double output in command line


Humberto Blanco Castillo

Apr 22, 2020, 10:58:44 AM
to Linux Users Group
Hi
I have a serious mistake with my console executing some commands, for example ls

[user@repositorio etc]# ps -ef | grep yum
user      11514   4496  0 08:28 pts/0    00:00:00 grep --color=auto yum
user      11514   4496  0 08:28 pts/0    00:00:00 grep --color=auto yum


repeat the output, any idea?

Jeremiah Bess

Apr 22, 2020, 11:04:32 AM
to LUG
In that example grep is finding you running grep in the output of the ps command. The PID/PPID are the same, so it's the same process it's displaying. Not sure why it's doubled on the output. Can you give some other examples? Is it just when you run grep, or is everything duplicated in the ps output without grep?

Jeremiah Bess


--
--
You received this message because you are subscribed to the Linux Users Group.
To post a message, send email to linuxus...@googlegroups.com
To unsubscribe, send email to linuxusersgro...@googlegroups.com
For more options, visit our group at http://groups.google.com/group/linuxusersgroup
References can be found at: http://goo.gl/anqri
Please remember to abide by our list rules (http://tinyurl.com/LUG-Rules)
---
You received this message because you are subscribed to the Google Groups "Linux Users Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to linuxusersgro...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/linuxusersgroup/83af3713-9a64-4be8-bef8-e5b57b2ed988%40googlegroups.com.

Daniel Eggleston

Apr 22, 2020, 11:13:24 AM
to Linux Users Group
What returns if you run 'ps -ef | sort'?


Humberto Blanco Castillo

Apr 22, 2020, 11:20:44 AM
to Linux Users Group
this is the output
[user@repositorio var]# ps -ef | sort
apache     9496   1158  0 08:59 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9496   1158  0 08:59 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9564   1158  0 09:19 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9564   1158  0 09:19 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9567   1158  0 09:20 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9567   1158  0 09:20 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9568   1158  0 09:20 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9568   1158  0 09:20 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9854   1158  0 09:34 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9854   1158  0 09:34 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9859   1158  0 09:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9859   1158  0 09:36 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9883   1158  0 09:50 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9883   1158  0 09:50 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9885   1158  0 09:50 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9885   1158  0 09:50 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9922   1158  0 10:05 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9922   1158  0 10:05 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9927   1158  0 10:06 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
apache     9927   1158  0 10:06 ?        00:00:00 /usr/sbin/httpd -DFOREGROUND
chrony      884      1  0 08:35 ?        00:00:00 /usr/sbin/chronyd
chrony      884      1  0 08:35 ?        00:00:00 /usr/sbin/chronyd
dbus        867      1  0 08:35 ?        00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
dbus        867      1  0 08:35 ?        00:00:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation
polkitd     866      1  0 08:35 ?        00:00:00 /usr/lib/polkit-1/polkitd --no-debug
polkitd     866      1  0 08:35 ?        00:00:00 /usr/lib/polkit-1/polkitd --no-debug
postfix    1734   1673  0 08:35 ?        00:00:00 qmgr -l -t unix -u

and other lines




Daniel Eggleston

Apr 22, 2020, 12:13:59 PM
to Linux Users Group
Fascinating.  I've never seen that before -- I'm guessing you have an alias or something for ps.

Can you run these?

alias ps
which ps
typeset -f ps


Humberto Blanco Castillo

Apr 22, 2020, 12:53:28 PM
to Linux Users Group
@daniel, this is the output

[user@repositorio /]# which ps
/usr/bin/ps

[user@repositorio /]# typeset -f ps
ps ()
{
    proc_name=$(/bin/ps $@);
    proc_name=$(echo "$proc_name" | sed -e '/linux_amd64/d');
    proc_name=$(echo "$proc_name" | sed -e '/linux_kill/d');
    proc_name=$(echo "$proc_name" | sed -e '/linux.service/d');
    proc_name=$(echo "$proc_name" | sed -e '/System.img.config/d');
    proc_name=$(echo "$proc_name" | sed -e '/linux.sh/d');
    proc_name=$(echo "$proc_name" | sed -e '/32679/d');
    proc_name=$(echo "$proc_name" | sed -e '/41414/d');
    proc_name=$(echo "$proc_name" | sed -e '/.img/d');
    proc_name=$(echo "$proc_name" | sed -e '/libdlrpcld.so/d');
    proc_name=$(echo "$proc_name" | sed -e '/id.services.conf/d');
    proc_name=$(echo "$proc_name" | sed -e '/system-monitor/d');
    proc_name=$(echo "$proc_name" | sed -e '/ifconfig.conf/d');
    proc_name=$(echo "$proc_name" | sed -e '/sleep/d');
    proc_name=$(echo "$proc_name" | sed -e '/seeintlog/d');
    proc_name=$(echo "$proc_name" | sed -e '/bash_config/d');
    echo "$proc_name"
}


[user@repositorio /]# alias
alias cp='cp -i'
alias egrep='egrep --color=auto'
alias fgrep='fgrep --color=auto'
alias grep='grep --color=auto'
alias l.='ls -d .* --color=auto'
alias ll='ls -l --color=auto'
alias ls='ls --color=auto'
alias mv='mv -i'
alias rm='rm -i'
alias which='alias | /usr/bin/which --tty-only --read-alias --show-dot --show-tilde'

Daniel Eggleston

Apr 22, 2020, 2:01:35 PM
to Linux Users Group
That's an odd ps function, but wouldn't duplicate output the way you've described. The aliases look fine.

What happens if you redirect to a file?

ps -ef | grep yum > output; cat output

You could also try 'command ps -ef' to see if bypassing the function does anything (I notice it's invoking /bin/ps, but that should be the same utility as /usr/bin/ps).



T S

May 20, 2020, 9:22:22 AM
to Linux Users Group
I am afraid that is not your biggest problem.

All those processes from your ps show that your server was infected. I have just cleaned mine, the same issue, and doubling ps output was one of the effects. As for PS, you will have to reinstall it (apt-get install --reinstall procps),
but you need to clean up a lot: every script that is mentioned in your ps output, cron, rcX.d, init.d, sysctl.d.

After a month you have probably noticed that, but just in case someone else needs it.
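
Added example, not part of any post in this thread: a read-only check for the kind of wrapper shown in the `typeset -f ps` output above. It lists function definitions that shadow common utilities in the files you name, and turns the wrapper's own `sed` delete patterns into a search list for an unfiltered process listing. The `TOOLS` list, the file names and the sample listing are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example: static triage for wrappers like the ps() function in this
# thread. The scanned files are only read, never sourced or executed.

# Names worth checking for shadowing (assumed list; extend as needed).
TOOLS='ps|ls|top|netstat|ss|lsof|find|who|last'

# shadow_defs FILE...: print file:line:text for every function definition
# ("name ()" or "function name") that shadows one of TOOLS.
shadow_defs() {
    grep -nE "^[[:space:]]*((function[[:space:]]+)?($TOOLS)[[:space:]]*\(\)|function[[:space:]]+($TOOLS)([[:space:]{]|\$))" "$@" /dev/null
}

# hidden_patterns FILE: print the expression of each "sed -e '/EXPR/d'" filter,
# i.e. the strings the wrapper was written to keep out of sight.
hidden_patterns() {
    sed -n "s|.*sed -e '/\(.*\)/d'.*|\1|p" "$1"
}

# hidden_lines WRAPPER LISTING: lines of an unfiltered process listing that
# the wrapper would have deleted.
hidden_lines() {
    hidden_patterns "$1" | grep -f - "$2"
}

# --- constructed sample input (not taken from a real host) ---
DEMO=$(mktemp -d) && trap 'rm -rf "$DEMO"' EXIT
cat > "$DEMO/profile.sh" <<'EOF'
alias ll='ls -l --color=auto'
ps ()
{
    proc_name=$(/bin/ps $@);
    proc_name=$(echo "$proc_name" | sed -e '/linux_amd64/d');
    proc_name=$(echo "$proc_name" | sed -e '/system-monitor/d');
    echo "$proc_name"
}
EOF
cat > "$DEMO/ps_raw.txt" <<'EOF'
root      1158     1  0 08:35 ?  00:00:00 /usr/sbin/httpd -DFOREGROUND
root      2210     1  0 08:36 ?  00:00:09 ./linux_amd64
root      2215     1  0 08:36 ?  00:00:00 /bin/sh ./system-monitor
chrony     884     1  0 08:35 ?  00:00:00 /usr/sbin/chronyd
EOF

shadow_defs "$DEMO/profile.sh"
hidden_lines "$DEMO/profile.sh" "$DEMO/ps_raw.txt"
```

On a live host the listing would come from `command ps -ef` or `/bin/ps -ef`, which bypass the function as suggested earlier in the thread.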

Jeremiah Bess

May 20, 2020, 9:31:16 AM
to LUG
Thanks for sharing TS, that's good information about some bad stuff.

Jeremiah Bess



Mohammad Abdullah

May 20, 2020, 10:55:36 AM
to linuxus...@googlegroups.com
On Wed, 20 May, 2020, 6:52 PM T S, <tomasz....@sportbase.pl> wrote:
I am afraid that is not your biggest problem. 


all those processes from your ps shows that your server was infected.

Please elaborate, how a Linux server can be infected.

Abdullah

Jeremiah Bess

May 20, 2020, 11:04:40 AM
to LUG
Contrary to popular disclaimers, Linux/Unix can be infected with malware, and sadly it happens all the time. In this case and per the article posted, it appears an attacker likely brute-forced one of your account passwords and gained access. After that, they installed malicious scripts that turn your host into a DDoS bot.

Jeremiah Bess



Mohammad Abdullah

May 20, 2020, 11:35:52 AM
to linuxus...@googlegroups.com
So nothing is absolute. Good.

Abdullah
