There are altered RPMs - cpanel-clamav-virusdefs

BlueSteam (Well-Known Member, joined Feb 21, 2013; cPanel Access Level: Reseller Owner)
Hi All,

I just got this email this morning.

[check_cpanel_rpms] There are altered RPMs on “#######”.
The system detected problems with the following cPanel-provided files that the RPM controls:
RPM | Status | Additional Information
cpanel-clamav-virusdefs,0.101.5,5.cp1198 - /usr/local/cpanel/3rdparty/share/clamav/.first-install/bytecode.cld.xz | Broken | .....UG..
cpanel-clamav-virusdefs,0.101.5,5.cp1198 - /usr/local/cpanel/3rdparty/share/clamav/.first-install/daily.cld.xz | Broken | .....UG..
cpanel-clamav-virusdefs,0.101.5,5.cp1198 - /usr/local/cpanel/3rdparty/share/clamav/.first-install/main.cld.xz | Broken | .....UG..
If you did not make these changes intentionally, execute the following command as the root user to correct them:
/usr/local/cpanel/scripts/check_cpanel_rpms --fix
This notice is the result of a request from “rpmcheck”.
The system generated this notice on Saturday, August 21, 2021 at 12:14:31 AM UTC.
“Altered RPMs Check” notifications are currently configured to have an importance of “High”. You can change the importance or disable this type of notification in WHM’s Contact Manager at: https://########/scripts2/editcontact?event=Check::CpanelRPMs
Do not reply to this automated message.

Right off the bat, I assume nothing is untoward about this because these are just the virus definitions being updated by cPanel or ClamAV's auto-updater?

If this is the case then why the warning? Is it something I should worry about? Should I still run the following command like it advises me to??

/usr/local/cpanel/scripts/check_cpanel_rpms --fix

waiting eagerly :)
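The `.....UG..` column in the notice is rpm's verify-flag string (the `rpm -V` format), and the two letters say only that user and group ownership differ from what the RPM database recorded. As an added example, not from the thread or from cPanel's tooling, this POSIX shell snippet decodes those flags and separates content changes (size or digest) from metadata-only drift; the three rows are constructed from the notice quoted above.

```shell
#!/bin/sh
# Added example (not from the thread or from cPanel's tooling): decode the
# rpm --verify flag string that check_cpanel_rpms prints in the notice's
# "Additional Information" column, e.g. ".....UG.." for the .cld.xz files.
# rpm -V uses nine positions, one per attribute, in the order S M 5 D L U G T P.
# '.' means the attribute matches the RPM database, a letter means it differs,
# and '?' means the test could not be performed.

decode_rpm_verify() {
    flags=$1
    out=""
    i=1
    while [ "$i" -le 9 ]; do
        c=$(printf '%s' "$flags" | cut -c"$i")
        case $c in
            S) out="$out size" ;;
            M) out="$out mode" ;;
            5) out="$out digest" ;;
            D) out="$out device" ;;
            L) out="$out symlink" ;;
            U) out="$out user" ;;
            G) out="$out group" ;;
            T) out="$out mtime" ;;
            P) out="$out capabilities" ;;
            '?') out="$out untestable" ;;
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# Size or digest drift means the file's contents changed; everything else is
# metadata-only drift (ownership, mode, mtime), which is what the notice shows.
classify_rpm_verify() {
    case $1 in
        *S*|*5*) echo content ;;
        *) echo metadata ;;
    esac
}

# Rows constructed from the notice quoted in the thread: "rpm path flags".
NOTICE_ROWS='cpanel-clamav-virusdefs,0.101.5,5.cp1198 /usr/local/cpanel/3rdparty/share/clamav/.first-install/bytecode.cld.xz .....UG..
cpanel-clamav-virusdefs,0.101.5,5.cp1198 /usr/local/cpanel/3rdparty/share/clamav/.first-install/daily.cld.xz .....UG..
cpanel-clamav-virusdefs,0.101.5,5.cp1198 /usr/local/cpanel/3rdparty/share/clamav/.first-install/main.cld.xz .....UG..'

printf '%s\n' "$NOTICE_ROWS" | while read -r rpm path flags; do
    printf '%-12s %-9s %s (%s)\n' "$(classify_rpm_verify "$flags")" "$flags" "$path" "$(decode_rpm_verify "$flags")"
done
```

For the rows in the notice every line classifies as `metadata`, with `user group` as the decoded attributes; a `5` or `S` in the same column would indicate the file body itself no longer matches the package.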
 

mtindor (Well-Known Member, joined Sep 14, 2004, location: inside a catfish; cPanel Access Level: Root Administrator)
I did as it said and ran:

/usr/local/cpanel/scripts/check_cpanel_rpms --fix

Seems to have "fixed" it.

[2021-08-21 07:27:14 -0400] The following files were found to be altered from their original RPM:
[2021-08-21 07:27:14 -0400] cpanel-clamav-virusdefs,0.101.5,5.cp1198
[2021-08-21 07:27:14 -0400]
[2021-08-21 07:27:14 -0400] Removing 1 broken rpms: cpanel-clamav-virusdefs-0.101.5-5.cp1198.x86_64
[2021-08-21 07:27:14 -0400] Maximum sync children set to 16 based on 24469M available memory.
[2021-08-21 07:27:14 -0400] Downloading http://httpupdate.cpanel.net/RPM/11.98/centos/8/x86_64/sha512
[2021-08-21 07:27:15 -0400] Successfully verified signature for cpanel (key types: release).
[2021-08-21 07:27:15 -0400] Downloading http://httpupdate.cpanel.net/RPM/11...-clamav-virusdefs-0.101.5-5.cp1198.x86_64.rpm
[2021-08-21 07:27:44 -0400] Disabling service monitoring.
[2021-08-21 07:27:44 -0400] Hooks system enabled.
[2021-08-21 07:27:44 -0400] Checking for and running RPM::Versions 'pre' hooks for any Packages about to be installed
[2021-08-21 07:27:44 -0400] All required 'pre' hooks have been run
[2021-08-21 07:27:44 -0400] No packages need to be uninstalled
[2021-08-21 07:27:44 -0400] Installing new rpms: cpanel-clamav-virusdefs-0.101.5-5.cp1198.x86_64.rpm
[2021-08-21 07:27:44 -0400] Verifying packages...
[2021-08-21 07:27:45 -0400] Preparing packages...
[2021-08-21 07:27:45 -0400] cpanel-clamav-virusdefs-0.101.5-5.cp1198.x86_64
[2021-08-21 07:27:47 -0400] Hooks system enabled.
[2021-08-21 07:27:47 -0400] Checking for and running RPM::Versions 'post' hooks for any Packages about to be installed
[2021-08-21 07:27:47 -0400] All required 'post' hooks have been run
[2021-08-21 07:27:47 -0400] Restoring service monitoring.
 

BlueSteam (Well-Known Member, joined Feb 21, 2013; cPanel Access Level: Reseller Owner)
I'm also running Alma.

What I am concerned about by doing this is that it might overwrite the latest virus definitions by putting back the old ones.

Anyone who is a cPanel guru able to confirm this?
 

BlueSteam (Well-Known Member, joined Feb 21, 2013; cPanel Access Level: Reseller Owner)
@mtindor I got this notice again today. Did you get it as well after running the command yesterday? I didn't run it yesterday so I'm wondering if your choice to run it has fixed the problem for good.
 

mtindor (Well-Known Member, joined Sep 14, 2004, location: inside a catfish; cPanel Access Level: Root Administrator)
> @mtindor I got this notice again today. Did you get it as well after running the command yesterday? I didn't run it yesterday so I'm wondering if your choice to run it has fixed the problem for good.
Mine is working fine. No more warnings. I ran the command yesterday like I said I did and moved on. It's just clamav defs.

Mike
 

BlueSteam (Well-Known Member, joined Feb 21, 2013; cPanel Access Level: Reseller Owner)
Yeah, you say it's fine and it's just the clamav defs, but by running the command, doesn't it REVERT the definitions?

Surely we want the LATEST definitions?
 

BlueSteam (Well-Known Member, joined Feb 21, 2013; cPanel Access Level: Reseller Owner)
So then I assume it is safe to run the commands advised in the alert notification?

I think the better question, then, is why it has changed at all? Hmm...
 

cPRex (Jurassic Moderator, Staff member, joined Oct 19, 2014; cPanel Access Level: Root Administrator)
It's just a standard warning that gets sent out - we see a change, we send the notification, and we leave it up to the admin to decide if it's an issue. In this case, it's just normal updates happening. You can find more details on this here:

 

mtindor (Well-Known Member, joined Sep 14, 2004, location: inside a catfish; cPanel Access Level: Root Administrator)
> @mtindor - from the output provided in this thread, it seems to be downloading the same version that the RPM check complained about.
>
> @BlueSteam - It would not perform a downgrade with any yum or rpmcheck commands unless it was specifically told to do so.
I'm not the one questioning it, Rex.
 

BlueSteam (Well-Known Member, joined Feb 21, 2013; cPanel Access Level: Reseller Owner)
> It's just a standard warning that gets sent out - we see a change, we send the notification, and we leave it up to the admin to decide if it's an issue. In this case, it's just normal updates happening. You can find more details on this here:

Thank you very much :-D