12 Replies Latest reply: Aug 30, 2013 4:14 AM by Poker Mike
HandyMac Level 2 Level 2 (415 points)

I use Little Snitch to monitor outgoing connections. In the last week or so it's started warning me many times a day that something called "PubSubAgent" wants to connect to various addresses that I've never heard of. I tried a Web search for "PubSubAgent" and learned that apparently it has to do with managing RSS feeds and syncing same via .Mac. In 10.5, anyway; I haven't found anything about its function in 10.6. Anyway, in my 24 years using Macs I've never had anything to do with any RSS feeds or with .Mac in any of its incarnations, so I don't know what this is about, but it's driving me nuts.

 

Mostly it wants to connect to a website named macmouse.com, which turns out to be some kind of Mac dealer/club in Hawaii. If I put the cursor over that address in the LS alert, it'll sometimes show a whole list of URLs "with the same IP address". I've seen up to six addresses in that list, all of them looking like they're connected to the Hawaii place. Then sometimes it'll show macmouse.com only, with no alternatives. Then it showed an alternative as 2153788.sites.myregisteredsite.com, which seems to be a vendor of Web addresses; after I went to look a that site, then PubSubAgent started wanting to connect to it instead of macmouse.com. Then it brought up a completely new one, www.kabsoft.com, which is vendor of "Judaic software". And now, after looking at that site, PubSubAgent wants to go there. I've never had anything to do with these places.

 

Here it goes again, wanting to connect to www.kabsoft.com, listing macmouse.com and 2153788.sites.myregisteredsite.com as alternatives with the same IP address. I could just tell LS to Deny Forever, but I'd like to know what's going on. Besides, PubSubAgent will probably just come up with another URL it wants to connect to. (It also occasionally wants to go to some Google address.) I've shut down Safari and everything else and Restarted my Mac, but after a while PubSubAgent just starts up again. There is a set of about a dozen Web pages I keep open all the time, but I had the same set open two weeks ago and I'd never heard of PubSubAgent then, so it seems unlikely this behavior has to do with any of them. I tried throwing out ~/Library/Preferences/com.apple.PubSubAgent.plist and ~/Library/Caches/com.apple.PubSubAgent/Cache.db, but they just got recreated.

 

Being a Mac user, I have no real experience with malware, but this behavior looks awfully suspicious—though the sites PubSubAgent wants to connect to do seem to be legit. Can anyone tell me (a) just what PubSubAgent is up to, and (b) what I can or should do about it?

 

Thanks.


MacBook Pro, Mac OS X (10.6.8), 2.4GHz (2010), 4GB RAM, 320GB HD
  • 1. Re: "PubSubAgent" is driving me nuts.
    WZZZ Level 6 Level 6 (12,215 points)

    I don't use any RSS feeds, the updating of which is one of the main tasks of PubSubAgent, so I just have this rule completely disabled in Little Snitch.

     

    Screen shot 2012-11-13 at 11.25.24 PM.png

     

    So this is interesting. I just opened Safari, which I never use, and despite the fact that I have RSS feeds disabled in Preferences there, PubSubAgent wanted to connect to some Google thing.

     

    I never see this from Firefox, which is my usual browser.

     

    Screen shot 2012-11-13 at 11.31.22 PM.png

     

    Since I never use Safari, I don't really care about this behavior. But you might want to select some completely useless, for RSS that is, application as the default RSS reader.

     

    Message was edited by: WZZZ

  • 2. Re: "PubSubAgent" is driving me nuts.
    WZZZ Level 6 Level 6 (12,215 points)

    I suppose one possibiity, if a bit drastic, would be to disable PubSubAgent.app by first zipping it (compressing) it, then trashing the app, which is located here. That way, the app itself can be restored if it's ever needed in the future by unzipping it. But left zipped it will be dead in the water and shouldn't ever bother you again.

     

    /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app

     

    OK, I just tried that and it put the zipped copy on the Desktop with my user as the owner. So that wouldn't be right. What you could do is trash the app, keep a zipped copy and if you ever need it back you could return it to its proper location, unzip it, and then run Permissions repair, which should restore the correct Permissions.

     

    Other than that, there is probably some way to zip it, while keeping the proper Permissions and leaving it in place, from the command line. But I don't know how.

     

    Message was edited by: WZZZ

  • 3. Re: "PubSubAgent" is driving me nuts.
    WZZZ Level 6 Level 6 (12,215 points)

    Of course, your own suggestion to just have Little Snitch deny connections from PSA would be fine.

     

    EDIT: well, that didn't work. I had to set up a separate rule to permanently deny connections to the damned Google news thing.

  • 4. Re: "PubSubAgent" is driving me nuts.
    HandyMac Level 2 Level 2 (415 points)

    Thanks, WZZZ, for your efforts, though PubSubAgent seems to have you as mystified as it has me. I checked out the "More Like This" list to the right; all were about 10.5, and none seems to offer a real explanation or solution.

