lfd Suspicious process running under user nobody for do-agent


I have a VPS with CentOS 7 and CWP installed on it. CWP has the CSF firewall and the lfd send me email alerts a lot during a day because of the do-agent. I don’t want to disable do-agent because it is for monitoring. I don’t want to disabel the email alerts as well. Is there any way to stop lfd alerting me because of the do-agent?

The alert is: Suspicious process running under user nobody

Time: Tue Apr 9 18:03:23 2019 +0200 PID: 3528 (Parent PID:3528) Account: nobody Uptime: 18128 seconds



Command Line (often faked in exploits):

/opt/digitalocean/bin/do-agent -log_syslog

Network connections by the process (if any):

tcp: ->

Files open by the process (if any):

/dev/null anon_inode:[eventpoll] /run/digitalocean-agent/tufLocalStore

Memory maps by the process (if any):

00400000-006b1000 r-xp 00000000 fd:01 150995010 /opt/digitalocean/bin/do-agent 006b1000-008b4000 r–p 002b1000 fd:01 150995010 /opt/digitalocean/bin/do-agent 008b4000-008e5000 rw-p 004b4000 fd:01 150995010 /opt/digitalocean/bin/do-agent 008e5000-00908000 rw-p 00000000 00:00 0 01a81000-01aa2000 rw-p 00000000 00:00 0 [heap] c000000000-c000002000 rw-p 00000000 00:00 0 c41ffd0000-c420000000 rw-p 00000000 00:00 0 c420000000-c420500000 rw-p 00000000 00:00 0 c420500000-c420600000 rw-p 00000000 00:00 0 7f2fa8000000-7f2fa8021000 rw-p 00000000 00:00 0 7f2fa8021000-7f2fac000000 —p 00000000 00:00 0 7f2faf7ff000-7f2faf800000 —p 00000000 00:00 0 7f2faf800000-7f2fb0000000 rw-p 00000000 00:00 0 7f2fb0000000-7f2fb0021000 rw-p 00000000 00:00 0 7f2fb0021000-7f2fb4000000 —p 00000000 00:00 0 7f2fb423f000-7f2fb4240000 —p 00000000 00:00 0 7f2fb4240000-7f2fb4ba0000 rw-p 00000000 00:00 0 7f2fb4ba0000-7f2fb4ba1000 —p 00000000 00:00 0 7f2fb4ba1000-7f2fb53a1000 rw-p 00000000 00:00 0 7f2fb53a1000-7f2fb53a2000 —p 00000000 00:00 0 7f2fb53a2000-7f2fb5ba2000 rw-p 00000000 00:00 0 7f2fb5ba2000-7f2fb5ba3000 —p 00000000 00:00 0 7f2fb5ba3000-7f2fb63a3000 rw-p 00000000 00:00 0 7f2fb63a3000-7f2fb6565000 r-xp 00000000 fd:01 88224 /usr/lib64/ 7f2fb6565000-7f2fb6765000 —p 001c2000 fd:01 88224 /usr/lib64/ 7f2fb6765000-7f2fb6769000 r–p 001c2000 fd:01 88224 /usr/lib64/ 7f2fb6769000-7f2fb676b000 rw-p 001c6000 fd:01 88224 /usr/lib64/ 7f2fb676b000-7f2fb6770000 rw-p 00000000 00:00 0 7f2fb6770000-7f2fb6787000 r-xp 00000000 fd:01 88232 /usr/lib64/ 7f2fb6787000-7f2fb6986000 —p 00017000 fd:01 88232 /usr/lib64/ 7f2fb6986000-7f2fb6987000 r–p 00016000 fd:01 88232 /usr/lib64/ 7f2fb6987000-7f2fb6988000 rw-p 00017000 fd:01 88232 /usr/lib64/ 7f2fb6988000-7f2fb698c000 rw-p 00000000 00:00 0 7f2fb698c000-7f2fb69ae000 r-xp 00000000 fd:01 88217 /usr/lib64/ 7f2fb6a8e000-7f2fb6a9e000 r–s 00000000 00:14 29184 /run/digitalocean-agent/tufLocalStore 7f2fb6a9e000-7f2fb6ba1000 rw-p 00000000 00:00 0 7f2fb6bac000-7f2fb6bad000 rw-p 00000000 00:00 0 7f2fb6bad000-7f2fb6bae000 r–p 00021000 fd:01 88217 /usr/lib64/ 7f2fb6bae000-7f2fb6baf000 rw-p 00022000 fd:01 88217 /usr/lib64/ 7f2fb6baf000-7f2fb6bb0000 rw-p 00000000 00:00 0 7ffdc3bff000-7ffdc3c20000 rw-p 00000000 00:00 0 [stack] 7ffdc3df2000-7ffdc3df4000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Accepted Answer

Yes, that’s right. I found the solution here:

  1. Login with SSH
  2. Edit the file /etc/csf/csf.pignore (e.g. sudo nano /etc/csf/csf.pignore)
  3. At the bottom add this line: exe:/opt/digitalocean/bin/do-agent
  4. Restart CSF firewall

That’s it!

I’m also getting this report with the same setup as you. I assume we need to put an exception somewhere since it seems like a legit digitalocean process, maybe in the CSF somewhere?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel