yum directly what package provides a given file (whether present / installed on the system or not) with:

    Code:
    yum whatprovides /usr/bin/cpupower
    You can query the RPM database for the installed file in question; this will output the installed package that owns the file:

    Code:
    rpm -qf /usr/bin/cpupower 
    You can ask the rpm tool to verify with the database whether the file on your system matches what is provided in a given package:

    Code:
    rpm -V packagename
    The problem with the above is that if the system is compromised and a malicious file has been added, it's also possible the rpm database / tools have been tampered with.

    It's possible another admin installed the package, or it was pulled in as a dependency when you installed something else; take a look at the /var/log/yum.log* files to see. There is also:

    Code:
    yum history package-list cpupowerutils
     
    cPanelMichael and Infopro like this.
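
The `rpm -qf` and `rpm -V` checks from the last post, combined into one script as an added example (not code from the thread or from cPanel): it finds the package that owns a path, verifies that file against the rpm database, and classifies the verify flags. The function names are hypothetical, the sample lines are constructed, and the verdict is only as trustworthy as the local rpm database and binaries, which is the caveat raised in that post.

```bash
#!/bin/bash
# Added example. Function names are hypothetical; sample lines are constructed.

# Classify one line of `rpm -V` output by its leading flag field.
classify_verify_line() {
    local line=$1 flags
    case $line in
        missing*) echo MISSING; return 0 ;;
    esac
    flags=${line%% *}                       # e.g. "S.5....T."
    case $flags in
        S*|*5*)      echo CONTENT-CHANGED ;;   # size or digest differs from the package
        *\?*)        echo UNVERIFIABLE ;;      # a test could not be performed
        *[MDLUGTP]*) echo METADATA-CHANGED ;;  # mode/owner/group/mtime etc. only
        *)           echo OK ;;
    esac
}

# Find the owning package for a path and verify that one file against it.
check_file() {
    local path=$1 pkg out
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    if ! pkg=$(rpm -qf "$path" 2>/dev/null); then
        echo "UNOWNED $path"              # no installed package claims this file
        return 1
    fi
    # rpm -Vf verifies the whole owning package; keep only the line for our path
    # (paths containing spaces are not handled here).
    out=$(rpm -Vf "$path" 2>/dev/null | awk -v p="$path" '$NF == p')
    echo "$(classify_verify_line "${out:-......... $path}") $path ($pkg)"
}

if [ "$#" -gt 0 ]; then
    for f in "$@"; do check_file "$f"; done
else
    # No arguments: classify constructed sample lines in rpm -V format.
    while IFS= read -r l; do
        printf '%-17s %s\n' "$(classify_verify_line "$l")" "$l"
    done <<'EOF'
S.5....T.    /usr/bin/cpupower
.......T.    /usr/bin/cpupower
missing     /usr/bin/cpupower
EOF
fi
```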