Altered RPMs Email Today

GoWilkes

Well-Known Member
Sep 26, 2006
670
31
178
cPanel Access Level
Root Administrator
I had literally just reinstalled an SSL cert when I got this email:

Code:
The system detected problems with the following cPanel-provided files that the RPM controls:

RPM Status Additional Information
MySQL55-client,5.5.48,1.cp1148-/usr/bin/mysql Broken S.?......
There are dozens of those lines. I didn't want to paste them if they were unnecessary, but I can upon request.

In an earlier thread, someone had a similar problem and cPanelMichael asked to post the results from rpm -qa|grep MySQL, so...

Code:
# rpm -qa|grep MySQL
compat-MySQL51-shared-5.1.73-1.cp1150.x86_64
MySQL55-shared-5.5.48-1.cp1148.x86_64
cpanel-perl-514-MySQL-Diff-0.43-4.cp1146.x86_64
MySQL55-client-5.5.48-1.cp1148.x86_64
MySQL55-devel-5.5.48-1.cp1148.x86_64
compat-MySQL50-shared-5.0.96-4.cp1136.x86_64
MySQL55-server-5.5.48-1.cp1148.x86_64
MySQL55-test-5.5.48-1.cp1148.x86_64
Should I run /usr/local/cpanel/scripts/check_cpanel_rpms --fix, or just leave it be?
 

Forcerdj

Well-Known Member
Nov 30, 2009
68
1
58
Received this email this morning..

Code:
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysql    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysql_config_editor    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysql_waitpid    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysqladmin    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysqlbinlog    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysqlcheck    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysqldump    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysqlimport    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysqlshow    Broken    S.?......
MySQL56-client,5.6.29,1.cp1148-/usr/bin/mysqlslap    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/innochecksum    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/my_print_defaults    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/myisam_ftdump    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/myisamchk    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/myisamlog    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/myisampack    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/mysql_plugin    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/mysql_tzinfo_to_sql    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/mysql_upgrade    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/mysqltest    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/perror    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/replace    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/resolve_stack_dump    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/bin/resolveip    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/sbin/mysqld    Broken    S.?......
MySQL56-server,5.6.29,1.cp1148-/usr/sbin/mysqld-debug    Broken    S.?......
MySQL56-test,5.6.29,1.cp1148-/usr/bin/mysql_client_test    Broken    S.?......
MySQL56-test,5.6.29,1.cp1148-/usr/bin/mysql_client_test_embedded    Broken    S.?......
MySQL56-test,5.6.29,1.cp1148-/usr/bin/mysqltest_embedded    Broken    S.?......
cpanel-userperl,1.0,1.cp1136-/usr/bin/perlml    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/bin/doveadm    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/bin/doveconf    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/lib64/dovecot/libdovecot-lda.so.0.0.0    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/lib64/dovecot/libdovecot-login.so.0.0.0    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/lib64/dovecot/libdovecot-storage.so.0.0.0    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/lib64/dovecot/libdovecot.so.0.0.0    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/aggregator    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/anvil    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/auth    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/checkpassword-reply    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/config    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/dict    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/director    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/dns-client    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/doveadm-server    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/dovecot-lda    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/gdbhelper    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/imap    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/imap-hibernate    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/imap-login    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/imap-urlauth    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/imap-urlauth-login    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/imap-urlauth-worker    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/indexer    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/indexer-worker    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/ipc    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/lmtp    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/log    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/maildirlock    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/pop3    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/pop3-login    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/quota-status    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/rawlog    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/replicator    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/script    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/script-login    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/ssl-params    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/stats    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/xml2text    Broken    S.?......
dovecot,2.2.21,1.cp1154-/usr/sbin/dovecot    Broken    S.?......
exim,4.86,6.cp1154-/usr/sbin/exim_dbmbuild    Broken    S.?......
exim,4.86,6.cp1154-/usr/sbin/exim_dumpdb    Broken    S.?......
exim,4.86,6.cp1154-/usr/sbin/exim_fixdb    Broken    S.?......
exim,4.86,6.cp1154-/usr/sbin/exim_lock    Broken    S.?......
exim,4.86,6.cp1154-/usr/sbin/exim_tidydb    Broken    S.?......
exim,4.86,6.cp1154-/usr/sbin/sendmail    Broken    S.?......
Is this normal? it says I can run

/usr/local/cpanel/scripts/check_cpanel_rpms --fix

Should I go ahead with this?

I am using CloudLinux.
 

ramorse

Well-Known Member
Sep 6, 2003
256
5
168
cPanel Access Level
Root Administrator
Ditto. From all servers. Have never seen it before. Need to know if it's safe to run:
/usr/local/cpanel/scripts/check_cpanel_rpms --fix
 

darknite323

Registered
Feb 17, 2016
2
0
1
Australia
cPanel Access Level
Root Administrator
I'm getting the same messages from two of our cPanel servers. Message is exactly the same on both.
I won't bother reposing the entire list but it's exactly the same as whatForcerdj posted above, except that the MySQL version is MySQL55-server,5.5.48,1.cp1148

Possibly something missing in the latest cPanel update?
And can someone confirm that they've run the fix "check_cpanel_rpms --fix " successfully, last thing I want to do is break MySQL and Exim.
 
