Altered RPM Notice - cpanel-roundcubemail

[MH-Stefan]

Since about 2 weeks, we're getting the following notification from all servers on a daily basis:

[check_cpanel_rpms] There are altered RPMs
The system detected problems with the following cPanel-provided files that the RPM controls:

RPM Status Additional Information
cpanel-roundcubemail,1.1.4,8.cp1158-/usr/local/cpanel/base/3rdparty/roundcube/skins/larry/includes/footer.html Broken S.5....T.

If you did not make these changes intentionally, execute the following command as the root user to correct them:
/usr/local/cpanel/scripts/check_cpanel_rpms --fix

This notice is the result of a request from “rpmcheck”.

Running the "check_cpanel_rpms --fix" command fixes the RPMs, but the next day the RPM breaks again.

This happens on old servers, as well as on freshly deployed servers. All servers run the latest cPanel version, currently 60.0 (build 25).

Is this a known bug? Is there any permanent fix for this available?

Thank you in advance.

 

[cPanelMichael]

Hello,

The cPanel RPM check script detects changes to files included as part of the Roundcube package. Do you have any third-party plugins or cron jobs that are automatically modifying the "/usr/local/cpanel/base/3rdparty/roundcube/skins/larry/includes/footer.html" file on the system?

Thank you.

 

[MH-Stefan]

Hello,

Thanks for the reply.

We have some WHM plugins installed, but none related to Webmail and nothing that would modify that specific file. At least not on purpose.

This even happened on a server that has only the ConfigServer plugins installed. I doubt that these would touch that file.

 

[cPanelMichael]

Hello,

Are you using the Attracta plugin? I've seen an additional report about this plugin making the change to the same file. You may want to report this issue to their support team to ensure it's corrected.

Thank you.

 

[4u123]

I'm having this same problem - just started a few days ago after the recent cpanel update to 62.0.10. Why would Attracta make changes to Roundcube I wonder? That's pretty suspicious. Did you contact Attracta MH-Stefan?

 

[cPanelMichael]

Hello @4u123,

Audit logs on systems with Attracta installed do suggest Attracta is making changes to the /usr/local/cpanel/base/3rdparty/roundcube/skins/larry/includes/footer.html file. I haven't seen an indication their support team has been contacted about this topic by anyone on this thread, so you may want to submit a request to them if you are using Attracta and notice this issue:

Knowledge base | Attracta

Thank you.

 

[MH-Stefan]

I've reported this bug on Monday and got the following response:

Stefan thanks for reporting this to us! It is indeed a bug in the Attracta plugin that you have found, thanks so much for sending it over. Since the Attracta plugin has a wide installed base of servers, we have a lot of partners that request that we use our plugin to push out little customizations for them. Based on the file you've listed, it looks like your server is getting caught up in a request by a partner to add an analytics pixel to Roundcube. I'm not entirely sure why this is happening for you, but it's possible that your server's IP range is for some reason matching the partner that requested that change, or similar.

I'll get with our team to get a patched version that fixes that once and for all for you, but in the interim you can remove the changes (it's simply 2 lines, one comment and one javascript that does harmless analytics) with something like this:
sed -i '/username/d;/Attracta/d' /usr/local/cpanel/base/3rdparty/roundcube/skins/larry/includes/footer.html

That should clear the warning from cPanel.

Again very sorry for the mix-up; if you'd rather just uninstall the Attracta plugin that is fine too, just run:

/usr/local/cpanel/3rdparty/attracta/scripts/uninstall-attracta

Thanks again and let me know if you see anything else out of the ordinary! - Jason @ Attracta

 

[MDHMatt]

Have you heard anything more from them like when they will be bringing out a patched update?

And does it return if you remove those lines manually?

 

[MH-Stefan]

Have you heard anything more from them like when they will be bringing out a patched update?

And does it return if you remove those lines manually?

I didn't get any further reply. I simply decided to uninstall the plugin from all our servers, as I'm not aware of any of our clients using it.

You could email their support team and see if the plugin was updated. Maybe if they get more reports, they'll set a higher priority for this bug.