By: jcphoto

Suspicious Process Running Under User "Nobody" ?

August 10, 2017 477 views

I have WHM/cPanel installed on a CentOS droplet, and I have also configured the CSF firewall. I'm getting logs saying that there are suspicious processes running under user "Nobody" which seem to be DigitalOcean-related. Is there anything I should do, or should I just ignore it? Example logs:

Time: Thu Aug 10 16:24:42 2017 -0700
PID: 953 (Parent PID:953)
Account: nobody
Uptime: 61533 seconds

Executable:

/opt/digitalocean/bin/do-agent

Command Line (often faked in exploits):

/opt/digitalocean/bin/do-agent -log_syslog

Network connections by the process (if any):

tcp: MY SERVER IP -> 151.101.129.7:443

Files open by the process (if any):

/dev/null
anon_inode:[eventpoll]
/run/digitalocean-agent/tufLocalStore
/dev/urandom

Memory maps by the process (if any):

00400000-006b1000 r-xp 00000000 fd:01 529648 /opt/digitalocean/bin/do-agent
006b1000-008b4000 r--p 002b1000 fd:01 529648 /opt/digitalocean/bin/do-agent
008b4000-008e5000 rw-p 004b4000 fd:01 529648 /opt/digitalocean/bin/do-agent
008e5000-00908000 rw-p 00000000 00:00 0
00b3b000-00b5c000 rw-p 00000000 00:00 0 [heap]
c000000000-c000002000 rw-p 00000000 00:00 0
c41ffd0000-c420200000 rw-p 00000000 00:00 0 [stack:28837]
c420200000-c420600000 rw-p 00000000 00:00 0
7f20d8000000-7f20d8021000 rw-p 00000000 00:00 0
7f20d8021000-7f20dc000000 ---p 00000000 00:00 0
7f20e0000000-7f20e0021000 rw-p 00000000 00:00 0
7f20e0021000-7f20e4000000 ---p 00000000 00:00 0
7f20e6028000-7f20e6029000 ---p 00000000 00:00 0
7f20e6029000-7f20e6989000 rw-p 00000000 00:00 0
7f20e6989000-7f20e698a000 ---p 00000000 00:00 0
7f20e698a000-7f20e718a000 rw-p 00000000 00:00 0 [stack:994]

2 Answers

do-agent logs fun things like CPU usage, network input/output, and IO usage for the usage panel for your droplet.

Hi,

It's a really informative article. I have been trying to find this answer for a long time.

Thanks
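
An added example, not part of the original thread: the alert quoted in the question warns that the command line is "often faked in exploits", so one way to triage such an alert is to check that its sections agree with each other. The function names `parse_alert` and `triage` are hypothetical, the sample is an abridged copy of the alert above, and the three checks are heuristics chosen for this illustration.

```python
import re

# Constructed sample: the alert from the question, abridged to the parts checked.
SAMPLE_ALERT = """\
PID: 953 (Parent PID:953)
Account: nobody

Executable:
/opt/digitalocean/bin/do-agent

Command Line (often faked in exploits):
/opt/digitalocean/bin/do-agent -log_syslog

Memory maps by the process (if any):
00400000-006b1000 r-xp 00000000 fd:01 529648 /opt/digitalocean/bin/do-agent
008e5000-00908000 rw-p 00000000 00:00 0
"""

HEADER = re.compile(r"^(Executable|Command Line|Network connections|Files open|Memory maps)\b.*:$")

def parse_alert(text):
    """Split an alert into 'Key: value' fields and named multi-line sections."""
    fields, sections, current = {}, {}, None
    for line in filter(None, map(str.strip, text.splitlines())):
        m = HEADER.match(line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif current is not None:
            current.append(line)
        elif ": " in line:
            fields.update([line.split(": ", 1)])
    return fields, sections

def triage(text):
    """Return consistency findings; an empty list means nothing contradicts itself."""
    _, sec = parse_alert(text)
    exe = (sec.get("Executable") or [""])[0]
    cmd = (sec.get("Command Line") or [""])[0]
    # File-backed executable mappings: perms contain 'x' and a path follows the inode.
    maps = [l.split(None, 5) for l in sec.get("Memory maps", [])]
    xpaths = [m[5] for m in maps if len(m) == 6 and "x" in m[1] and m[5].startswith("/")]
    findings = []
    if cmd.split()[:1] != [exe]:
        findings.append("command line does not start with the executable path")
    if exe not in xpaths:
        findings.append("executable path is not mapped as code")
    if any(p.endswith(" (deleted)") for p in xpaths):
        findings.append("code is mapped from a deleted file")
    return findings
```

An empty result only shows that the alert is internally consistent; whether the file at that path is the vendor's own binary is a separate check against the package it was installed from.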