Feb 5, 2016
12
1
3
My Desk
cPanel Access Level
Root Administrator
Five of our servers have sent me these emails this morning "[check_cpanel_rpms] There are altered RPMs on ..."

Looks like this is a wider problem; what's going on and what should we be doing? After a quick search online I found someone that ran the suggested script and his database no longer worked, so I don't want to touch anything unless it's definitely safe. And I don't understand why this happened in the first place.
 

jplill

Registered
Feb 18, 2016
1
0
1
Cambridge, MA
cPanel Access Level
Website Owner
I received this notice from 2 of my servers. Ran the suggested command (check_cpanel_rpms --fix) on one and got a "command not found" error. I checked, the script is definitely in the directory where it should be. Am posting here to see if anyone can provide insight.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,884
2,254
463

ladydi711

Well-Known Member
Sep 4, 2001
140
6
318
I also received the notice and would like to hear more from Cpanel on what has triggered. I have not yet run the /usr/local/cpanel/scripts/check_cpanel_rpms --fix command.

Thanks!
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
585
25
153
cPanel Access Level
Root Administrator
Hello,

Please see if you have PRELINKING enabled. Look in /etc/sysconfig/prelink and see if PRELINKING=yes is there. If so, change it to PRELINKING=no and run: /etc/cron.daily/prelink

Then remove the prelink rpm with: yum remove prelink

This is likely happening because of CVE-2015-7547
PRELINK! Changes the binary size, and the recent glibc update (to address the above CVE) will cause prelink to re-link pretty much everything on the system. We have not recommended using PRELINK in a very long time, and as of 54, it will no longer be allowed on new installs.

Once prelink is removed, you'll also want to restart dovecot with: /usr/local/cpanel/scripts/restartsrv_dovecot
Because this can cause dovecot authentication errors as well until you restart.
 
  • Like
Reactions: Dhaupin and Metro2

Mark Donne

Member
Nov 12, 2015
7
1
53
Fleet, Hants UK
cPanel Access Level
DataCenter Provider
Hi Peter

Thank you for the detailed answer, that certainly worked for us. I am curious about one of your comments though:

We have not recommended using PRELINK in a very long time
Where should we be seeing this kind of advice as it is obviously very useful! If people have been running a WHM server for a few years and letting the upgrade process run how do they find out about these little recommended tweaks to the base OS?

Thanks again
Mark Donne
 

cPanelPeter

Senior Technical Analyst
Staff member
Sep 23, 2013
585
25
153
cPanel Access Level
Root Administrator
Hello Mark,

Apologies if I was a little unclear. I can see how my response can be confusing. We didn't actually state anywhere that PRELINKING should be disabled but in our Installation Guide we do mention that we recommend a minimal install.

  • We recommend that you use the minimal installer, especially if you choose to install CentOS 7.
When using the minimal install, Prelink is automatically disabled (as is SELinux which we don't recommend either). Many users however do a full install and that does enable Prelinking (and SELinux). Remember, having Prelinking enabled doesn't actually prevent cPanel/WHM from running. However it also does not really help with speed either and as you've seen can cause issues when some RPM's are updated.

Let me know if something still isn't clear.
 
Feb 5, 2016
12
1
3
My Desk
cPanel Access Level
Root Administrator
So overnight five of our cPanel servers have sent emails of this nature:

The system detected problems with the following cPanel-provided files that the RPM controls:

RPM Status Additional Information
dovecot,2.2.21,1.cp1154-/usr/lib64/dovecot/libdovecot-login.so.0.0.0 Broken S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/imap-login Broken S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/imap-urlauth-login Broken S.?......
dovecot,2.2.21,1.cp1154-/usr/libexec/dovecot/pop3-login Broken S.?......​

What's the score here, what's gone wrong?
 

bigbankclub

Registered
Dec 23, 2014
4
0
1
cPanel Access Level
Root Administrator
I receive these Altered RPMs Check type emails at random. I'm not making updates or changes to the server. yet these email arrive. I understand notifications are a normal practice when enabled; but what's the trigger?

Plus there a fix "/usr/local/cpanel/scripts/check_cpanel_rpms --fix"

I am guessing it's safe to run.

dovecot,2.2.21,1.cp1154-/usr/lib64/dovecot/libdovecot-login.so.0.0.0 Broken S.?......

Is in the email - any concern?
 

RobinF28

Active Member
Jun 27, 2015
42
8
58
Elgin, Scotland
cPanel Access Level
Root Administrator
Hi everyone,

I had the exact same issue & notifications, so I followed this advise, and ultimately removed Prelink.
Everything went according to plan (as above), and afterwards I checked with...

Code:
/scripts/check_cpanel_rpms --long-list
...and received a clean (empty) response, indicating that the issue was not now present.

All fixed, thank you cPanel.

- Robin.
 
  • Like
Reactions: Infopro

linux4me2

Well-Known Member
Aug 21, 2015
259
79
78
USA
cPanel Access Level
Root Administrator
Take a look at this entry in this thread. I think it will answer all your questions.

I have gotten the Altered RPMs email a couple of times, including this morning, and did have PRELINKING enabled. I followed cPanelPeter's instructions (after running /usr/local/cpanel/scripts/check_cpanel_rpms --fix) and they went without a hitch.