/usr/bin/cpupower - suspicious files
Hi
What is the best way to verify if a file is genuine or not? On a cpanel installation, is there a method (ssh command?) to check the installation against a list of "standard" install files?
I have CSF and recently was notified about "system integrity checking" with the file /usr/bin/cpupower - only comparing to other installations, this file does not appear to be standard - so I am not sure if it is suspicious or not.
Is there somewhere a published list of files for cpanel / Centos installation?
I have CSF and recently was notified
Was the alert sent out after an update? There is an rpm with the same name:
rpmfind.net/linux/rpm2html/search.php?query=%2Fusr%2Fbin%2Fcpupower
centos.org/forums/viewtopic.php?t=57730
webcache.googleusercontent.com/search?q=cache:D87syj3YqHAJ:https://rhn.redhat.com/errata/RHEA-2013-0284.html+&cd=2&hl=en&ct=clnk&gl=us
"The cpupowerutils packages provide a suite of tools to manage power states on appropriately enabled central processing units (CPU)."
Thanks - that search page is very useful for checking if a file is legitimate! The files in question certainly appear legit. It seems some files were installed but I'm not sure why. I haven't installed any power management tools, so it seems odd. Also odd that these files don't exist on other similar machines.
Is there somewhere a published list of files for cpanel / Centos installation?
A few thoughts:

You can ask yum directly what package provides a given file (whether present / installed on the system or not) with:
yum whatprovides /usr/bin/cpupower

You can query the RPM database for the installed file in question; this will output the installed package that owns the file:
rpm -qf /usr/bin/cpupower

You can ask the rpm tool to verify with the database whether the file on your system matches what is provided in a given package:
rpm -V packagename

The problem with the above is that if the system is compromised and a malicious file has been added, it's also possible the rpm database / tools have been tampered with. It's possible another admin installed the package, or it was pulled in as a dependency when you installed something else; take a look at the /var/log/yum.log* files to see. There is also:
yum history package-list cpupowerutils
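The steps in the answer above (find the owning package, verify it against the RPM database, check the yum log) can be tied together in one small script. The following is an added example written for this thread, not code posted by anyone in it or shipped by cPanel or CSF. The interesting part is reading `rpm -V` output: each line starts with a nine-character field where a dot means the attribute matches the database and a letter (S size, M mode, 5 digest, D device, L symlink, U user, G group, T mtime, P capabilities) means it differs, followed by an optional file-type marker (c for config files) and the path. A changed digest or size on a non-config binary is the signal worth escalating; a config file with a changed digest, or a bare mtime change, usually is not. The function names and the sample lines in the test are constructed for the example.

```shell
#!/bin/sh
# Added example: interpret `rpm -V` output and wrap the rpm/yum checks from
# the thread. Function names are the example's own, not part of rpm or yum.

# Split one `rpm -V` line into its parts. Sets VFLAGS (the 9-char attribute
# field, or the word "missing"), VMARKER (file-type letter such as 'c' for a
# config file, or '-' when none) and VPATH.
parse_verify_line() {
    set -- $1
    VFLAGS=$1
    case "$2" in
        /*) VMARKER="-"; VPATH=$2 ;;
        *)  VMARKER=$2;  VPATH=$3 ;;
    esac
}

# Classify a verify line by what kind of change it reports:
#   missing               file listed in the package is gone
#   content-changed       size/digest/link target differs on a non-config file
#   config-changed        size/digest/link target differs on a config file
#   mode-or-owner-changed permissions, owner, group or capabilities differ
#   metadata-only         only mtime/device differ
classify_verify_line() {
    parse_verify_line "$1"
    if [ "$VFLAGS" = "missing" ]; then
        echo "missing"
        return 0
    fi
    case "$VFLAGS" in
        *S*|*5*|*L*)
            if [ "$VMARKER" = "c" ]; then
                echo "config-changed"
            else
                echo "content-changed"
            fi
            ;;
        *M*|*U*|*G*|*P*)
            echo "mode-or-owner-changed"
            ;;
        *)
            echo "metadata-only"
            ;;
    esac
}

# Inspect one path on a live RPM-based host: report the owning package,
# classify every verify line for that package, and show the yum log entries
# that recorded its installation. Returns 1 when no package owns the file
# and 2 when rpm is not available.
inspect_file() {
    path=$1
    if ! command -v rpm >/dev/null 2>&1; then
        echo "rpm not available on this host"
        return 2
    fi
    pkg=$(rpm -qf "$path" 2>/dev/null) || {
        echo "$path: not owned by any installed package"
        return 1
    }
    echo "$path: owned by $pkg"
    rpm -V "$pkg" | while IFS= read -r line; do
        echo "  $(classify_verify_line "$line")  $line"
    done
    # yum records each transaction; lines look like "... Installed: <pkg>".
    grep -h "$pkg" /var/log/yum.log* 2>/dev/null | head -n 5
    return 0
}

# Usage: sh verify_file.sh /usr/bin/cpupower
[ $# -gt 0 ] && inspect_file "$1"
```

As the answer notes, a compromised host's RPM database cannot be trusted as the reference. In that case the same verification can be run against a package file fetched from the distribution mirror with `rpm -Vp <package>.rpm`, which compares the on-disk files with the package's own manifest rather than with the local database.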