Processes using deleted files.


Virtualmin updated my CentOS 7 to 7.1 several days ago (163 packages). Since this has happened RKHunter is emailing me the following warnings.

---------------------- Start Rootkit Hunter Scan ----------------------
Warning: The following processes are using deleted files:
Process: /usr/libexec/mysqld PID: 1179 File: /var/tmp/ibPApPHR
Process: /usr/sbin/anacron PID: 8039 File: /tmp/filelydHfA
Process: /usr/bin/bash PID: 8435 File: /tmp/filelydHfA
Process: /usr/bin/gawk PID: 8581 File: /tmp/filelydHfA

----------------------- End Rootkit Hunter Scan -----------------------

Before I start searching through the Centos forums for answers I just wanted to check that this is not related to Virtualmin.

Many thanks,



You may want to try restarting MySQL… I’m curious if restarting it resolves the issues you’re seeing.


Thanks for the quick response Eric.

I did reboot after all the updates and my own MyBB forum website, using MYSQLi, is working without problem. I optimised the database tables yesterday.

I stopped MYSQL (In Webmin) as you advised and it did stop but produced the following error

“MySQL is not running on your system - database list could not be retrieved.”

I restarted MYSQL successfully and checked my forum and the php scripts are accessing the database ok.

I ran a manual RKHunter scan and checked the log to find this warning.

Info: Starting test name ‘deleted_files’

[15:31:27] Checking running processes for deleted files [ Warning ]

[15:31:27] Warning: The following processes are using deleted files:

[15:31:27] Process: /usr/libexec/mysqld PID: 14486 File: /var/tmp/ibf8V2OF"




Well, I suspect what you’re seeing is safe to ignore… however, if you’d like to dig into that a big more, I poked around a bit and found some examples of other people who saw that issue with rkhunter and MySQL:

Hi Eric,

Thanks for the links. Much appreciated. I received my daily scan report from RKHunter this morning with warnings as per before. It also stated to chmod /var/tmp to 1777 (it was 755). Strange as I had not changed this file. I have changed it back.

A month ago I was unable to create a symbolic link from /var/tmp to /tmp which is mounted with restrictions. After a lot of searching and reading I found out Centos 7 uses /var/tmp differently to CentOS 6 in that it creates is own mini-processes there and I was unable to take a backup, clear /var/tmp and create the link. It still said files were still in use.

Do you think this may be related?