Is there an ntop virus for Linux?

Michael Butash michael at butash.net
Wed Jul 29 12:41:44 MST 2009


Not that I know of, and I find it hard to believe ntop would start
default on any distro, especially Debian.  Must have got in via another
odd dependency.  It's typically a standalone app and webserver of its
own for diagnosing tcp/udp application flows from the flag level, not
typically used by most outside of networking folk.  I'm not sure it even
offers a direct api for another app to use unless an app is scraping, I
suppose it's possible another has it as a dependency.

It usually is stable under low loads, so if it's freaking out, either
it's a bad build, you have a lot of broadcast/unicast flooding occurring
that it's seeing, or "normal" traffic of your own it's crunching on.
I've killed it with gratuitous bittorrent connections on a slow test
box.

What does it show when you http to:

http://localhost:3000

Should be default port.  If you get curious, maybe you should.  :)

-mb


On Wed, 2009-07-29 at 11:19 -0700, Mark Phillips wrote:
> No, nothing that I am aware of. 
>  
> I disabled ntop from init.d, rebooted, and the world did not come to
> an end...;-).
>  
> Does VMware or VirtualBox depend on ntop in some way? I have those
> installed for my Windows partition, but I don't use them because my
> po' lil' Pentium IV has a hard time keeping up with both Linux and XP
> at the same time. I also couldn't get USB and network to work with
> them, so my dream of running iTunes on Linux (via VMware/VirtualBox
> and XP) did not come to fruition. Perhaps they installed ntop?
>  
> Mark
> 
> On Wed, Jul 29, 2009 at 10:46 AM, Bob Elzer <bob.elzer at gmail.com>
> wrote:
>         I agree with Hans, did you turn on any monitoring programs ?
>         Stat gathering, big brother, hobbit, nagios anything of this
>         nature ?
>          
>         
>                 
>                 ______________________________________________________
>                 From: plug-discuss-bounces at lists.plug.phoenix.az.us
>                 [mailto:plug-discuss-bounces at lists.plug.phoenix.az.us]
>                 On Behalf Of Mark Phillips
>                 Sent: Wednesday, July 29, 2009 9:59 AM
>                 To: Main PLUG discussion list
>                 Subject: Re: Is there an ntop virus for Linux?
>                 
>                 
>                 
>                 
>                 
>                 
>                 On Wed, Jul 29, 2009 at 9:40 AM, Ryan Rix
>                 <phrkonaleash at gmail.com> wrote:
>                         
>                         Mark Phillips wrote:
>                         > Whenever I start my Debian Lenny testing laptop a process called ntop starts
>                         > and quickly consumes 99% of my cpu. If I kill the process, nothing happens.
>                         > If I run ntop from the command line, it does what the man page says it does,
>                         > and hardly consumes any resources at all. There is an ntop in /etc/init.d/,
>                         > and when I run /etc/init.d/ntop it consumes very few resources - the script
>                         > calls /usr/sbin/ntop. There are no entries in the /var/log/ntop/access.log
>                         > file.
>                         >
>                         > My questions are:
>                         >
>                         > Do I have a virus masquerading as ntop, and if so how do I remove it? I
>                         > googled "linux ntop virus" and did not come up with anything useful.
>                         >
>                         > Can I just remove ntop from /etc/init.d/ ?
>                         >
>                         > How do I find out if another startup program needs ntop?
>                         >
>                         > Is ntop necessary at startup?
>                         >
>                         
>                         
>                         Are you monitoring your network usage?
>                         if not, probably safe to remove the /etc/rc.d/
>                         hooks for it for the
>                         runlevel you are booting into.
>                         
>                         /etc/rc.d/rc5/XX-ntop <-- look for something
>                         like that if you are
>                         booting into runlevel 5 (full desktop)
>                         
>                         all in all, removing init.d scripts is a bad
>                         idea.
>                         
>                         If the init scripts in debian use LSB, the
>                         headers will tell you which
>                         (if any) require ntop.
>                         
>                         Does ps -aux list any options for ntop when
>                         it's run from init?
>                         
>                         Ryan
>                 
>                 Ryan,
>                  
>                 I am not monitoring network usage. This weird behavior
>                 just started a week or so ago.
>                  
>                 Here is what ps says when I start ntop:
>                  
>                 narwhale:/home/mark# ps aux | grep ntop
>                 ntop     10943  4.5  2.6 197824 27136 ?        Ssl  09:49   0:00 /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --access-log-file /var/log/ntop/access.log -i eth0,eth1 -p /etc/ntop/protocol.list -O /var/log/ntop
>                 
>                 I ran grep -nr "ntop" /etc/init.d and all references
>                 to ntop are from the ntop script, so I assume none of
>                 the other init.d scripts are calling ntop.
>                  
>                 Any other thoughts, or should I just disable ntop from
>                 init.d:
>                 update-rc.d -f  ntop remove 
>                 Mark
>                 
>                 P.S. Since I started ntop to check the output from ps,
>                 I let it run. And sure enough, after a few minutes,
>                 the fan started blowing hard and CPU usage went over
>                 90% for ntop. Now I am really confused....I guess the
>                 real question is why do I need ntop to start my
>                 laptop?
>                 
>                 
>                 
>         
>         ---------------------------------------------------
>         PLUG-discuss mailing list -
>         PLUG-discuss at lists.plug.phoenix.az.us
>         To subscribe, unsubscribe, or to change your mail settings:
>         http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> 
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
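
Added example, not part of the thread: one way to answer "is something masquerading as ntop?" on Debian is to compare /proc/PID/exe with the path shown in the ps output (/usr/sbin/ntop) and the file's MD5 with the checksum dpkg recorded for the package. PROC_ROOT, DPKG_INFO and FS_ROOT are hypothetical override variables, and the tree that demo builds is constructed.

```sh
#!/bin/sh
# Added example (not from the thread): is a process named ntop really the
# packaged /usr/sbin/ntop? PROC_ROOT, DPKG_INFO and FS_ROOT are hypothetical
# overrides so the checks can run against a constructed tree.
: "${PROC_ROOT:=/proc}" "${DPKG_INFO:=/var/lib/dpkg/info}" "${FS_ROOT:=}"

# exe_status PID EXPECTED -> ok | deleted | mismatch | unreadable
exe_status() {
    target=$(readlink "$PROC_ROOT/$1/exe" 2>/dev/null) || { echo unreadable; return 0; }
    case "$target" in
        "$2")           echo ok ;;
        "$2 (deleted)") echo deleted ;;   # on-disk binary replaced or removed since start
        *)              echo mismatch ;;  # name says ntop, image is another file
    esac
}

# pkg_md5_status PACKAGE ABS_PATH -> ok | modified | untracked
# Lines in dpkg's <package>.md5sums are "<md5>  <path without leading slash>".
pkg_md5_status() {
    want=$(awk -v p="${2#/}" 'substr($0, 35) == p { print $1; exit }' \
        "$DPKG_INFO/$1.md5sums" 2>/dev/null) || want=""
    [ -n "$want" ] || { echo untracked; return 0; }
    have=$(md5sum "$FS_ROOT$2" 2>/dev/null | cut -d' ' -f1)
    if [ "$have" = "$want" ]; then echo ok; else echo modified; fi
}

# Constructed sample tree: PID 100 runs the real path, 101 only borrows the
# name, 102 runs an image replaced on disk after start, 103 does not exist.
demo() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/proc/100" "$t/proc/101" "$t/proc/102" "$t/info" "$t/root/usr/sbin"
    ln -s /usr/sbin/ntop "$t/proc/100/exe"
    ln -s /opt/other/ntop "$t/proc/101/exe"
    ln -s "/usr/sbin/ntop (deleted)" "$t/proc/102/exe"
    printf 'constructed binary\n' > "$t/root/usr/sbin/ntop"
    sum=$(md5sum "$t/root/usr/sbin/ntop" | cut -d' ' -f1)
    printf '%s  usr/sbin/ntop\n' "$sum" > "$t/info/ntop.md5sums"
    PROC_ROOT="$t/proc" DPKG_INFO="$t/info" FS_ROOT="$t/root"
    for pid in 100 101 102 103; do
        printf '%s=%s ' "$pid" "$(exe_status "$pid" /usr/sbin/ntop)"
    done
    printf 'pkg=%s ' "$(pkg_md5_status ntop /usr/sbin/ntop)"
    printf 'changed\n' >> "$t/root/usr/sbin/ntop"   # simulate a modified binary
    printf 'pkg_after_change=%s\n' "$(pkg_md5_status ntop /usr/sbin/ntop)"
    rm -rf "$t"
)
demo
```

On a real host, run the two functions as root with the default variables against the PID from ps. The md5sums file sits on the same disk as the binary, so a match is a sanity check rather than proof of integrity.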


