cupsd connection to 000dom.revenuedirect.com ??? [SOLVED]

Please post any bugs you have found
Post Reply
Message
Author
musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

cupsd connection to 000dom.revenuedirect.com ??? [SOLVED]

#1 Post by musher0 »

Hi.

I just noticed this morning, typing

Code: Select all

lsof -i 
as I do once and a while, that my cups demon was connected to
000dom.revenuedirect.com??? Result:

Code: Select all

COMMAND     PID USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
cupsd      8383 root    8u  IPv4   8578      0t0  TCP 000dom.revenuedirect.com:631 (LISTEN)
(...)
Is that a legit site? I don't like it... A name like that has to be fishy.
Usually, cupsd does not connect to that site.

When I tried to go to the revenuedirect site with SeaMonkey, I got an error
message. (The connection is refused?)

A search through ask.com on "revenue direct" comes up with this
among other material. Although I find what they do unpleasant, the
Direct_Revenue company from NYC seems to be a legitimate concern.

The main question I have is: Can the cups connection on your Pup be used
for malware, spying, and the like?

Any info on this subject will be appreciated. TIA.
Last edited by musher0 on Thu 19 Jul 2018, 02:27, edited 1 time in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#2 Post by rcrsn51 »

CUPS is a server. Its default configuration is to only listen on its own computer (localhost) for apps that are requesting print services.

But if you have enabled printer sharing, it will also listen on the LAN for requests.

But supposedly your LAN is behind a router, and you are NOT allowing clients from the WAN.

You need to check the settings on the CUPS admin page and your /etc/cups/cupsd.conf

Is there a host somewhere on your network named 000dom.revenuedirect.com?
User avatar
perdido
Posts: 1528
Joined: Mon 09 Dec 2013, 16:29
Location: ¿Altair IV , Just north of Eeyore Junction.?

#3 Post by perdido »

Its an adserver run by sedo

I see it mentioned a lot on suggested hosts file entries.

.
musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#4 Post by musher0 »

Thanks rcrsn51 and perdido.

I do not have a printer connected to this xenialPup-7.0.6 and never even
tried to configure one on it.

I do not usually need a printer. For my very minimal printing needs, I print a
document to PDF, copy the PDF file to a thumb-drive, go to the public library
and pay 25¢ a page to get the print out from their printer.

BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
dancytron
Posts: 1519
Joined: Wed 18 Jul 2012, 19:20

#5 Post by dancytron »

FWIW, my ublock origin blocks it

uBlock Origin has prevented the following page from loading:

http://000dom.revenuedirect.com/

Because of the following filter

||revenuedirect.com^
Found in: Malvertising filter list by Disconnect • Peter Lowe’s Ad and tracking server list
User avatar
Galbi
Posts: 1098
Joined: Wed 21 Sep 2011, 22:32
Location: Bs.As. - Argentina.

#6 Post by Galbi »

@musher0: do you have a hosts file like this? http://winhelp2002.mvps.org/hosts.htm
there are others, but I use that in all my machines, real - virtual - linux - windows.

This brings me a question: using such hosts file, blocks connections for all kind of software or just for the browser?

I guess is the 1st choice, but not sure...

Thanks.
Remember: [b][i]"pecunia pecuniam parere non potest"[/i][/b]
User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#7 Post by rcrsn51 »

musher0 wrote:I do not have a printer connected to this xenialPup-7.0.6 and never even tried to configure one on it.
Then you should disable the cupsd service at bootup.
musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#8 Post by musher0 »

Good idea! Many thanks, rcrsn51! :) Problem solved.
Attachments
No_cupsd!.jpg
(60.53 KiB) Downloaded 237 times
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#9 Post by musher0 »

Galbi wrote:@musher0: do you have a hosts file like this? http://winhelp2002.mvps.org/hosts.htm
there are others, but I use that in all my machines, real - virtual - linux - windows.

This brings me a question: using such hosts file, blocks connections for all kind of software or just for the browser?

I guess is the 1st choice, but not sure...

Thanks.
Hi galbi.

Thanks for your reply.

Yes, I am using a < hosts > file populated by the < pup-advert-blocker >
utility.

Concerning your second question, I do not know if a cupsd connection
to a malware site (theoretically) can infect one's Internet connection.
The two appears to be in separate "channels", though.

That is what had me worried, initially. But reasoning rcrsn51's
suggestion, if the cups demon is not connected, it cannot transmit any
infection, can it? :)

BFN.
Last edited by musher0 on Thu 19 Jul 2018, 16:32, edited 1 time in total.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
User avatar
rcrsn51
Posts: 13096
Joined: Tue 05 Sep 2006, 13:50
Location: Stratford, Ontario

#10 Post by rcrsn51 »

When you originally ran the lsof command, did you have a browser open? Or had one been previously open?

I suspect that cupsd saw the 000dom.revenuedirect.com process running somewhere on localhost (or maybe associated with a tcp port) and decided to listen to it for print requests.

Since 000dom.revenuedirect.com isn't interested in printing, I doubt if anything malicious could happen.

But it's certainly interesting that CUPS would do that.
musher0
Posts: 14629
Joined: Mon 05 Jan 2009, 00:54
Location: Gatineau (Qc), Canada

#11 Post by musher0 »

Hello rcrsn51.

I have now un-ticked the setting for cupsd and rebooted, so I'm afraid
we'll never know.

That said, what you suggest is not impossible. I do routinely leave a
browser running in the background, and I enable anti-adware on all of
them.

But I think not. < lsof -i > picks up and shows any connection to my
ISP with a running browser. And there is none shown in the description
in my OP.

Again, thanks. BFN.
musher0
~~~~~~~~~~
"You want it darker? We kill the flame." (L. Cohen)
Post Reply