[Urgent] There are altered Packages on server.example.com

  • MindServer

    Additional information:

    I checked my servers and have the missing directory mentioned in your article (/usr/local/cpanel/whostmgr/addonfeatures) created at: 14-Jun-2025 00:17:50

    The article: https://support.cpanel.net/hc/en-us/articles/32731714006551-Update-to-latest-cPanel-110-126-or-128-versions-removes-addonfeatures-directory

    In this directory I have jetbackup, softaculous, imunify360 and other software directories.

    Thank you again.

    0
  • Andrew

    Run the first command which should sort this out.

    Andrew N. - cPanel Plesk VMWare Certified Professional
    Do you need immediate assistance? 20 minutes response time!* Open a ticket
    EmergencySupport - Professional Server Management and One-time Services

    1
  • MindServer

    Hi friends,

    Any news?

    WHM/cPanel updated automatically to version: 11.110.0.68

    However, I didn't receive any email with information; normally after each update you receive an email.

    I'm not sure if I should run any of the commands mentioned above.

    Thanks for your help!

    0
  • ITHKBO

    We noticed that the executable file from clamav was gone from /usr/local/cpanel/whostmgr/addonfeatures
    This was logged on our end on Sunday, June 15, 2025 at 2:17:47 AM UTC.
    This was fixed after running /usr/local/cpanel/scripts/check_cpanel_pkgs --fix

    This can be validated in terminal with ls /usr/local/cpanel/whostmgr/addonfeatures
    clamavconnector shows white text
    and after running /usr/local/cpanel/scripts/check_cpanel_pkgs --fix
    clamavconnector text color is green, indicating executable status.

    We did not notice any effects on our end: in the cPanel plugin, before running the fix, the addon was still showing up as accessible.

    We also do not have any indication of service interruption with regard to JB5, Imunify AV / 360 before executing the fix. All schedules were executed at June 15, 2025 4:01 AM UTC without errors, which is after the clamav error was logged.


    In short, impact seems to be limited to ClamAV; it is unclear if this is directly related to the missing addonfeatures directory. Running both fixes after each other seems to have no adverse effect on services; we are monitoring the situation on our own network.

    Disclaimer: this is not an official answer.

    1
  • cPRex Jurassic Moderator

    MindServer - you would only need to run those commands if you aren't seeing the plugins working inside cPanel.

    0
  • MindServer

    Thank you very much, everyone.

    I ran some tests and the plugins like JetBackup, Imunify360, etc. are working correctly. I haven't found any errors in WHM or the users' cPanel accounts.

    My issue is, one day after receiving this message:

    Altered Packages found.

    The system detected problems with the following cPanel-provided files that the Packaging System controls: 

     cpanel-clamav,0.104.4.2,4.cp108~el7-/usr/local/cpanel/whostmgr/addonfeatures/clamavconnector 

     If you did not make these changes intentionally, execute the following command as the root user to correct them: 

     /usr/local/cpanel/scripts/check_cpanel_pkgs --fix 

    WHM/cPanel updated automatically to version 11.110.0.68

    I stopped receiving the daily automatic update checks / notification emails like previous years:

    Your system’s cPanel & WHM version (11.110.0.65) 

    Is it normal that version 11.110.0.68 no longer sends daily update check emails?

    Thank you again.

    0
  • cPRex Jurassic Moderator

    <redacted due to misinformation>

    0
  • MindServer

    Hi!,

    -I checked "/var/log/exim_mainlog" and didn't find any logs about this email. The last related log says "Altered Packages found." and it was before the 11.110.0.68 update.

    -In WHM/cPanel -> Mail Queue Manager, there are no pending emails.

    -In "Home » Server Configuration » Configure cPanel Cron Jobs » Command: upcp", it's configured to run at 0:15h. Could it be that this cron job isn't working correctly? Should I press the "Save" button to regenerate it?

    We don't know if the server is executing updates but failing to send email notifications, or if it’s not updating at all.

    Note: CloudLinux runs its updates correctly and sends email notifications.

    Thank you again.

    0
  • cPRex Jurassic Moderator

    Would you happen to have an example of the subject line of one of the previous emails so I can look into this?  I'm only seeing update failure notification options when I check the WHM >> Contact Manager page.

    1
  • quietFinn

    I believe that you are notified only if the update fails.
    I remember getting those notifications earlier, but that was years ago.

    1
  • cPRex Jurassic Moderator

    I'm also not seeing any recent notifications from my personal machine about successful updates.

    1
  • MindServer

    Yes, the previous subject where everything worked fine is:

    Daily update check - Version 11.110.0.62:

    [server.domain.com] cPanel & WHM version (11.110.0.62) will reach End of Life

    Daily update check - Version 11.110.0.65:

    [server.domain.com] cPanel & WHM version (11.110.0.65) will reach End of Life

    The subject related to the recent "error package" is:

    [server.domain.com] Altered Packages found.

    Note: remember to replace "server.domain.com" with WHM/cPanel URL, don't remove: [ ]

    Thank you very much!

    0
  • cPRex Jurassic Moderator

    The subject line of the email is "Daily update check - version ####" correct?  

    0
  • MindServer

    cPRex Nope, sorry for the confusion.

    The subjects are the text that you see between code tags:

    [server.domain.com] cPanel & WHM version (11.110.0.62) will reach End of Life
    [server.domain.com] cPanel & WHM version (11.110.0.65) will reach End of Life
    [server.domain.com] Altered Packages found.

    Note: remember to replace "server.domain.com" with WHM/cPanel URL, don't remove: [ ]

    0
  • cPRex Jurassic Moderator

    Those don't look like update notifications to me, but an EOL notification that is separate from the update system.

    0
  • MindServer

    However I always received this notification every day at WHM/cPanel update hour.

    You don't receive daily email update notifications?

    0
  • ITHKBO

    The last time we received server update notifications pertaining to successful WHM, cPanel updates, was more than 5 years ago and ended with version 82

    The contact manager notification tab in WHM has no alert type anymore for successful update notifications. These are the update-centered types you do have regarding updates. Under WHM → Contact Manager → Notifications

    cPanel Update Failures
    Exim Update Failures
    System Update Failures
    Update Blocker - Service Deprecation Notice
    Update Failure Due to Immutable Files
    Update Failures
    Update Version Blocker

    EOL notifications are listed there under
    cPanel & WHM End of Life Notice

    For notification templates, you can view the associated page at
    https://docs.cpanel.net/whm/server-contacts/contact-manager/

    The EOL messages are delivered through normal update procedure. So event driven.


    However, I do notice that your last provided version message said 11.110.0.65 while the last 110 version to date is 11.110.0.68, and I see a logged case from 6 days ago under CPANEL-47741 that specifically mentions that there have been issues with the cpupdate.conf that should trigger the daily run. It seems your infrastructure might have temporarily suffered from it.

    Which could explain the reason why you had not received the notification itself as of late. I would check the workaround mentioned in the article below and see if that also restores the EOL notification being sent.
    https://support.cpanel.net/hc/en-us/articles/32743643910039-cPanel-LTS-110-0-67-Unavailable

    0
  • MindServer

    ITHKBO I will check this and write you soon, thank you very much friend.

    0
  • MindServer

    Hi friends, cPRex

    Again we received this email on 2 servers:

    [check_cpanel_pkgs] There are altered Packages on server.domain.com

    The system detected problems with the following cPanel-provided files that the Packaging System controls: 

     cpanel-clamav,0.104.4.2,4.cp108~el7-/usr/local/cpanel/whostmgr/addonfeatures/clamavconnector Broken     missing

     If you did not make these changes intentionally, execute the following command as the root user to correct them: 

     /usr/local/cpanel/scripts/check_cpanel_pkgs --fix 

    Do you recommend that I execute this command: /usr/local/cpanel/scripts/check_cpanel_pkgs --fix

    Is it safe? We never had this problem in years.

    Thank you very much.

    0
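Added example, not part of any post in this thread and not cPanel's own code: a shell helper that pulls the package name, version, release and file path out of an "Altered Packages" e-mail and reports whether each file is missing, present without the execute bit, or executable, instead of reading `ls` colours. The entry layout (`name,version,release-/path status`) is inferred from the notification quoted above; the function names and the optional root-prefix argument are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example. Assumed entry layout, inferred from the e-mail in this thread:
#   name,version,release-/absolute/path [status words]
# Paths that contain spaces are not handled.

# Constructed sample: body of an "Altered Packages" notification.
SAMPLE_NOTICE='The system detected problems with the following cPanel-provided files:

 cpanel-clamav,0.104.4.2,4.cp108~el7-/usr/local/cpanel/whostmgr/addonfeatures/clamavconnector Broken     missing

If you did not make these changes intentionally, execute the following command:'

# parse_altered_line LINE -> prints "name|version|release|path", else returns 1
parse_altered_line() {
    local entry name version rest
    # Keep only the first whitespace-delimited token of the line.
    entry=$(printf '%s\n' "$1" | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]].*$//')
    case "$entry" in
        *,*,*-/*) ;;
        *) return 1 ;;      # prose, blank line or command: not a package entry
    esac
    name="${entry%%,*}";   rest="${entry#*,}"
    version="${rest%%,*}"; rest="${rest#*,}"
    # The release ends at the first "-/"; the path starts at that "/".
    printf '%s|%s|%s|/%s\n' "$name" "$version" "${rest%%-/*}" "${rest#*-/}"
}

# file_state PATH [ROOT] -> missing | not-executable | executable
# ROOT is an optional prefix (hypothetical, for checking a mounted copy).
file_state() {
    local target="${2:-}$1"
    if [ ! -e "$target" ]; then echo missing
    elif [ ! -x "$target" ]; then echo not-executable
    else echo executable
    fi
}

# triage [ROOT] : reads notification text on stdin, prints one line per entry:
#   name|version|release|path|state
triage() {
    local root="${1:-}" line parsed
    while IFS= read -r line; do
        parsed=$(parse_altered_line "$line") || continue
        printf '%s|%s\n' "$parsed" "$(file_state "${parsed##*|}" "$root")"
    done
}

printf '%s\n' "$SAMPLE_NOTICE" | triage
```

Running `triage` on the same notification text before and after `check_cpanel_pkgs --fix` shows whether the state of each listed file actually changed.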
  • ITHKBO

    It is absolutely safe to run the command; it is designed to repair any cPanel, WHM packages and it will not touch any configuration files unless something was already lost.

    However if you already ran the command previously on the same addonfeatures notification and the issue stays the same then I would recommend creating a ticket.

    We ran the command and the notification did not come back for the same version.

    For more information regarding the command:
    https://docs.cpanel.net/knowledge-base/rpm-versions/the-check_cpanel_pkgs-script/

    0
  • MindServer

    Thank you very much friend ITHKBO,

    I executed the command on the first server and it returned this:

    [2025-06-23 12:40:31 +0200]   Problems were detected with cPanel-provided files which are controlled by packages.
    [2025-06-23 12:40:31 +0200]   If you did not make these changes intentionally, you can correct them by running:
    [2025-06-23 12:40:31 +0200]
    [2025-06-23 12:40:31 +0200]   > /usr/local/cpanel/scripts/check_cpanel_pkgs --fix
    [2025-06-23 12:40:31 +0200]
    [2025-06-23 12:40:31 +0200]   The following files were found to be altered from their original package form:
    [2025-06-23 12:40:31 +0200]   cpanel-clamav,0.104.4.2,4.cp108~el7
    [2025-06-23 12:40:31 +0200]
    [2025-06-23 12:40:31 +0200]   Removing 1 broken rpms: cpanel-clamav-0.104.4.2-4.cp108~el7.x86_64
    [2025-06-23 12:40:31 +0200]   Maximum sync children set to 16 based on 57105M available memory.
    [2025-06-23 12:40:31 +0200]   Downloading http://httpupdate.cpanel.net/RPM/11.108/centos/7/x86_64/sha512
    [2025-06-23 12:40:32 +0200]   Successfully verified signature for cpanel (key types: release).
    [2025-06-23 12:40:32 +0200]   Downloading http://httpupdate.cpanel.net/RPM/11.108/centos/7/x86_64/cpanel-clamav-0.104.4.2-4.cp108~el7.x86_64.rpm
    [2025-06-23 12:40:33 +0200]   Disabling service monitoring.
    [2025-06-23 12:40:33 +0200]   Hooks system enabled.
    [2025-06-23 12:40:33 +0200]   Checking for and running RPM::Versions 'pre' hooks for any Packages about to be installed
    [2025-06-23 12:40:33 +0200]   All required 'pre' hooks have been run
    [2025-06-23 12:40:33 +0200]   No packages need to be uninstalled
    [2025-06-23 12:40:33 +0200]   Installing new rpms: cpanel-clamav-0.104.4.2-4.cp108~el7.x86_64.rpm
    [2025-06-23 12:40:33 +0200]   Preparing packages...
    [2025-06-23 12:40:34 +0200]   Locking password for user clamav.
    [2025-06-23 12:40:34 +0200]   passwd: Success
    [2025-06-23 12:40:34 +0200]   cpanel-clamav-0.104.4.2-4.cp108~el7.x86_64
    [2025-06-23 12:40:34 +0200]   warning: /usr/local/cpanel/3rdparty/etc/cpclamav.conf saved as /usr/local/cpanel/3rdparty/etc/cpclamav.conf.rpmorig
    [2025-06-23 12:40:35 +0200]   runPost_install
    [2025-06-23 12:40:35 +0200]   runPost_all
    [2025-06-23 12:40:35 +0200]   clamavconnector registered
    [2025-06-23 12:40:35 +0200]   ClamAV update process started at Mon Jun 23 12:40:35 2025
    [2025-06-23 12:40:35 +0200]   WARNING: Your ClamAV installation is OUTDATED!
    [2025-06-23 12:40:35 +0200]   WARNING: Local version: 0.104.4 Recommended version: 1.0.9
    [2025-06-23 12:40:35 +0200]   DON'T PANIC! Read https://docs.clamav.net/manual/Installing.html
    [2025-06-23 12:40:35 +0200]   daily database available for update (local version: 27677, remote version: 27678)
    [2025-06-23 12:40:36 +0200]   Testing database: '/usr/local/cpanel/3rdparty/share/clamav/tmp.c299c8bf45/clamav-e30987f90878a295eae1f7467bd69777.tmp-daily.cld' ...
    [2025-06-23 12:40:41 +0200]   Database test passed.
    [2025-06-23 12:40:41 +0200]   daily.cld updated (version: 27678, sigs: 2075789, f-level: 90, builder: raynman)
    [2025-06-23 12:40:41 +0200]   main.cld database is up-to-date (version: 62, sigs: 6647427, f-level: 90, builder: sigmgr)
    [2025-06-23 12:40:41 +0200]   bytecode.cld database is up-to-date (version: 336, sigs: 83, f-level: 90, builder: nrandolp)
    [2025-06-23 12:40:41 +0200]   Adding clamd to chkservd
    [2025-06-23 12:40:43 +0200]   Configuration file passes test!  New configuration file was installed.
    [2025-06-23 12:40:43 +0200]
    [2025-06-23 12:40:43 +0200]
    [2025-06-23 12:40:43 +0200]
    [2025-06-23 12:40:43 +0200]   /etc/exim.pl.local installed!
    [2025-06-23 12:40:43 +0200]   Refreshing SMTP Mail protection.
    [2025-06-23 12:40:43 +0200]   SMTP Mail protection has been disabled.  All users may make outbound smtp connections.
    [2025-06-23 12:40:44 +0200]   scripts/restartsrv_clamd
    [2025-06-23 12:40:57 +0200]   Hooks system enabled.
    [2025-06-23 12:40:57 +0200]   Checking for and running RPM::Versions 'post' hooks for any Packages about to be installed
    [2025-06-23 12:40:57 +0200]   All required 'post' hooks have been run
    [2025-06-23 12:40:57 +0200]   Restoring service monitoring.

    I think this is a normal result, can you confirm it for me please?

    Regarding this line: SMTP Mail protection has been disabled. All users may make outbound SMTP connections.

    Do you recommend enabling this tool: WHM/cPanel → Security Center → SMTP Restrictions?

    Will it block clients’ SMTP connections from external email clients like Gmail, Thunderbird, Outlook, etc.?

    We've been using Imunify360 and CSF for several years and they work fine for blocking unauthorized SMTP connections.

    Thank you again!

    0
  • ITHKBO

    Seems ok; however, this restores packages; it will not update them to later versions, hence its warning for outdated version in the log. So you want to update it after fixing the package *if* your WHM version allows for the new version. But apart from that, nothing out of the ordinary. You can always do a test run with something like an EICAR file; just make sure that Imunify360 does not handle it before ClamAV.

    As for the SMTP protection, or as it's called, SMTP Restrictions in the Security Center, if you have a ConfigServer firewall, it must be set to off. If not, it is up to your discretion. CSF handles additional configuration with SMTP_Block.

    If you have CSF, you can verify this information by running Check Server Security with Run Again and Display All Checks; it should list the reason why you should not use SMTP restrictions.

    0
  • MindServer

    Thank you very much!

    But I think in daily updates WHM/cPanel will upgrade all packages, correct?

    Have a nice day!

    0
  • cPRex Jurassic Moderator

    Yes, the nightly update should check all packages on the machine.

    0
  • ITHKBO

    Yes, if the Clam AV for your WHM version has an update for 110 that is. For 110 that should be cpanel-clamav-0.104.4.2-4, the higher version of Clam AV is for the more recent WHM. And I do not believe that it is possible to manually update it either without problems. So as long as you use 110, consider it a notification, not an error. cPRex can correct me on this if I am wrong.

    Basing this information on the 110 changelog:
    https://docs.cpanel.net/changelogs/110-change-log/

    0
  • MindServer

    Thank you very much for all.

    Have a nice day!

    0