Linux user account 'nagent' deleted and re-added in secure log

Solution 1:

You can begin by checking whether the user nagent owns any files on your system:

find / -user nagent -iname "*" -exec ls -l {} \;

You can also check whether this user has launched any processes that are still running:

ps -ef | grep nagent

In your logs, you can look at the activity of your server around 27 October 21:10, with something like this:

cat /var/log/<your file> | grep "Oct 27 21:1"

EDIT 1: Some files have been modified/created at the same time as the userdel and useradd:

-rw-r--r--. 1 root root  615 Oct 27 21:11 nagent.conf
-rw-r--r--. 1 root root  615 Oct 27 21:11 nagent.conf.Save
-rwxr-xr-x. 1 root root 5510 Oct 27 21:11 nagent_download.sh
-rwxr-xr-x. 1 root root 1665 Oct 27 21:11 uninstall.sh

Can you read nagent.conf and nagent_download.sh?


EDIT 2: Can you verify whether you have a process listening on TCP port 80:

netstat -antp | grep 80

Did you maybe do an update/upgrade on 27 Oct at 21h?


EDIT 3:

From the netstat command, you have port 80 opened by a process with a PID of 2027:java. Moreover, this process also opens ports 8089 and 443, and 443 has a connection with a machine:

  ::ffff:192.168.1.18:443     ::ffff:70.192.192.180:10757 ESTABLISHED     2027/java

For more information, you can run ps -ef | grep 2027 and see details of the command and its parent process.

From your ps command, you have a service named nagent in /etc/init.d/nagent.

In conclusion, you or someone else has installed the agent of the N-central software (the files and process match the doc mentioned by @ojs in his solution). Now, you must find out who installed this software and how.

To find out which package has been installed: ls -ltr /var/lib/dpkg/info/*.list

You can look at the .bash_history in the home directories of the users of your server.
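
The log pivot described in Solution 1 can be scripted. The following is an added example, not part of the original answer: it scans a secure log for a userdel followed quickly by a useradd of the same account and prints the 10-minute grep prefix to use on other logs. The sample log lines, host name, PIDs and UIDs are constructed, and the userdel/useradd message formats are assumed to be the usual shadow-utils ones.

```shell
#!/bin/sh
# Constructed sample in /var/log/secure style; host, PIDs, UIDs and IPs are made up.
sample_secure_log() {
cat <<'EOF'
Oct 27 21:09:58 srv01 sshd[1811]: Accepted password for admin from 192.0.2.10 port 50122 ssh2
Oct 27 21:11:02 srv01 userdel[2290]: delete user 'nagent'
Oct 27 21:11:02 srv01 userdel[2290]: removed group 'nagent' owned by 'nagent'
Oct 27 21:11:03 srv01 useradd[2301]: new group: name=nagent, GID=501
Oct 27 21:11:03 srv01 useradd[2301]: new user: name=nagent, UID=501, GID=501, home=/home/nagent, shell=/bin/bash
Oct 28 03:00:01 srv01 useradd[4100]: new user: name=backup, UID=502, GID=502, home=/home/backup, shell=/bin/bash
Oct 29 10:15:00 srv01 userdel[5000]: delete user 'tmpuser'
EOF
}

# account_events USER < log
# Prints "Mon DD HH:MM:SS deleted|added" for each userdel/useradd of USER.
# Message formats are the usual shadow-utils ones (assumed); the older
# "delete user `name'" quoting is accepted as well.
account_events() {
  awk -v u="$1" -v q="'" -v b='`' '
    $5 ~ /^userdel\[/ && (index($0, "delete user " q u q) || index($0, "delete user " b u q)) {
      print $1, $2, $3, "deleted"
    }
    $5 ~ /^useradd\[/ && index($0, "new user: name=" u ",") {
      print $1, $2, $3, "added"
    }'
}

# recreate_windows USER MAXGAP < log
# Reports each delete followed by a re-add on the same day within MAXGAP
# seconds, plus a 10-minute grep prefix for pivoting into other logs.
recreate_windows() {
  account_events "$1" | awk -v gap="$2" '
    { split($3, t, ":"); s = t[1]*3600 + t[2]*60 + t[3]
      d = sprintf("%s %2s", $1, $2) }   # keep syslog padding for days 1-9
    $4 == "deleted" { day = d; dsec = s; dtime = $3; pending = 1; next }
    $4 == "added" && pending && day == d && s - dsec <= gap {
      printf "%s %s -> %s gap=%ds grep=\"%s %s\"\n", day, dtime, $3, s - dsec, day, substr($3, 1, 4)
    }
    { pending = 0 }'
}

sample_secure_log | recreate_windows nagent 60
```

On a real host, feed it the actual file (for example `recreate_windows nagent 60 < /var/log/secure`) and use the printed prefix with grep on the other logs. A gap of a second or two between the delete and the re-add is consistent with both commands coming from one script run.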

Solution 2:

This seems to point to a product by Solarwinds N-able. At least they used to use /home/nagent and their packages were named nagent-rhel. I found a reference to this in an old document from them.

Solution 3:

Did you install Neptune?

nagent might be the user for the Neptune agent, added automatically when you install the package. By default the user is neptuneioagent, but your distro might have changed the user name.