
"PubSubAgent" is driving me nuts.

8096 Views 12 Replies Latest reply: Aug 30, 2013 4:14 AM by Poker Mike
HandyMac Level 2 (415 points)
Nov 13, 2012 6:11 PM

I use Little Snitch to monitor outgoing connections. In the last week or so it's started warning me many times a day that something called "PubSubAgent" wants to connect to various addresses that I've never heard of. I tried a Web search for "PubSubAgent" and learned that apparently it has to do with managing RSS feeds and syncing same via .Mac. In 10.5, anyway; I haven't found anything about its function in 10.6. Anyway, in my 24 years using Macs I've never had anything to do with any RSS feeds or with .Mac in any of its incarnations, so I don't know what this is about, but it's driving me nuts.

 

Mostly it wants to connect to a website named macmouse.com, which turns out to be some kind of Mac dealer/club in Hawaii. If I put the cursor over that address in the LS alert, it'll sometimes show a whole list of URLs "with the same IP address". I've seen up to six addresses in that list, all of them looking like they're connected to the Hawaii place. Then sometimes it'll show macmouse.com only, with no alternatives. Then it showed an alternative as 2153788.sites.myregisteredsite.com, which seems to be a vendor of Web addresses; after I went to look at that site, then PubSubAgent started wanting to connect to it instead of macmouse.com. Then it brought up a completely new one, www.kabsoft.com, which is a vendor of "Judaic software". And now, after looking at that site, PubSubAgent wants to go there. I've never had anything to do with these places.

 

Here it goes again, wanting to connect to www.kabsoft.com, listing macmouse.com and 2153788.sites.myregisteredsite.com as alternatives with the same IP address. I could just tell LS to Deny Forever, but I'd like to know what's going on. Besides, PubSubAgent will probably just come up with another URL it wants to connect to. (It also occasionally wants to go to some Google address.) I've shut down Safari and everything else and Restarted my Mac, but after a while PubSubAgent just starts up again. There is a set of about a dozen Web pages I keep open all the time, but I had the same set open two weeks ago and I'd never heard of PubSubAgent then, so it seems unlikely this behavior has to do with any of them. I tried throwing out ~/Library/Preferences/com.apple.PubSubAgent.plist and ~/Library/Caches/com.apple.PubSubAgent/Cache.db, but they just got recreated.

 

Being a Mac user, I have no real experience with malware, but this behavior looks awfully suspicious—though the sites PubSubAgent wants to connect to do seem to be legit. Can anyone tell me (a) just what PubSubAgent is up to, and (b) what I can or should do about it?

 

Thanks.

MacBook Pro, Mac OS X (10.6.8), 2.4GHz (2010), 4GB RAM, 320GB HD
  • WZZZ Level 6 (11,880 points)
    Nov 13, 2012 8:36 PM (in response to HandyMac)

    I don't use any RSS feeds, the updating of which is one of the main tasks of PubSubAgent, so I just have this rule completely disabled in Little Snitch.

     

    Screen shot 2012-11-13 at 11.25.24 PM.png

     

    So this is interesting. I just opened Safari, which I never use, and despite the fact that I have RSS feeds disabled in Preferences there, PubSubAgent wanted to connect to some Google thing.

     

    I never see this from Firefox, which is my usual browser.

     

    Screen shot 2012-11-13 at 11.31.22 PM.png

     

    Since I never use Safari, I don't really care about this behavior. But you might want to select some completely useless, for RSS that is, application as the default RSS reader.

     

    Message was edited by: WZZZ

  • WZZZ Level 6 (11,880 points)
    Nov 13, 2012 8:54 PM (in response to WZZZ)

    I suppose one possibility, if a bit drastic, would be to disable PubSubAgent.app by first zipping (compressing) it, then trashing the app, which is located here. That way, the app itself can be restored if it's ever needed in the future by unzipping it. But left zipped it will be dead in the water and shouldn't ever bother you again.

     

    /System/Library/Frameworks/PubSub.framework/Versions/A/Resources/PubSubAgent.app

     

    OK, I just tried that and it put the zipped copy on the Desktop with my user as the owner. So that wouldn't be right. What you could do is trash the app, keep a zipped copy and if you ever need it back you could return it to its proper location, unzip it, and then run Permissions repair, which should restore the correct Permissions.

     

    Other than that, there is probably some way to zip it, while keeping the proper Permissions and leaving it in place, from the command line. But I don't know how.

     

    Message was edited by: WZZZ

  • WZZZ Level 6 (11,880 points)
    Nov 13, 2012 9:10 PM (in response to WZZZ)

    Of course, your own suggestion to just have Little Snitch deny connections from PSA would be fine.

     

    EDIT: well, that didn't work. I had to set up a separate rule to permanently deny connections to the damned Google news thing.

  • WZZZ Level 6 (11,880 points)
    Nov 16, 2012 1:21 PM (in response to HandyMac)

    I really have no idea why or what PSA wants to connect to. My original rule wasn't firm enough, but this one seems to nuke it. I threw in Deny globally for all users, but I'm sure it's not necessary--unless you have other users.

     

    Screen shot 2012-11-16 at 4.13.04 PM.png

     

    This was the original one, which I never bothered with before, because, as I said, I don't use Safari. I didn't actually deny anything, just unchecked it, while keeping Allow, which was useless.

     

     

    Screen shot 2012-11-16 at 4.16.58 PM.png

     

    Message was edited by: WZZZ

  • WZZZ Level 6 (11,880 points)
    Nov 17, 2012 7:01 AM (in response to WZZZ)

    More confusion: Then again, maybe you don't want to nuke PSA, if that's the way it gets the Google Safe Browsing update?

  • WZZZ Level 6 (11,880 points)
    Nov 17, 2012 12:33 PM (in response to WZZZ)

    This sounds both too idiotically simple and too good to be true, but try trashing in your User/Library/PubSub/Feeds. Just select all the Feeds and trash them, not the enclosing Folder. I'm prepared to hear otherwise, but who knows, this might be it.

  • etresoft Level 7 (23,905 points)
    Nov 17, 2012 4:42 PM (in response to HandyMac)

    Perhaps you updated Little Snitch and since RSS feeds were removed from Mountain Lion, it is now alerting you, even though you are on 10.6. Run Terminal.app and use the "pubsub" command to delete these subscriptions.

  • WZZZ Level 6 (11,880 points)
    Nov 18, 2012 1:41 PM (in response to HandyMac)

    What you've done may be sufficient, but the Terminal utility pubsub is really dead simple to use.

     

    First, enter pubsub list. This will give you a list of all your subscriptions. Find the offending URL there, copy it, hit return to close that window. (Or just use Shell>New Window.) Open Terminal again and enter

     

    pubsub unsubscribe >name of the offending URL as it is written in pubsub list<

     

    and hit return.

     

    I must warn you, though, that I tried this for news.google.com, which Little Snitch keeps telling me PSA wants to connect to, and it was useless. I've unsubscribed and PSA still insists on connecting.

     

    But, who knows, give it a try. It may work for you. Let me know if what you've done is working for you now.

     

    Scroll in Terminal using the up/down arrows. The mouse is useless. Use the delete key to backspace.

     

    Message was edited by: WZZZ

  • nicko2n
    Apr 10, 2013 6:39 AM (in response to WZZZ)

    Noticed the same thing - LittleSnitch reporting connections from PubSubAgent.

    The URLs turned out to be entries in Safari's Top sites (the thumbnail in the browser's home page), and the connections were Safari trying to update them. Edited the list of top sites in the browser these entries from the pubsub subscriptions.

  • Poker Mike
    Aug 30, 2013 4:14 AM (in response to WZZZ)

    You can use the following to unsubscribe from all of them:

     

    pubsub list | grep 'http://' | cut -f3 | xargs -L 1 pubsub unsubscribe
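
An added example, not part of the thread: a dry-run variant of the bulk unsubscribe that first counts subscriptions per host, so they can be matched against the Little Snitch alerts, and then prints the unsubscribe commands for one host instead of running them. It assumes pubsub list prints tab-separated rows with the feed URL in field 3, as the cut -f3 above implies; the sample rows and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit PubSub subscriptions before removing any of them.
# Assumption: `pubsub list` rows are tab-separated with the feed URL in
# field 3 (inferred from the `cut -f3` one-liner in the thread).

# Constructed rows standing in for `pubsub list` output (not real output).
sample_list() {
    printf 'Client\tTitle\tURL\n'
    printf 'client-a\tfeed one\thttp://www.macmouse.com/\n'
    printf 'client-a\tfeed two\thttp://www.kabsoft.com/index.html\n'
    printf 'client-a\tfeed three\thttp://news.google.com/?output=rss\n'
    printf 'client-a\tfeed four\thttp://WWW.macmouse.com/news.xml\n'
}

# feed_urls: read list output on stdin, print one feed URL per line.
# Unlike grep 'http://', this also keeps https:// subscriptions.
feed_urls() {
    cut -f3 | grep -E '^https?://'
}

# feed_hosts: "<count> <host>" per host, for comparison with firewall alerts.
feed_hosts() {
    feed_urls |
    awk -F/ '{ n[tolower($3)]++ } END { for (h in n) print n[h], h }' |
    sort -k2
}

# unsubscribe_cmds HOST: print (do not run) one unsubscribe command per feed
# on HOST, so the list can be reviewed before anything is removed.
unsubscribe_cmds() {
    feed_urls |
    awk -F/ -v host="$1" 'tolower($3) == tolower(host)' |
    while IFS= read -r url; do
        printf "pubsub unsubscribe '%s'\n" "$url"
    done
}

# On a real system: pubsub list | feed_hosts
if [ "${1:-}" = "--demo" ]; then
    sample_list | feed_hosts
    sample_list | unsubscribe_cmds www.macmouse.com
fi
```

Once the printed commands look right, pipe them to sh to run them; per the reports above, a feed that PubSubAgent re-creates may still need a firewall rule.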
