Is there an ntop virus for Linux?

Bob Elzer bob.elzer at gmail.com
Wed Jul 29 10:46:40 MST 2009


I agree with Hans. Did you turn on any monitoring programs? Stat gathering,
Big Brother, Hobbit, Nagios, anything of this nature?
 


  _____  

From: plug-discuss-bounces at lists.plug.phoenix.az.us
[mailto:plug-discuss-bounces at lists.plug.phoenix.az.us] On Behalf Of Mark
Phillips
Sent: Wednesday, July 29, 2009 9:59 AM
To: Main PLUG discussion list
Subject: Re: Is there an ntop virus for Linux?




On Wed, Jul 29, 2009 at 9:40 AM, Ryan Rix <phrkonaleash at gmail.com> wrote:


Mark Phillips wrote:
> Whenever I start my Debian Lenny testing laptop a process called ntop
> starts and quickly consumes 99% of my cpu. If I kill the process, nothing
> happens. If I run ntop from the command line, it does what the man page
> says it does, and hardly consumes any resources at all. There is an ntop
> in /etc/init.d/, and when I run /etc/init.s/ntop it consumes very few
> resources - the script calls /usr/sbin/ntop. There are no entries in the
> /var/log/ntop/access.log file.
>
> My questions are:
>
> Do I have a virus masquerading as ntop, and if so how do I remove it? I
> googled "linux ntop virus" and did not come up with anything useful.
>
> Can I just remove ntop from /etc/init.d/ ?
>
> How do I find out if another startup program needs ntop?
>
> Is ntop necessary at startup?
>


Are you monitoring your network usage?
If not, probably safe to remove the /etc/rc.d/ hooks for it for the
runlevel you are booting into.

/etc/rc.d/rc5/XX-ntop <-- look for something like that if you are
booting into runlevel 5 (full desktop)

All in all, removing init.d scripts is a bad idea.

If the init scripts in Debian use LSB, the headers will tell you which
(if any) require ntop.

Does ps -aux list any options for ntop when it's run from init?

Ryan


Ryan,
 
I am not monitoring network usage. This weird behavior just started a week
or so ago.
 
Here is what ps says when I start ntop:
 
narwhale:/home/mark# ps aux | grep ntop
ntop     10943  4.5  2.6 197824 27136 ?        Ssl  09:49   0:00 /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --access-log-file /var/log/ntop/access.log -i eth0,eth1 -p /etc/ntop/protocol.list -O /var/log/ntop

I ran grep -nr "ntop" /etc/init.d and all references to ntop are from the
ntop script, so I assume none of the other init.d scripts are calling ntop.
 
Any other thoughts, or should I just disable ntop from init.d:

update-rc.d -f  ntop remove 
Mark

P.S. Since I started ntop to check the output from ps, I let it run. And
sure enough, after a few minutes, the fan started blowing hard and CPU usage
went over 90% for ntop. Now I am really confused....I guess the real
question is why do I need ntop to start my laptop?
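
Added example, not part of the thread: one way to check the "is something masquerading as ntop?" question is to confirm that a running process named ntop is executing the file the package installed and that the file matches the package's recorded checksum. The function name verify_proc_exe, the package name ntop and the /var/lib/dpkg/info/ntop.md5sums path are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): check that a running process is really
# the packaged binary. Prints one of:
#   ok | deleted | path-mismatch | no-record | hash-mismatch | no-process
# Caveat: the md5sums list lives on the same host, so this only catches a
# careless replacement; comparing against a freshly downloaded package is a
# stronger check.

# verify_proc_exe PID EXPECTED_PATH MD5SUMS_FILE [PROC_ROOT]
verify_proc_exe() {
    pid=$1; expected=$2; sums=$3; proc_root=${4:-/proc}

    # /proc/PID/exe points at the file the kernel actually executed; a process
    # cannot change it by renaming itself in ps output.
    exe=$(readlink "$proc_root/$pid/exe") || { echo no-process; return 1; }

    case $exe in
        # The on-disk file was removed or replaced after the process started.
        *" (deleted)") echo deleted; return 1 ;;
    esac
    [ "$exe" = "$expected" ] || { echo path-mismatch; return 1; }

    # dpkg md5sums lines look like "<md5>  usr/sbin/ntop" (no leading slash).
    rel=${expected#/}
    want=$(awk -v p="$rel" \
        '{ h = $1; sub(/^[^ ]+ +/, ""); if ($0 == p) print h }' "$sums")
    [ -n "$want" ] || { echo no-record; return 1; }

    have=$(md5sum "$exe" | awk '{ print $1 }')
    [ "$have" = "$want" ] || { echo hash-mismatch; return 1; }
    echo ok
}

# Usage on the host, as root (package name and md5sums path are assumptions):
#   for p in $(pidof ntop); do
#       verify_proc_exe "$p" /usr/sbin/ntop /var/lib/dpkg/info/ntop.md5sums
#   done
```

Anything other than "ok" means the process is not running the file the package recorded and deserves a closer look before the init script is simply disabled.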


