Processes using deleted files.

Philip_B · April 8, 2015, 1:08pm

Hi,

Virtualmin updated my CentOS 7 to 7.1 several days ago (163 packages). Since this has happened RKHunter is emailing me the following warnings.

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The following processes are using deleted files:
Process: /usr/libexec/mysqld PID: 1179 File: /var/tmp/ibPApPHR
Process: /usr/sbin/anacron PID: 8039 File: /tmp/filelydHfA
Process: /usr/bin/bash PID: 8435 File: /tmp/filelydHfA
Process: /usr/bin/gawk PID: 8581 File: /tmp/filelydHfA

----------------------- End Rootkit Hunter Scan -----------------------

Before I start searching through the Centos forums for answers I just wanted to check that this is not related to Virtualmin.

Many thanks,

Philip

Eric · April 8, 2015, 2:01pm

Howdy,

You may want to try restarting MySQL… I’m curious if restarting it resolves the issues you’re seeing.

-Eric

Philip_B · April 8, 2015, 2:48pm

Thanks for the quick response Eric.

I did reboot after all the updates and my own MyBB forum website, using MYSQLi, is working without problem. I optimised the database tables yesterday.

I stopped MYSQL (In Webmin) as you advised and it did stop but produced the following error

“MySQL is not running on your system - database list could not be retrieved.”

I restarted MYSQL successfully and checked my forum and the php scripts are accessing the database ok.

I ran a manual RKHunter scan and checked the log to find this warning.

Info: Starting test name ‘deleted_files’

[15:31:27] Checking running processes for deleted files [ Warning ]

[15:31:27] Warning: The following processes are using deleted files:

[15:31:27] Process: /usr/libexec/mysqld PID: 14486 File: /var/tmp/ibf8V2OF"

Regards,

Philip

Eric · April 8, 2015, 3:08pm

Howdy,

Well, I suspect what you’re seeing is safe to ignore… however, if you’d like to dig into that a big more, I poked around a bit and found some examples of other people who saw that issue with rkhunter and MySQL:

http://serverfault.com/questions/590944/rkhunter-reported-processes-that-are-using-deleted-files-or-are-listening-on-the

http://sourceforge.net/p/rkhunter/mailman/rkhunter-users/thread/9f7c2a80908180008q8272bdxe929ac3d4648cb07@mail.gmail.com/

Philip_B · April 9, 2015, 10:28am

Hi Eric,

Thanks for the links. Much appreciated. I received my daily scan report from RKHunter this morning with warnings as per before. It also stated to chmod /var/tmp to 1777 (it was 755). Strange as I had not changed this file. I have changed it back.

A month ago I was unable to create a symbolic link from /var/tmp to /tmp which is mounted with restrictions. After a lot of searching and reading I found out Centos 7 uses /var/tmp differently to CentOS 6 in that it creates is own mini-processes there and I was unable to take a backup, clear /var/tmp and create the link. It still said files were still in use.

Do you think this may be related?

Philip