Rootkit warning message - a question

January 5, 2014 2.1k views
paul.alford51
By:
paul.alford51
Hi, Should I be worried about this message from rkhunter? Warning: The following processes are using deleted files: Process: /usr/sbin/mysqld PID: 723 File: /tmp/ibbHqlhP Process: /usr/bin/python2.7 PID: 8085 File: /usr/bin/python2.7 Many thanks in advance.
Log In to Comment
2 Answers
kamaln7 MOD January 5, 2014 
Process: /usr/sbin/mysqld PID: 723 File: /tmp/ibbHqlhP

That's fine, MySQL writes temporary tables to /tmp. 
Process: /usr/bin/python2.7 PID: 8085 File: /usr/bin/python2.7

It seems like the python2.7 executable was replaced—have you upgraded python recently?
Reply
paul.alford51 January 5, 2014
Hi Kamil,

No, This is a pretty fresh droplet. Only added mod-security and denyhosts, then rkhunter and clamav (but clam was installed after the rootkit scan).
Reply
Have another answer? Share your knowledge.