Altered RPM Notice - cpanel-roundcubemail

MH-Stefan · Nov 22, 2016

Since about 2 weeks, we're getting the following notification from all servers on a daily basis:

[check_cpanel_rpms] There are altered RPMs
The system detected problems with the following cPanel-provided files that the RPM controls:

RPM Status Additional Information
cpanel-roundcubemail,1.1.4,8.cp1158-/usr/local/cpanel/base/3rdparty/roundcube/skins/larry/includes/footer.html Broken S.5....T.

If you did not make these changes intentionally, execute the following command as the root user to correct them:
/usr/local/cpanel/scripts/check_cpanel_rpms --fix

This notice is the result of a request from “rpmcheck”.
Click to expand...

Running the "check_cpanel_rpms --fix" command fixes the RPMs, but the next day the RPM breaks again.

This happens on old servers, as well as on freshly deployed servers. All servers run the latest cPanel version, currently 60.0 (build 25).

Is this a known bug? Is there any permanent fix for this available?

Thank you in advance.

cPanelMichael · Nov 23, 2016

Hello,

The cPanel RPM check script detects changes to files included as part of the Roundcube package. Do you have any third-party plugins or cron jobs that are automatically modifying the "/usr/local/cpanel/base/3rdparty/roundcube/skins/larry/includes/footer.html" file on the system?

Thank you.

MH-Stefan · Nov 23, 2016

Hello,

Thanks for the reply.

We have some WHM plugins installed, but none related to Webmail and nothing that would modify that specific file. At least not on purpose.

This even happened on a server that has only the ConfigServer plugins installed. I doubt that these would touch that file.

cPanelMichael · Nov 29, 2016

Hello,

Are you using the Attracta plugin? I've seen an additional report about this plugin making the change to the same file. You may want to report this issue to their support team to ensure it's corrected.

Thank you.

4u123 · Feb 15, 2017

I'm having this same problem - just started a few days ago after the recent cpanel update to 62.0.10. Why would Attracta make changes to Roundcube I wonder? That's pretty suspicious. Did you contact Attracta MH-Stefan?

cPanelMichael · Feb 15, 2017

Hello @4u123,

Audit logs on systems with Attracta installed do suggest Attracta is making changes to the /usr/local/cpanel/base/3rdparty/roundcube/skins/larry/includes/footer.html file. I haven't seen an indication their support team has been contacted about this topic by anyone on this thread, so you may want to submit a request to them if you are using Attracta and notice this issue:

Knowledge base | Attracta

Thank you.

MH-Stefan · Feb 18, 2017

I've reported this bug on Monday and got the following response:

Stefan thanks for reporting this to us! It is indeed a bug in the Attracta plugin that you have found, thanks so much for sending it over. Since the Attracta plugin has a wide installed base of servers, we have a lot of partners that request that we use our plugin to push out little customizations for them. Based on the file you've listed, it looks like your server is getting caught up in a request by a partner to add an analytics pixel to Roundcube. I'm not entirely sure why this is happening for you, but it's possible that your server's IP range is for some reason matching the partner that requested that change, or similar.

I'll get with our team to get a patched version that fixes that once and for all for you, but in the interim you can remove the changes (it's simply 2 lines, one comment and one javascript that does harmless analytics) with something like this:
sed -i '/username/d;/Attracta/d' /usr/local/cpanel/base/3rdparty/roundcube/skins/larry/includes/footer.html

That should clear the warning from cPanel.

Again very sorry for the mix-up; if you'd rather just uninstall the Attracta plugin that is fine too, just run:

/usr/local/cpanel/3rdparty/attracta/scripts/uninstall-attracta

Thanks again and let me know if you see anything else out of the ordinary! - Jason @ Attracta
Click to expand...

MDHMatt · Mar 7, 2017

Have you heard anything more from them like when they will be bringing out a patched update?

And does it return if you remove those lines manually?

MH-Stefan · Mar 7, 2017

MDHMatt said: ↑

Have you heard anything more from them like when they will be bringing out a patched update?

And does it return if you remove those lines manually?
Click to expand...

I didn't get any further reply. I simply decided to uninstall the plugin from all our servers, as I'm not aware of any of our clients using it.

You could email their support team and see if the plugin was updated. Maybe if they get more reports, they'll set a higher priority for this bug.

Forums

The Community Forums

Interact with an entire community of cPanel & WHM users!

Altered RPM Notice - cpanel-roundcubemail

MH-Stefan Member

cPanelMichael Forums Analyst
Staff Member

MH-Stefan Member

cPanelMichael Forums Analyst
Staff Member

4u123 Well-Known Member
PartnerNOC

cPanelMichael Forums Analyst
Staff Member

MH-Stefan Member

MDHMatt Registered

MH-Stefan Member

Altered RPMs notice from cPanel servers after CVE patch

Altered RPMs found - easy-basesystem

[check_cpanel_rpms] Altered RPMs found on

Get Altered RPMs found warning after patch CVE-2016-3714 ImageMagick

LFD Notice of Suspicious Process

Share This Page

Useful Searches

The Community Forums

Interact with an entire community of cPanel & WHM users!

Altered RPM Notice - cpanel-roundcubemail

MH-Stefan Member

cPanelMichael Forums Analyst Staff Member

MH-Stefan Member

cPanelMichael Forums Analyst Staff Member

4u123 Well-Known Member PartnerNOC

cPanelMichael Forums Analyst Staff Member

MH-Stefan Member

MDHMatt Registered

MH-Stefan Member

Altered RPMs notice from cPanel servers after CVE patch

Altered RPMs found - easy-basesystem

[check_cpanel_rpms] Altered RPMs found on

Get Altered RPMs found warning after patch CVE-2016-3714 ImageMagick

LFD Notice of Suspicious Process

Share This Page

cPanelMichael Forums Analyst
Staff Member

cPanelMichael Forums Analyst
Staff Member

4u123 Well-Known Member
PartnerNOC

cPanelMichael Forums Analyst
Staff Member