DigitalOcean

Report this

What is the reason for this report?
Question

lfd Suspicious process running under user nobody for do-agent

Posted on April 9, 2019
Security
CentOS
Monitoring
Firewall
Gábor Hódos

By Gábor Hódos

Hi!

I have a VPS with CentOS 7 and CWP installed on it. CWP has the CSF firewall and the lfd send me email alerts a lot during a day because of the do-agent. I don’t want to disable do-agent because it is for monitoring. I don’t want to disabel the email alerts as well. Is there any way to stop lfd alerting me because of the do-agent?

The alert is: Suspicious process running under user nobody

Time: Tue Apr 9 18:03:23 2019 +0200 PID: 3528 (Parent PID:3528) Account: nobody Uptime: 18128 seconds

Executable:

/opt/digitalocean/bin/do-agent

Command Line (often faked in exploits):

/opt/digitalocean/bin/do-agent -log_syslog

Network connections by the process (if any):

tcp: 207.154.193.90:36840 -> 151.101.1.7:443

Files open by the process (if any):

/dev/null anon_inode:[eventpoll] /run/digitalocean-agent/tufLocalStore

Memory maps by the process (if any):

00400000-006b1000 r-xp 00000000 fd:01 150995010 /opt/digitalocean/bin/do-agent 006b1000-008b4000 r–p 002b1000 fd:01 150995010 /opt/digitalocean/bin/do-agent 008b4000-008e5000 rw-p 004b4000 fd:01 150995010 /opt/digitalocean/bin/do-agent 008e5000-00908000 rw-p 00000000 00:00 0 01a81000-01aa2000 rw-p 00000000 00:00 0 [heap] c000000000-c000002000 rw-p 00000000 00:00 0 c41ffd0000-c420000000 rw-p 00000000 00:00 0 c420000000-c420500000 rw-p 00000000 00:00 0 c420500000-c420600000 rw-p 00000000 00:00 0 7f2fa8000000-7f2fa8021000 rw-p 00000000 00:00 0 7f2fa8021000-7f2fac000000 —p 00000000 00:00 0 7f2faf7ff000-7f2faf800000 —p 00000000 00:00 0 7f2faf800000-7f2fb0000000 rw-p 00000000 00:00 0 7f2fb0000000-7f2fb0021000 rw-p 00000000 00:00 0 7f2fb0021000-7f2fb4000000 —p 00000000 00:00 0 7f2fb423f000-7f2fb4240000 —p 00000000 00:00 0 7f2fb4240000-7f2fb4ba0000 rw-p 00000000 00:00 0 7f2fb4ba0000-7f2fb4ba1000 —p 00000000 00:00 0 7f2fb4ba1000-7f2fb53a1000 rw-p 00000000 00:00 0 7f2fb53a1000-7f2fb53a2000 —p 00000000 00:00 0 7f2fb53a2000-7f2fb5ba2000 rw-p 00000000 00:00 0 7f2fb5ba2000-7f2fb5ba3000 —p 00000000 00:00 0 7f2fb5ba3000-7f2fb63a3000 rw-p 00000000 00:00 0 7f2fb63a3000-7f2fb6565000 r-xp 00000000 fd:01 88224 /usr/lib64/libc-2.17.so 7f2fb6565000-7f2fb6765000 —p 001c2000 fd:01 88224 /usr/lib64/libc-2.17.so 7f2fb6765000-7f2fb6769000 r–p 001c2000 fd:01 88224 /usr/lib64/libc-2.17.so 7f2fb6769000-7f2fb676b000 rw-p 001c6000 fd:01 88224 /usr/lib64/libc-2.17.so 7f2fb676b000-7f2fb6770000 rw-p 00000000 00:00 0 7f2fb6770000-7f2fb6787000 r-xp 00000000 fd:01 88232 /usr/lib64/libpthread-2.17.so 7f2fb6787000-7f2fb6986000 —p 00017000 fd:01 88232 /usr/lib64/libpthread-2.17.so 7f2fb6986000-7f2fb6987000 r–p 00016000 fd:01 88232 /usr/lib64/libpthread-2.17.so 7f2fb6987000-7f2fb6988000 rw-p 00017000 fd:01 88232 /usr/lib64/libpthread-2.17.so 7f2fb6988000-7f2fb698c000 rw-p 00000000 00:00 0 7f2fb698c000-7f2fb69ae000 r-xp 00000000 fd:01 88217 /usr/lib64/ld-2.17.so 7f2fb6a8e000-7f2fb6a9e000 r–s 00000000 00:14 29184 /run/digitalocean-agent/tufLocalStore 7f2fb6a9e000-7f2fb6ba1000 rw-p 00000000 00:00 0 7f2fb6bac000-7f2fb6bad000 rw-p 00000000 00:00 0 7f2fb6bad000-7f2fb6bae000 r–p 00021000 fd:01 88217 /usr/lib64/ld-2.17.so 7f2fb6bae000-7f2fb6baf000 rw-p 00022000 fd:01 88217 /usr/lib64/ld-2.17.so 7f2fb6baf000-7f2fb6bb0000 rw-p 00000000 00:00 0 7ffdc3bff000-7ffdc3c20000 rw-p 00000000 00:00 0 [stack] 7ffdc3df2000-7ffdc3df4000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall]



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Gábor Hódos
Gábor Hódos
April 21, 2019

Accepted Answer

Yes, that’s right. I found the solution here: http://wiki.centos-webpanel.com/csflfd-firewall-configuration

  1. Login with SSH
  2. Edit the file /etc/csf/csf.pignore (e.g. sudo nano /etc/csf/csf.pignore)
  3. At the bottom add this line: exe:/opt/digitalocean/bin/do-agent
  4. Restart CSF firewall

That’s it!

0
tmcmanus
tmcmanus
April 19, 2019

I’m also getting this report with the same setup as you. I assume we need to put an exception somewhere since it seems like a legit digitalocean process, maybe in the CSF somewhere?

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and SMBs

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2025 DigitalOcean, LLC.Sitemap.