cupsd connection to 000dom.revenuedirect.com ??? [SOLVED]

Message

musher0 · #1 Post by **musher0** » Wed 18 Jul 2018, 12:51

Hi.

I just noticed this morning, typing

lsof -i

as I do once and a while, that my cups demon was connected to
000dom.revenuedirect.com??? Result:

Code: Select all

COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd      8383 root    8u  IPv4   8578      0t0  TCP 000dom.revenuedirect.com:631 (LISTEN)
(...)

Is that a legit site? I don't like it... A name like that has to be fishy.
Usually, cupsd does not connect to that site.

When I tried to go to the revenuedirect site with SeaMonkey, I got an error
message. (The connection is refused?)

A search through ask.com on "revenue direct" comes up with this
among other material. Although I find what they do unpleasant, the
Direct_Revenue company from NYC seems to be a legitimate concern.

The main question I have is: Can the cups connection on your Pup be used
for malware, spying, and the like?

Any info on this subject will be appreciated. TIA.

rcrsn51 · #2 Post by **rcrsn51** » Wed 18 Jul 2018, 15:01

CUPS is a server. Its default configuration is to only listen on its own computer (localhost) for apps that are requesting print services.

But if you have enabled printer sharing, it will also listen on the LAN for requests.

But supposedly your LAN is behind a router, and you are NOT allowing clients from the WAN.

You need to check the settings on the CUPS admin page and your /etc/cups/cupsd.conf

Is there a host somewhere on your network named 000dom.revenuedirect.com?

perdido · #3 Post by **perdido** » Wed 18 Jul 2018, 16:10

Its an adserver run by sedo

I see it mentioned a lot on suggested hosts file entries.

.

musher0 · #4 Post by **musher0** » Wed 18 Jul 2018, 22:28

Thanks rcrsn51 and perdido.

I do not have a printer connected to this xenialPup-7.0.6 and never even
tried to configure one on it.

I do not usually need a printer. For my very minimal printing needs, I print a
document to PDF, copy the PDF file to a thumb-drive, go to the public library
and pay 25¢ a page to get the print out from their printer.

BFN.

dancytron · #5 Post by **dancytron** » Wed 18 Jul 2018, 22:51

FWIW, my ublock origin blocks it

uBlock Origin has prevented the following page from loading:

http://000dom.revenuedirect.com/

Because of the following filter

||revenuedirect.com^
Found in: Malvertising filter list by Disconnect • Peter Lowe’s Ad and tracking server list

Galbi · #6 Post by **Galbi** » Wed 18 Jul 2018, 23:43

@musher0: do you have a hosts file like this? http://winhelp2002.mvps.org/hosts.htm
there are others, but I use that in all my machines, real - virtual - linux - windows.

This brings me a question: using such hosts file, blocks connections for all kind of software or just for the browser?

I guess is the 1st choice, but not sure...

Thanks.

rcrsn51 · #7 Post by **rcrsn51** » Thu 19 Jul 2018, 00:08

musher0 wrote:I do not have a printer connected to this xenialPup-7.0.6 and never even tried to configure one on it.

Then you should disable the cupsd service at bootup.

musher0 · #8 Post by **musher0** » Thu 19 Jul 2018, 02:26

Good idea! Many thanks, rcrsn51!

Problem solved.

musher0 · #9 Post by **musher0** » Thu 19 Jul 2018, 02:35

Galbi wrote:@musher0: do you have a hosts file like this? http://winhelp2002.mvps.org/hosts.htm
there are others, but I use that in all my machines, real - virtual - linux - windows.

This brings me a question: using such hosts file, blocks connections for all kind of software or just for the browser?

I guess is the 1st choice, but not sure...

Thanks.

Hi galbi.

Thanks for your reply.

Yes, I am using a < hosts > file populated by the < pup-advert-blocker >
utility.

Concerning your second question, I do not know if a cupsd connection
to a malware site (theoretically) can infect one's Internet connection.
The two appears to be in separate "channels", though.

That is what had me worried, initially. But reasoning rcrsn51's
suggestion, if the cups demon is not connected, it cannot transmit any
infection, can it?

BFN.

rcrsn51 · #10 Post by **rcrsn51** » Thu 19 Jul 2018, 10:58

When you originally ran the lsof command, did you have a browser open? Or had one been previously open?

I suspect that cupsd saw the 000dom.revenuedirect.com process running somewhere on localhost (or maybe associated with a tcp port) and decided to listen to it for print requests.

Since 000dom.revenuedirect.com isn't interested in printing, I doubt if anything malicious could happen.

But it's certainly interesting that CUPS would do that.

musher0 · #11 Post by **musher0** » Thu 19 Jul 2018, 16:42

Hello rcrsn51.

I have now un-ticked the setting for cupsd and rebooted, so I'm afraid
we'll never know.

That said, what you suggest is not impossible. I do routinely leave a
browser running in the background, and I enable anti-adware on all of
them.

But I think not. < lsof -i > picks up and shows any connection to my
ISP with a running browser. And there is none shown in the description
in my OP.

Again, thanks. BFN.

(old)Puppy Linux Discussion Forum

(old)Puppy Linux Discussion Forum

cupsd connection to 000dom.revenuedirect.com ??? [SOLVED]

cupsd connection to 000dom.revenuedirect.com ??? [SOLVED]