Question

lfd Suspicious process running under user nobody for do-agent

Hi!

I have a VPS with CentOS 7 and CWP installed on it. CWP has the CSF firewall, and lfd sends me email alerts many times a day because of the do-agent. I don't want to disable do-agent because it is for monitoring. I don't want to disable the email alerts either. Is there any way to stop lfd alerting me because of the do-agent?

The alert is: Suspicious process running under user nobody

Time: Tue Apr 9 18:03:23 2019 +0200
PID: 3528 (Parent PID:3528)
Account: nobody
Uptime: 18128 seconds

Executable:

/opt/digitalocean/bin/do-agent

Command Line (often faked in exploits):

/opt/digitalocean/bin/do-agent -log_syslog

Network connections by the process (if any):

tcp: 207.154.193.90:36840 -> 151.101.1.7:443

Files open by the process (if any):

/dev/null anon_inode:[eventpoll] /run/digitalocean-agent/tufLocalStore

Memory maps by the process (if any):

00400000-006b1000 r-xp 00000000 fd:01 150995010 /opt/digitalocean/bin/do-agent
006b1000-008b4000 r--p 002b1000 fd:01 150995010 /opt/digitalocean/bin/do-agent
008b4000-008e5000 rw-p 004b4000 fd:01 150995010 /opt/digitalocean/bin/do-agent
008e5000-00908000 rw-p 00000000 00:00 0
01a81000-01aa2000 rw-p 00000000 00:00 0 [heap]
c000000000-c000002000 rw-p 00000000 00:00 0
c41ffd0000-c420000000 rw-p 00000000 00:00 0
c420000000-c420500000 rw-p 00000000 00:00 0
c420500000-c420600000 rw-p 00000000 00:00 0
7f2fa8000000-7f2fa8021000 rw-p 00000000 00:00 0
7f2fa8021000-7f2fac000000 ---p 00000000 00:00 0
7f2faf7ff000-7f2faf800000 ---p 00000000 00:00 0
7f2faf800000-7f2fb0000000 rw-p 00000000 00:00 0
7f2fb0000000-7f2fb0021000 rw-p 00000000 00:00 0
7f2fb0021000-7f2fb4000000 ---p 00000000 00:00 0
7f2fb423f000-7f2fb4240000 ---p 00000000 00:00 0
7f2fb4240000-7f2fb4ba0000 rw-p 00000000 00:00 0
7f2fb4ba0000-7f2fb4ba1000 ---p 00000000 00:00 0
7f2fb4ba1000-7f2fb53a1000 rw-p 00000000 00:00 0
7f2fb53a1000-7f2fb53a2000 ---p 00000000 00:00 0
7f2fb53a2000-7f2fb5ba2000 rw-p 00000000 00:00 0
7f2fb5ba2000-7f2fb5ba3000 ---p 00000000 00:00 0
7f2fb5ba3000-7f2fb63a3000 rw-p 00000000 00:00 0
7f2fb63a3000-7f2fb6565000 r-xp 00000000 fd:01 88224 /usr/lib64/libc-2.17.so
7f2fb6565000-7f2fb6765000 ---p 001c2000 fd:01 88224 /usr/lib64/libc-2.17.so
7f2fb6765000-7f2fb6769000 r--p 001c2000 fd:01 88224 /usr/lib64/libc-2.17.so
7f2fb6769000-7f2fb676b000 rw-p 001c6000 fd:01 88224 /usr/lib64/libc-2.17.so
7f2fb676b000-7f2fb6770000 rw-p 00000000 00:00 0
7f2fb6770000-7f2fb6787000 r-xp 00000000 fd:01 88232 /usr/lib64/libpthread-2.17.so
7f2fb6787000-7f2fb6986000 ---p 00017000 fd:01 88232 /usr/lib64/libpthread-2.17.so
7f2fb6986000-7f2fb6987000 r--p 00016000 fd:01 88232 /usr/lib64/libpthread-2.17.so
7f2fb6987000-7f2fb6988000 rw-p 00017000 fd:01 88232 /usr/lib64/libpthread-2.17.so
7f2fb6988000-7f2fb698c000 rw-p 00000000 00:00 0
7f2fb698c000-7f2fb69ae000 r-xp 00000000 fd:01 88217 /usr/lib64/ld-2.17.so
7f2fb6a8e000-7f2fb6a9e000 r--s 00000000 00:14 29184 /run/digitalocean-agent/tufLocalStore
7f2fb6a9e000-7f2fb6ba1000 rw-p 00000000 00:00 0
7f2fb6bac000-7f2fb6bad000 rw-p 00000000 00:00 0
7f2fb6bad000-7f2fb6bae000 r--p 00021000 fd:01 88217 /usr/lib64/ld-2.17.so
7f2fb6bae000-7f2fb6baf000 rw-p 00022000 fd:01 88217 /usr/lib64/ld-2.17.so
7f2fb6baf000-7f2fb6bb0000 rw-p 00000000 00:00 0
7ffdc3bff000-7ffdc3c20000 rw-p 00000000 00:00 0 [stack]
7ffdc3df2000-7ffdc3df4000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]


Accepted Answer

Yes, that’s right. I found the solution here: http://wiki.centos-webpanel.com/csflfd-firewall-configuration

  1. Log in with SSH
  2. Edit the file /etc/csf/csf.pignore (e.g. sudo nano /etc/csf/csf.pignore)
  3. At the bottom add this line: exe:/opt/digitalocean/bin/do-agent
  4. Restart CSF firewall

That’s it!
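The four steps of the accepted answer as a script, added here as an example and not part of the original thread or of CSF/CWP. It adds the `exe:` entry to /etc/csf/csf.pignore only if it is not already there (re-running the steps by hand tends to leave duplicate lines), and before trusting the path it checks that the agent binary is a regular file owned by root and not group- or world-writable: an `exe:` entry makes lfd ignore any process whose /proc/PID/exe resolves to that path, so if the `nobody` user could overwrite the file, the exemption would cover whatever replaced it. The restart uses `csf -ra`, which restarts csf and then lfd; lfd reads csf.pignore only at startup. The PIGNORE, AGENT_EXE and APPLY_PIGNORE variable names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread, CSF or CWP. Assumes CentOS 7
# with CSF installed, so the paths below are the defaults; override them
# via the environment if your layout differs.

PIGNORE="${PIGNORE:-/etc/csf/csf.pignore}"
AGENT_EXE="${AGENT_EXE:-/opt/digitalocean/bin/do-agent}"

# check_exe_trust PATH [OWNER_UID]
# Returns 0 only if PATH is a regular file owned by OWNER_UID (default 0,
# root) and not writable by group or others. lfd's exe: exemption trusts
# the path, not the contents, so the file must not be replaceable by the
# unprivileged account (nobody) the agent runs as.
check_exe_trust() {
    path=$1
    want_uid=${2:-0}
    [ -f "$path" ] || { echo "not a regular file: $path" >&2; return 1; }
    owner=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    [ "$owner" = "$want_uid" ] || {
        echo "$path is owned by uid $owner, expected uid $want_uid" >&2
        return 1
    }
    # 022 = group-write | other-write bits; the leading 0 makes the
    # shell read stat's "755" as octal
    [ $(( 0$mode & 022 )) -eq 0 ] || {
        echo "$path is group/world writable (mode $mode)" >&2
        return 1
    }
    return 0
}

# pignore_add FILE ENTRY
# Appends ENTRY (e.g. exe:/opt/digitalocean/bin/do-agent) to FILE unless an
# identical line is already present. -x -F means whole-line, literal match,
# so exe:/opt/.../do-agent-helper does not satisfy a check for do-agent.
pignore_add() {
    file=$1
    entry=$2
    if grep -qxF -- "$entry" "$file" 2>/dev/null; then
        return 0
    fi
    printf '%s\n' "$entry" >> "$file"
}

# pignore_count FILE ENTRY
# Prints the number of lines in FILE that exactly equal ENTRY (0 if none).
pignore_count() {
    grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# Opt-in switch (this example's own) so sourcing the file does nothing.
# Run as root with APPLY_PIGNORE=1 to perform the change and the restart.
if [ "${APPLY_PIGNORE:-0}" = 1 ]; then
    check_exe_trust "$AGENT_EXE" || exit 1
    pignore_add "$PIGNORE" "exe:$AGENT_EXE"
    # Restart csf and then lfd so the new ignore entry is loaded.
    csf -ra
fi
```

If the trust check fails, fix the ownership or permissions of the agent binary rather than adding the exemption; with the exemption in place, lfd will no longer report a process at that path, so it is worth keeping the binary itself out of reach of the account it runs under.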

I’m also getting this report with the same setup as you. I assume we need to put an exception somewhere since it seems like a legit digitalocean process, maybe in the CSF somewhere?