Is there an ntop virus for Linux?

Michael Butash michael at butash.net
Wed Jul 29 10:23:30 MST 2009


Ntop is definitely not (traditionally) a virus, but unless you do some
basic configuration, it typically doesn't even start as a service
(requires an admin password to start).  Maybe other distros may be
different, but it's that way at least on ubuntu.

I'd say just apt-get|yum remove ntop if you really don't need/want it,
worst case simply disable the service.  Not much good unless you're
doing protocol analysis off a switch span port or are feeding it Netflow
data from an infrastructure switch or router.

-mb


On Wed, 2009-07-29 at 10:13 -0700, Ryan Rix wrote:
> Mark Phillips wrote:
> > On Wed, Jul 29, 2009 at 9:40 AM, Ryan Rix <phrkonaleash at gmail.com> wrote:
> > 
> >> Mark Phillips wrote:
> >>> Whenever I start my Debian Lenny testing laptop a process called ntop starts
> >>> and quickly consumes 99% of my cpu. If I kill the process, nothing happens.
> >>> If I run ntop from the command line, it does what the man page says it does,
> >>> and hardly consumes any resources at all. There is an ntop in /etc/init.d/,
> >>> and when I run /etc/init.d/ntop it consumes very few resources - the script
> >>> calls /usr/sbin/ntop. There are no entries in the /var/log/ntop/access.log
> >>> file.
> >>>
> >>> My questions are:
> >>>
> >>> Do I have a virus masquerading as ntop, and if so how do I remove it? I
> >>> googled "linux ntop virus" and did not come up with anything useful.
> >>>
> >>> Can I just remove ntop from /etc/init.d/ ?
> >>>
> >>> How do I find out if another startup program needs ntop?
> >>>
> >>> Is ntop necessary at startup?
> >>>
> >> Are you monitoring your network usage?
> >> if not, probably safe to remove the /etc/rc.d/ hooks for it for the
> >> runlevel you are booting into.
> >>
> >> /etc/rc.d/rc5/XX-ntop <-- look for something like that if you are
> >> booting into runlevel 5 (full desktop)
> >>
> >> all in all, removing init.d scripts is a bad idea.
> >>
> >> If the init scripts in debian use LSB, the headers will tell you which
> >> (if any) require ntop.
> >>
> >> Does ps -aux list any options for ntop when it's run from init?
> >>
> >> Ryan
> > 
> > 
> > Ryan,
> > 
> > I am not monitoring network usage. This weird behavior just started a week
> > or so ago.
> > 
> > Here is what ps says when I start ntop:
> > 
> > narwhale:/home/mark# ps aux | grep ntop
> > ntop     10943  4.5  2.6 197824 27136 ?        Ssl  09:49   0:00
> > /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --access-log-file
> > /var/log/ntop/access.log -i eth0,eth1 -p /etc/ntop/protocol.list -O
> > /var/log/ntop
> 
> sounds like it's just running as a standard daemon
> 
> > 
> > I ran grep -nr "ntop" /etc/init.d and all references to ntop are from the
> > ntop script, so I assume none of the other init.d scripts are calling ntop.
> > 
> > Any other thoughts, or should I just disable ntop from init.d:
> > 
> > update-rc.d -f  ntop remove
> 
> If you know you don't need it and know how to bring it back if it breaks 
> something, feel free :)
> 
> > 
> > Mark
> > 
> > P.S. Since I started ntop to check the output from ps, I let it run. And
> > sure enough, after a few minutes, the fan started blowing hard and CPU usage
> > went over 90% for ntop. Now I am really confused....I guess the real
> > question is why do I need ntop to start my laptop?
> >
> 
> Running a firewall perhaps with some autoblocking doohickey? I have no 
> idea...
> 
> Ryan
> 
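The two checks the thread circles around (Ryan's "the LSB headers will tell you which require ntop" and Mark's comparison of the ps output against what /etc/init.d/ntop launches) as an added shell example; this is not code from the thread, and the init scripts it writes under a temp directory are constructed for the demo, with "myflowcollector" being a made-up service name.

```shell
#!/bin/sh
# Added example (not from the thread). Two checks for a puzzle like Mark's:
#  1. lsb_dependents: which init.d scripts declare the facility in their LSB
#     Required-Start/Should-Start headers (what Debian's insserv reads).
#  2. exe_of_pid_matches: does the running process's executable (/proc/PID/exe)
#     match the DAEMON= path its init script launches.
# The init scripts written below are constructed for the demo.
# lsb_dependents DIR FACILITY: print the scripts whose LSB block lists FACILITY
lsb_dependents() {
    dir=$1 facility=$2
    for script in "$dir"/*; do
        [ -f "$script" ] || continue
        if sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' "$script" |
           grep -E '^# (Required|Should)-Start:' |
           grep -qwF -- "$facility"; then
            basename "$script"
        fi
    done
}

# init_daemon_path SCRIPT: the DAEMON= path the init script starts
init_daemon_path() {
    sed -n 's/^DAEMON=\(.*\)$/\1/p' "$1" | head -n 1
}

# exe_of_pid_matches PID SCRIPT: 0 if the process binary is the script's DAEMON;
# a mismatch means something other than the packaged binary is using the name.
exe_of_pid_matches() {
    exe=$(readlink -f "/proc/$1/exe" 2>/dev/null) || return 2
    [ "$exe" = "$(init_daemon_path "$2")" ]
}

demo_dir=$(mktemp -d); trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/ntop" <<'EOF'
### BEGIN INIT INFO
# Provides:          ntop
# Required-Start:    $network $remote_fs
### END INIT INFO
DAEMON=/usr/sbin/ntop
EOF
cat > "$demo_dir/myflowcollector" <<'EOF'
### BEGIN INIT INFO
# Provides:          myflowcollector
# Required-Start:    $network ntop
### END INIT INFO
DAEMON=/usr/local/sbin/flowcollector
EOF
echo "scripts needing ntop: $(lsb_dependents "$demo_dir" ntop)"
echo "ntop init script starts: $(init_daemon_path "$demo_dir/ntop")"
```

On a real box, point lsb_dependents at /etc/init.d and pass the ntop PID from ps to exe_of_pid_matches; an empty dependents list is what makes `update-rc.d -f ntop remove` safe.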
