
cupsd connection to 000dom.revenuedirect.com ??? [SOLVED]

Posted: Wed 18 Jul 2018, 12:51
by musher0
Hi.

I just noticed this morning, typing

Code:

lsof -i
as I do once in a while, that my cups daemon was connected to
000dom.revenuedirect.com??? Result:

Code:

COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd      8383 root    8u  IPv4   8578      0t0  TCP 000dom.revenuedirect.com:631 (LISTEN)
(...)
Is that a legit site? I don't like it... A name like that has to be fishy.
Usually, cupsd does not connect to that site.

When I tried to go to the revenuedirect site with SeaMonkey, I got an error
message. (The connection is refused?)

A search through ask.com on "revenue direct" comes up with this
among other material. Although I find what they do unpleasant, the
Direct_Revenue company from NYC seems to be a legitimate concern.

The main question I have is: Can the cups connection on your Pup be used
for malware, spying, and the like?

Any info on this subject will be appreciated. TIA.

Posted: Wed 18 Jul 2018, 15:01
by rcrsn51
CUPS is a server. Its default configuration is to only listen on its own computer (localhost) for apps that are requesting print services.

But if you have enabled printer sharing, it will also listen on the LAN for requests.

But supposedly your LAN is behind a router, and you are NOT allowing clients from the WAN.

You need to check the settings on the CUPS admin page and your /etc/cups/cupsd.conf

Is there a host somewhere on your network named 000dom.revenuedirect.com?
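The check rcrsn51 asks for, as an added example that is not code from the thread or from the CUPS project: a shell audit of the Listen and Port directives in a cupsd.conf that flags anything bound beyond loopback, followed by the numeric socket listing to compare it against. The configuration text in the block is a constructed sample, not the poster's file, and the socket path is an assumption. On a stock install `Listen localhost:631` plus a UNIX socket is the local-only setup described above; printer sharing replaces that with `Port 631` or `Listen *:631`, which binds every interface.

```shell
#!/bin/sh
# Added example, not from the thread: audit the bind addresses in a cupsd.conf
# and compare them with the numeric socket listing. SAMPLE_CUPSD_CONF is a
# constructed sample, not the poster's file; paths and values are assumptions.

SAMPLE_CUPSD_CONF='# constructed sample cupsd.conf (stock, local-only layout)
LogLevel warn
Listen localhost:631
Listen /var/run/cups/cups.sock
Browsing Off
<Location />
  Order allow,deny
</Location>
'

# Print every address cupsd would bind, one per line: each "Listen" value,
# and "*:N" for a bare "Port N" (which binds port N on all interfaces).
cups_bind_addrs() {   # $1: path to a cupsd.conf
    awk '
        /^[ \t]*#/ { next }                       # skip comment lines
        tolower($1) == "listen" { print $2 }
        tolower($1) == "port"   { print "*:" $2 }
    ' "$1"
}

# Classify one bind address as loopback/UNIX-socket (local) or network-reachable.
classify_bind() {     # $1: one line from cups_bind_addrs
    case "$1" in
        /*)                             echo "local   $1 (UNIX socket)" ;;
        localhost:*|127.*|"[::1]:"*)    echo "local   $1" ;;
        "*:"*|0.0.0.0:*|"[::]:"*)       echo "EXPOSED $1 (all interfaces)" ;;
        *)                              echo "EXPOSED $1 (specific interface)" ;;
    esac
}

# Exit 0 when every bind address is local, 1 when any is network-reachable.
cups_is_local_only() {   # $1: path to a cupsd.conf
    n=$(cups_bind_addrs "$1" | while read -r a; do classify_bind "$a"; done | grep -c '^EXPOSED' || true)
    [ "$n" -eq 0 ]
}

# Stand-alone run: audit the constructed sample.
_conf=$(mktemp)
printf '%s' "$SAMPLE_CUPSD_CONF" > "$_conf"
cups_bind_addrs "$_conf" | while read -r a; do classify_bind "$a"; done
if cups_is_local_only "$_conf"; then
    echo "verdict: cupsd accepts connections from this machine only"
else
    echo "verdict: cupsd is reachable from the network; check printer sharing"
fi
rm -f "$_conf"

# Then compare with what is actually bound, with name resolution disabled
# (-n) and port numbers kept numeric (-P), so hosts-file and DNS names cannot
# colour the output:
#     lsof -i -n -P | grep cupsd
#     ss -ltnp | grep ':631'
# A stock install shows 127.0.0.1:631 in LISTEN state; *:631 or 0.0.0.0:631
# means the daemon is listening on every interface.
```

The config audit and the live listing should agree; if cupsd.conf says `localhost:631` but `ss -ltnp` shows `0.0.0.0:631`, the running daemon is not using the file you are reading (a second config, a restart that never happened, or a different cupsd binary).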

Posted: Wed 18 Jul 2018, 16:10
by perdido
It's an ad server run by Sedo.

I see it mentioned a lot on suggested hosts file entries.


Posted: Wed 18 Jul 2018, 22:28
by musher0
Thanks rcrsn51 and perdido.

I do not have a printer connected to this xenialPup-7.0.6 and never even
tried to configure one on it.

I do not usually need a printer. For my very minimal printing needs, I print a
document to PDF, copy the PDF file to a thumb-drive, go to the public library
and pay 25¢ a page to get the print out from their printer.

BFN.

Posted: Wed 18 Jul 2018, 22:51
by dancytron
FWIW, my uBlock Origin blocks it.

uBlock Origin has prevented the following page from loading:

http://000dom.revenuedirect.com/

Because of the following filter

||revenuedirect.com^
Found in: Malvertising filter list by Disconnect • Peter Lowe’s Ad and tracking server list

Posted: Wed 18 Jul 2018, 23:43
by Galbi
@musher0: do you have a hosts file like this? http://winhelp2002.mvps.org/hosts.htm
there are others, but I use that in all my machines, real - virtual - linux - windows.

This brings me a question: using such a hosts file, does it block connections for all kinds of software or just for the browser?

I guess it is the 1st choice, but not sure...

Thanks.

Posted: Thu 19 Jul 2018, 00:08
by rcrsn51
musher0 wrote: I do not have a printer connected to this xenialPup-7.0.6 and never even tried to configure one on it.
Then you should disable the cupsd service at bootup.

Posted: Thu 19 Jul 2018, 02:26
by musher0
Good idea! Many thanks, rcrsn51! :) Problem solved.

Posted: Thu 19 Jul 2018, 02:35
by musher0
Galbi wrote: @musher0: do you have a hosts file like this? http://winhelp2002.mvps.org/hosts.htm
there are others, but I use that in all my machines, real - virtual - linux - windows.

This brings me a question: using such a hosts file, does it block connections for all kinds of software or just for the browser?

I guess it is the 1st choice, but not sure...

Thanks.
Hi Galbi.

Thanks for your reply.

Yes, I am using a < hosts > file populated by the < pup-advert-blocker >
utility.

Concerning your second question, I do not know if a cupsd connection
to a malware site (theoretically) can infect one's Internet connection.
The two appear to be in separate "channels", though.

That is what had me worried, initially. But reasoning from rcrsn51's
suggestion, if the cups daemon is not connected, it cannot transmit any
infection, can it? :)

BFN.

Posted: Thu 19 Jul 2018, 10:58
by rcrsn51
When you originally ran the lsof command, did you have a browser open? Or had one been previously open?

I suspect that cupsd saw the 000dom.revenuedirect.com process running somewhere on localhost (or maybe associated with a tcp port) and decided to listen to it for print requests.

Since 000dom.revenuedirect.com isn't interested in printing, I doubt if anything malicious could happen.

But it's certainly interesting that CUPS would do that.
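A practitioner's check on two points raised above, Galbi's question about how far a hosts-file blocklist reaches and rcrsn51's guess about where the name in the lsof output came from. This is an added example, not code from the thread. Two facts about the original output are certain: `(LISTEN)` marks a socket waiting for incoming connections, so the line shows cupsd waiting for local print requests rather than any connection out to a remote host; and without `-n`, lsof turns the bound address into a name through the system resolver, which on a default nsswitch setup consults /etc/hosts before DNS. The hosts files in the block are constructed samples that imitate an ad-blocking list mapping ad hosts to 127.0.0.1, and the two functions reproduce how the glibc files backend answers forward and reverse lookups (first matching line wins). That the poster's pup-advert-blocker list placed such an entry ahead of localhost is an assumption, but it is the simplest explanation of that lsof line: `lsof -i -n -P` would have shown 127.0.0.1:631 with no name at all.

```shell
#!/bin/sh
# Added example, not from the thread: how an /etc/hosts blocklist answers
# forward and reverse lookups. Both hosts files below are constructed samples;
# that the poster's pup-advert-blocker list looked like the first one is an
# assumption used only to show the mechanism.

# Ad-blocker entries listed before the localhost line.
SAMPLE_HOSTS='# constructed sample /etc/hosts
127.0.0.1 000dom.revenuedirect.com
127.0.0.1 ads.example.invalid
127.0.0.1 localhost
::1       localhost
'

# Same entries with localhost first.
SAMPLE_HOSTS_LOCALHOST_FIRST='# constructed sample /etc/hosts
127.0.0.1 localhost
::1       localhost
127.0.0.1 000dom.revenuedirect.com
127.0.0.1 ads.example.invalid
'

# Forward lookup as the glibc "files" backend does it: the first line that
# carries the name in any hostname field wins. Prints the address, or nothing.
hosts_forward() {   # $1: hosts file, $2: hostname
    awk -v name="$2" '
        { sub(/#.*/, "") }                 # strip comments; awk re-splits fields
        NF < 2 { next }
        { for (i = 2; i <= NF; i++) if ($i == name) { print $1; exit } }
    ' "$1"
}

# Reverse lookup: the first line whose address field equals the IP wins, and
# its first hostname is returned. This is what a tool that resolves addresses
# to names (lsof without -n, netstat without -n) prints for 127.0.0.1.
hosts_reverse() {   # $1: hosts file, $2: IP address
    awk -v ip="$2" '
        { sub(/#.*/, "") }
        NF < 2 { next }
        $1 == ip { print $2; exit }
    ' "$1"
}

# Stand-alone run on the two samples.
_h1=$(mktemp); printf '%s' "$SAMPLE_HOSTS" > "$_h1"
_h2=$(mktemp); printf '%s' "$SAMPLE_HOSTS_LOCALHOST_FIRST" > "$_h2"
echo "forward 000dom.revenuedirect.com   -> $(hosts_forward "$_h1" 000dom.revenuedirect.com)"
echo "forward example.com (not listed)   -> [$(hosts_forward "$_h1" example.com)]"
echo "reverse 127.0.0.1, blocklist first -> $(hosts_reverse "$_h1" 127.0.0.1)"
echo "reverse 127.0.0.1, localhost first -> $(hosts_reverse "$_h2" 127.0.0.1)"
rm -f "$_h1" "$_h2"

# On the real system the same two lookups go through the resolver library and
# therefore reflect /etc/hosts for every program that uses it:
#     getent hosts 000dom.revenuedirect.com    # forward lookup via nsswitch
#     getent hosts 127.0.0.1                   # reverse lookup via nsswitch
```

A hosts file works at the resolver level, so it applies to any program that looks up names through getaddrinfo or gethostbyname: browsers, cupsd, package managers, and scripts calling curl or wget alike. It does nothing for software that queries a DNS server directly (dig, nslookup, a browser with DNS-over-HTTPS switched on) or that connects by IP address, and it cannot stop a process that is already listening locally; for that, what matters is the bind address, which `lsof -i -n -P` or `ss -ltnp` shows without the resolver in the way.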

Posted: Thu 19 Jul 2018, 16:42
by musher0
Hello rcrsn51.

I have now un-ticked the setting for cupsd and rebooted, so I'm afraid
we'll never know.

That said, what you suggest is not impossible. I do routinely leave a
browser running in the background, and I enable anti-adware on all of
them.

But I think not. < lsof -i > picks up and shows any connection to my
ISP with a running browser. And there is none shown in the description
in my OP.

Again, thanks. BFN.