Ntop is definitely not (traditionally) a virus, but unless you do some basic configuration, it typically doesn't even start as a service (requires an admin password to start). Maybe other distros may be different, but it's that way at least on Ubuntu.

I'd say just apt-get|yum remove ntop if you really don't need/want it, worst case simply disable the service. Not much good unless you're doing protocol analysis off a switch span port or are feeding it Netflow data from an infrastructure switch or router.

-mb

On Wed, 2009-07-29 at 10:13 -0700, Ryan Rix wrote:
> Mark Phillips wrote:
> > On Wed, Jul 29, 2009 at 9:40 AM, Ryan Rix wrote:
> >
> >> Mark Phillips wrote:
> >>> Whenever I start my Debian Lenny testing laptop a process called ntop starts
> >>> and quickly consumes 99% of my cpu. If I kill the process, nothing happens.
> >>> If I run ntop from the command line, it does what the man page says it does,
> >>> and hardly consumes any resources at all. There is an ntop in /etc/init.d/,
> >>> and when I run /etc/init.s/ntop it consumes very few resources - the script
> >>> calls /usr/sbin/ntop. There are no entries in the /var/log/ntop/access.log
> >>> file.
> >>>
> >>> My questions are:
> >>>
> >>> Do I have a virus masquerading as ntop, and if so how do I remove it? I
> >>> googled "linux ntop virus" and did not come up with anything useful.
> >>>
> >>> Can I just remove ntop from /etc/init.d/ ?
> >>>
> >>> How do I find out if another startup program needs ntop?
> >>>
> >>> Is ntop necessary at startup?
> >>>
> >> Are you monitoring your network usage?
> >> if not, probably safe to remove the /etc/rc.d/ hooks for it for the
> >> runlevel you are booting into.
> >>
> >> /etc/rc.d/rc5/XX-ntop <-- look for something like that if you are
> >> booting into runlevel 5 (full desktop)
> >>
> >> all in all, removing init.d scripts is a bad idea.
> >>
> >> If the init scripts in debian use LSB, the headers will tell you which
> >> (if any) require ntop.
> >>
> >> Does ps -aux list any options for ntop when it's run from init?
> >>
> >> Ryan
> >
> >
> > Ryan,
> >
> > I am not monitoring network usage. This weird behavior just started a week
> > or so ago.
> >
> > Here is what ps says when I start ntop:
> >
> > narwhale:/home/mark# ps aux | grep ntop
> > ntop 10943 4.5 2.6 197824 27136 ? Ssl 09:49 0:00
> > /usr/sbin/ntop -d -L -u ntop -P /var/lib/ntop --access-log-file
> > /var/log/ntop/access.log -i eth0,eth1 -p /etc/ntop/protocol.list -O
> > /var/log/ntop
>
> sounds like it's just running as a standard daemon
>
> >
> > I ran grep -nr "ntop" /etc/init.d and all references to ntop are from the
> > ntop script, so I assume none of the other init.d scripts are calling ntop.
> >
> > Any other thoughts, or should I just disable ntop from init.d:
> >
> > update-rc.d -f ntop remove
>
> If you know you don't need it and know how to bring it back if it breaks
> something, feel free :)
>
> >
> > Mark
> >
> > P.S. Since I started ntop to check the output from ps, I let it run. And
> > sure enough, after a few minutes, the fan started blowing hard and CPU usage
> > went over 90% for ntop. Now I am really confused....I guess the real
> > question is why do I need ntop to start my laptop?
> >
>
> Running a firewall perhaps with some autoblocking doohicky? I have no
> idea...
>
> Ryan
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
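
Added example, not part of the thread: one way to check the "is something masquerading as ntop?" question is to resolve the binary behind each running `ntop` PID and compare it with the checksum dpkg recorded for the owning package. The function names and the script name `audit.sh` are hypothetical; it assumes Linux `/proc`, a dpkg-based system and coreutils `md5sum`.

```shell
#!/usr/bin/env bash
# Added example (not from the thread). Function names are illustrative.

# Print the executable path the kernel recorded for a PID.
proc_exe() {
    readlink "/proc/$1/exe"
}

# check_packaged_file <md5sums-manifest> <absolute-path> [root]
# Manifest lines use dpkg's format: "<md5>  <path without leading slash>".
# Returns 0 = hash matches, 1 = mismatch or unreadable, 2 = path not in manifest.
check_packaged_file() {
    local manifest="$1" path="$2" root="${3:-/}"
    local rel="${path#/}" want have
    want=$(awk -v p="$rel" '{ h = $1; sub(/^[0-9a-f]+  /, "")
                              if ($0 == p) { print h; exit } }' "$manifest" 2>/dev/null)
    [ -n "$want" ] || return 2
    have=$(md5sum "${root%/}/$rel" 2>/dev/null | cut -d' ' -f1)
    [ "$have" = "$want" ]
}

# Report on one PID: which file it runs, which package owns it, whether it matches.
audit_pid() {
    local pid="$1" exe pkg rc
    exe=$(proc_exe "$pid") || { echo "pid $pid: cannot read /proc/$pid/exe"; return 3; }
    case "$exe" in
        *" (deleted)")   # file was unlinked or replaced after the process started
            echo "pid $pid: $exe"; return 1 ;;
    esac
    pkg=$(dpkg -S "$exe" 2>/dev/null | head -n 1)
    pkg="${pkg%%: *}"    # "ntop: /usr/sbin/ntop" -> "ntop"
    [ -n "$pkg" ] || { echo "pid $pid: $exe is not owned by any package"; return 2; }
    rc=0
    check_packaged_file "/var/lib/dpkg/info/$pkg.md5sums" "$exe" || rc=$?
    case "$rc" in
        0) echo "pid $pid: $exe matches package $pkg" ;;
        2) echo "pid $pid: $exe has no checksum recorded in $pkg" ;;
        *) echo "pid $pid: $exe DIFFERS from package $pkg" ;;
    esac
    return "$rc"
}

# Usage: ./audit.sh ntop   (run as root to read other users' /proc entries)
if [ "$#" -gt 0 ]; then
    status=0
    for pid in $(pgrep -x "$1"); do audit_pid "$pid" || status=1; done
    exit "$status"
fi
```

The manifest sits on the same disk as the binary, so a match rules out corruption or a casual replacement, not someone with root who also rewrote the manifest.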