lfd Suspicious process running under user nobody for do-agent

April 9, 2019 296 views
Monitoring Firewall Security CentOS

Hi!

I have a VPS with CentOS 7 and CWP installed on it. CWP has the CSF firewall, and lfd sends me email alerts many times a day because of do-agent. I don't want to disable do-agent because it is for monitoring. I don't want to disable the email alerts either. Is there any way to stop lfd alerting me because of do-agent?

The alert is:
Suspicious process running under user nobody

Time: Tue Apr 9 18:03:23 2019 +0200
PID: 3528 (Parent PID:3528)
Account: nobody
Uptime: 18128 seconds

Executable:

/opt/digitalocean/bin/do-agent

Command Line (often faked in exploits):

/opt/digitalocean/bin/do-agent -log_syslog

Network connections by the process (if any):

tcp: 207.154.193.90:36840 -> 151.101.1.7:443

Files open by the process (if any):

/dev/null
anon_inode:[eventpoll]
/run/digitalocean-agent/tufLocalStore

Memory maps by the process (if any):

00400000-006b1000 r-xp 00000000 fd:01 150995010 /opt/digitalocean/bin/do-agent
006b1000-008b4000 r--p 002b1000 fd:01 150995010 /opt/digitalocean/bin/do-agent
008b4000-008e5000 rw-p 004b4000 fd:01 150995010 /opt/digitalocean/bin/do-agent
008e5000-00908000 rw-p 00000000 00:00 0
01a81000-01aa2000 rw-p 00000000 00:00 0 [heap]
c000000000-c000002000 rw-p 00000000 00:00 0
c41ffd0000-c420000000 rw-p 00000000 00:00 0
c420000000-c420500000 rw-p 00000000 00:00 0
c420500000-c420600000 rw-p 00000000 00:00 0
7f2fa8000000-7f2fa8021000 rw-p 00000000 00:00 0
7f2fa8021000-7f2fac000000 ---p 00000000 00:00 0
7f2faf7ff000-7f2faf800000 ---p 00000000 00:00 0
7f2faf800000-7f2fb0000000 rw-p 00000000 00:00 0
7f2fb0000000-7f2fb0021000 rw-p 00000000 00:00 0
7f2fb0021000-7f2fb4000000 ---p 00000000 00:00 0
7f2fb423f000-7f2fb4240000 ---p 00000000 00:00 0
7f2fb4240000-7f2fb4ba0000 rw-p 00000000 00:00 0
7f2fb4ba0000-7f2fb4ba1000 ---p 00000000 00:00 0
7f2fb4ba1000-7f2fb53a1000 rw-p 00000000 00:00 0
7f2fb53a1000-7f2fb53a2000 ---p 00000000 00:00 0
7f2fb53a2000-7f2fb5ba2000 rw-p 00000000 00:00 0
7f2fb5ba2000-7f2fb5ba3000 ---p 00000000 00:00 0
7f2fb5ba3000-7f2fb63a3000 rw-p 00000000 00:00 0
7f2fb63a3000-7f2fb6565000 r-xp 00000000 fd:01 88224 /usr/lib64/libc-2.17.so
7f2fb6565000-7f2fb6765000 ---p 001c2000 fd:01 88224 /usr/lib64/libc-2.17.so
7f2fb6765000-7f2fb6769000 r--p 001c2000 fd:01 88224 /usr/lib64/libc-2.17.so
7f2fb6769000-7f2fb676b000 rw-p 001c6000 fd:01 88224 /usr/lib64/libc-2.17.so
7f2fb676b000-7f2fb6770000 rw-p 00000000 00:00 0
7f2fb6770000-7f2fb6787000 r-xp 00000000 fd:01 88232 /usr/lib64/libpthread-2.17.so
7f2fb6787000-7f2fb6986000 ---p 00017000 fd:01 88232 /usr/lib64/libpthread-2.17.so
7f2fb6986000-7f2fb6987000 r--p 00016000 fd:01 88232 /usr/lib64/libpthread-2.17.so
7f2fb6987000-7f2fb6988000 rw-p 00017000 fd:01 88232 /usr/lib64/libpthread-2.17.so
7f2fb6988000-7f2fb698c000 rw-p 00000000 00:00 0
7f2fb698c000-7f2fb69ae000 r-xp 00000000 fd:01 88217 /usr/lib64/ld-2.17.so
7f2fb6a8e000-7f2fb6a9e000 r--s 00000000 00:14 29184 /run/digitalocean-agent/tufLocalStore
7f2fb6a9e000-7f2fb6ba1000 rw-p 00000000 00:00 0
7f2fb6bac000-7f2fb6bad000 rw-p 00000000 00:00 0
7f2fb6bad000-7f2fb6bae000 r--p 00021000 fd:01 88217 /usr/lib64/ld-2.17.so
7f2fb6bae000-7f2fb6baf000 rw-p 00022000 fd:01 88217 /usr/lib64/ld-2.17.so
7f2fb6baf000-7f2fb6bb0000 rw-p 00000000 00:00 0
7ffdc3bff000-7ffdc3c20000 rw-p 00000000 00:00 0 [stack]
7ffdc3df2000-7ffdc3df4000 r-xp 00000000 00:00 0 [vdso]
ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]

2 Answers
castorland April 21, 2019
Accepted Answer

Yes, that's right. I found the solution here: http://wiki.centos-webpanel.com/csflfd-firewall-configuration

1) Login with SSH
2) Edit the file /etc/csf/csf.pignore (e.g. sudo nano /etc/csf/csf.pignore)
3) At the bottom add this line: exe:/opt/digitalocean/bin/do-agent
4) Restart CSF firewall

That's it!
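The same steps as a script, added here as an example and not taken from the CSF/lfd project, CWP, DigitalOcean or the answer above. It assumes CSF's default ignore file location (/etc/csf/csf.pignore) and that lfd is a systemd service, as on CentOS 7. Before it adds the `exe:` entry it checks that the path is a regular file owned by root and not group- or world-writable: an `exe:` line tells lfd to ignore anything executed from that path, so the path itself has to be one that only root can change. An `exe:` entry is preferable to `user:nobody`, which would silence lfd for every process running as nobody, including a web shell spawned by the web server.

```sh
#!/bin/sh
# Example added to this thread (not CSF, CWP or DigitalOcean code).
# Adds an lfd process-tracking exception for one trusted executable.
# Assumptions: csf.pignore is at /etc/csf/csf.pignore; lfd is a systemd unit.

# Refuse to whitelist a path that is missing, not a regular file, not owned
# by root, or writable by group/other. An "exe:" entry suppresses alerts for
# anything run from this path, so the path must not be modifiable by the
# unprivileged account the alert was about.
check_exe() {
    exe=$1
    [ -f "$exe" ] || { echo "not a regular file: $exe" >&2; return 1; }
    owner=$(stat -c '%U' "$exe") || return 1
    [ "$owner" = "root" ] || { echo "not owned by root: $exe" >&2; return 1; }
    mode=$(stat -c '%A' "$exe") || return 1
    # positions 6 and 9 of "-rwxr-xr-x" are the group and other write bits
    case $mode in
        ?????w*|????????w*)
            echo "group- or world-writable, refusing: $exe ($mode)" >&2
            return 1 ;;
    esac
    return 0
}

# Append "exe:<path>" to the pignore file unless an identical line exists.
# grep -x -F matches the whole line as a fixed string, so re-running the
# script does not produce duplicate entries.
add_pignore() {
    pignore=$1
    exe=$2
    entry="exe:$exe"
    if grep -qxF -- "$entry" "$pignore" 2>/dev/null; then
        echo "already present in $pignore: $entry"
        return 0
    fi
    printf '%s\n' "$entry" >> "$pignore"
    echo "added to $pignore: $entry"
}

main() {
    exe=$1
    pignore=${2:-/etc/csf/csf.pignore}
    check_exe "$exe" || exit 1
    add_pignore "$pignore" "$exe"
    # Restart lfd so the new ignore entry is certainly in effect
    # (equivalently: csf -ra, which restarts both csf and lfd).
    systemctl restart lfd
}

# Only act when invoked with a path, so the functions can be sourced/tested.
if [ "$#" -ge 1 ]; then
    main "$@"
fi
```

Run it as root with the path from the alert's "Executable:" line, e.g. `sh add_pignore.sh /opt/digitalocean/bin/do-agent`; a second argument overrides the pignore path. If a future alert shows do-agent running from a different path or under a different account, that is exactly the case the `exe:` entry is meant not to hide, so treat it as a real alert rather than widening the exception.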

I'm also getting this report with the same setup as you. I assume we need to put an exception somewhere since it seems like a legit digitalocean process, maybe in the CSF somewhere?
