Hello,
So I heard about the malicious AUR packages recently and as a precaution I ran `ps aux | grep systemd-initd`
Even though I have no AUR packages installed, I was surprised to see output though, looking roughly like
user 1200 0.0 0.0 7420 1135 pts/0 S+ 15:56 0:00 grep --color=auto systemd-initd
Am I correct in thinking this is the grep process and NOT the malicious entry?
I am still fairly new to this side of Linux so am not always sure what I am looking for. Still learning about interpreting command output.
Thanks!
Last edited by OneAndOnlyRoot (2025-07-21 11:37:54)
What "malicious" AUR packages? Do you have a source or reference for that information?
If you use `man ps`, it will tell you what each column in that output is. You'll notice that the last column is the full command line of process 1903, which is `grep`.
You are correct. That is the process that is running the grep command you had just requested be run.
Nothing is too wonderful to be true, if it be consistent with the laws of nature -- Michael Faraday
The shortest way to ruin a country is to give power to demagogues.— Dionysius of Halicarnassus
---
How to Ask Questions the Smart Way
What "malicious" AUR packages? Do you have a source or reference for that information?
If you use `man ps`, it will tell you what each column in that output is. You'll notice that the last column is the full command line of process 1903, which is `grep`.
It seems to be true. There is a draft announcement in the works; I do not know the specifics at this point. When it is released, there will be a sticky post on the forums linking to it.
Edit: Here is an article: https://www.bleepingcomputer.com/news/s … epository/
Last edited by ewaller (2025-07-19 15:27:13)
I read it here: https://www.bleepingcomputer.com/news/s … t-malware/
You are correct. That is the process that is running the grep command you had just requested be run.
Thanks for confirming. Generally, would there be multiple entries if said thing was found? So 1 being grep and the other being the actual thing?
Generally, would there be multiple entries if said thing was found? So 1 being grep and the other being the actual thing?
Absolutely correct.
OneAndOnlyRoot wrote: Generally, would there be multiple entries if said thing was found? So 1 being grep and the other being the actual thing?
Absolutely correct.
Thanks again, appreciate your help!
"man pgrep"
Please always remember to mark resolved threads by editing your initial post's subject - so others will know that there's no task left, but maybe a solution to find.
Thanks.
https://www.bleepingcomputer.com/news/s … epository/
Collected data includes details such as the date and time, machine's ID, CPU information, Pacman (package manager) details, and the outputs of the "uname -a" and "systemctl list-units" commands.
Clowns could probably have just run a survey here and would have gotten more data than with those three AUR packages
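The grep self-match discussed in this thread, as an added example that is not code from any poster: a shell function that reads `ps aux` output and keeps only rows whose executable name is exactly the one asked for, so the `grep` row from the first post is not counted. The sample listing and the path in its last row are constructed; `match_ps_name`, `sample_ps` and `count_matches` are hypothetical names.

```shell
#!/bin/sh
# Added example. Reads `ps aux`-style text on stdin and prints only the rows
# whose executable (basename of the first COMMAND word) equals the given name.
# A plain `grep NAME` also matches its own row, because NAME is in grep's
# argument list; comparing the executable name avoids that.

match_ps_name() {
    # $1 = exact process name to look for
    awk -v want="$1" '
        NR == 1 && $1 == "USER" { next }   # skip the header row
        {
            cmd = $11                       # column 11 is the start of COMMAND
            sub(/^.*\//, "", cmd)           # strip any leading directory
            if (cmd == want) print
        }'
}

# Constructed sample listing. The third row is the line quoted in the first
# post; the last row is a made-up process so there is something to find.
sample_ps() {
cat <<'EOF'
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  0.1  22000 13000 ?        Ss   15:00   0:01 /sbin/init
user        1200  0.0  0.0   7420  1135 pts/0    S+   15:56   0:00 grep --color=auto systemd-initd
user        1300  0.0  0.0   9000  2100 ?        S    15:40   0:00 /constructed/example/systemd-initd
EOF
}

# Number of rows in the sample whose executable name is exactly $1.
count_matches() {
    sample_ps | match_ps_name "$1" | wc -l | tr -d ' '
}

# Prints only the PID 1300 row; the grep row is ignored.
sample_ps | match_ps_name systemd-initd

# On a live system: ps aux | match_ps_name systemd-initd
# or, with procps as pointed to in the thread: pgrep -x systemd-initd
# (-x requires an exact name match; exit status 1 means nothing was found).
```

The comparison is on the name the process reports, which a process can choose for itself, so an empty result only shows that nothing is running under that name.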
Found this thread searching as I was also curious if there was any discussion here about the incident.
Edit: Here is an article: https://www.bleepingcomputer.com/news/s … epository/
That article's from 2018; an article about the recent incident can be read here:
https://www.phoronix.com/news/Arch-Linux-Malicious-AURs
Edit: Probably meant to link this article:
https://www.bleepingcomputer.com/news/s … t-malware/
An announcement message on the aur-general mailing list (which I admit I only learned of from that article) can be read here:
https://lists.archlinux.org/archives/li … ZYE626IFJ/
Archived copies of the AUR pages for the malicious packages can be found here:
https://web.archive.org/web/20250718135 … atched-bin
https://web.archive.org/web/20250718142 … lf-fix-bin
https://web.archive.org/web/20250718140 … -patch-bin
Last edited by d-koc (2025-07-20 21:07:25)