     

    One has a post that "solved my problem" with a link to another Discussion, but the link leads to a page that says "Unauthorized: It appears you're not allowed to view what you requested." Apparently that discussion has been scrubbed?

     

    Another has a link to an Apple Support article which apparently no longer exists; the link just leads to the Apple Support home page without explanation. A search of Apple Support for PubSubAgent finds nothing.

     

    Another has a link to a Macworld article which explains that "according to Apple, 'The PubSub agent syncs the RSS read/unread status of bookmarked RSS feeds between computers using Mac OS X 10.5 that are syncing bookmarks via .Mac Sync.'” But says nothing about why PubSubAgent would be trying to connect to mysterious websites I've never been to, and when I've never used RSS or .Mac Sync.

     

    Iow, no one seems to know about this. Doesn't seem to be doing it so often now, though it's back to macmouse.com. I also see from LS's rules that PSA connects to "safebrowsing-cache.google.com", or at least it tried once and I allowed it, thinking that's necessary info. But is PSA really what collects that info? Apple doesn't seem to want us to know anything about it.

     

    I guess I'll just try turning it off and see what happens. Maybe try some other forums.

  • 5. Re: "PubSubAgent" is driving me nuts.
    WZZZ Level 6 Level 6 (12,215 points)

    I really have no idea why or what PSA wants to connect to. My original rule wasn't firm enough, but this one seems to nuke it. I threw in Deny globally for all users, but I'm sure it's not necessary--unless you have other users.

     

    Screen shot 2012-11-16 at 4.13.04 PM.png

     

    This was the original one, which I never bothered with before, because, as I said, I don't use Safari. I didn't actually deny anything, just unchecked it, while keeping Allow, which was useless.

     

     

    Screen shot 2012-11-16 at 4.16.58 PM.png

     

    Message was edited by: WZZZ

  • 6. Re: "PubSubAgent" is driving me nuts.
    WZZZ Level 6 Level 6 (12,215 points)

    More confusion: Then again, maybe you don't want to nuke PSA, if that's the way it gets the Google Safe Browsing update?

  • 7. Re: "PubSubAgent" is driving me nuts.
    WZZZ Level 6 Level 6 (12,215 points)

    This sounds both too idiotically simple and too good to be true, but try trashing in your User/Library/PubSub/Feeds. Just select all the Feeds and trash them, not the enclosing Folder. I'm prepared to hear otherwise, but who knows, this might be it.

  • 8. Re: "PubSubAgent" is driving me nuts.
    etresoft Level 7 Level 7 (24,265 points)

    Perhaps you updated Little Snitch and since RSS feeds were removed from Mountain Lion, it is now alerting you, even though you are on 10.6. Run Terminal.app and use the "pubsub" command to delete these subscriptions.

  • 9. Re: "PubSubAgent" is driving me nuts.
    HandyMac Level 2 Level 2 (415 points)

    WZZZ, thanks for the further note. I didn't know about that ~/Library/PubSub folder. I went to it and found a Clients.plist file, which I opened in Property List Editor and found some of the mystery sites PSA wants to connect to, and deleted them. Also deleted the Database and the Feeds, as suggested. We'll see what happens.

     

    etresoft, thanks for your input; I'm afraid I don't know enough about Terminal to do what you suggest, but perhaps what I've done on the .plist file will take care of it.

  • 10. Re: "PubSubAgent" is driving me nuts.
    WZZZ Level 6 Level 6 (12,215 points)

    What you've done may be sufficient, but the Terminal utility pubsub is really dead simple to use.

     

    First, enter pubsub list  This will give you a list of all your subscriptions. Find the offending URL there, copy it, hit return to close that window. (Or just use Shell>New Window) Open Terminal again and enter

     

    pubsub unsubscribe >name of the offending URL as it is written in pubsub list<

     

    and hit return.

     

    I must warn you, though, that I tried this for news.google.com, which Little Snitch keeps telling me PSA wants to connect to, and it was useless. I've unsubscribed and PSA still insists on connecting.

     

    But, who knows, give it a try. It may work for you. Let me know if what you've done is working for you now.

     

    Scroll in Terminal using the up/down arrows. The mouse is useless. Use the delete key to backspace.

     

    Message was edited by: WZZZ

  • 11. Re: "PubSubAgent" is driving me nuts.
    nicko2n Level 1 Level 1 (0 points)

    Noticed the same thing - LittleSnitch reporting connections from PubSubAgent.

    The URLs turned out to be entries in Safari's Top sites (the thumbnail in the browser's home page), and the connections were Safari trying to update them. Edited the list of top sites in the browser these entries from the pubsub subscriptions.

  • 12. Re: "PubSubAgent" is driving me nuts.
    Poker Mike Level 1 Level 1 (0 points)

    You can use the following to unsubsribe from all of them:

     

    pubsub list | grep 'http://' | cut -f3 | xargs -L 1 pubsub unsubscribe