-
Mar 31, 2012 6:21 PM in response to chadonline by Gregg Luhring, ★Helpful
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
I'll do a text level search of the whole drive and report back if I find something.
GL
-
Mar 31, 2012 7:33 PM in response to chadonline by sthej
I got this message as well when visiting a website: ".rserv wants to connect to gangstaparadise.rr.nu", and of course I denied it.
Is .rserv a process in os x? Did it get downloaded and installed surreptitiously?
-
Mar 31, 2012 7:57 PM in response to chadonline by trungson
Same here, got it today as well, very suspicious; looks like it's not just me.
LittleSnitch blocked it and the process is here:
/Users/Your-User-Name/.rserv
-rwxrwxrwx@ 1 trungson staff 59848 Mar 31 16:38 .rserv
-
Mar 31, 2012 8:03 PM in response to chadonline by X423424X
Who is posting that message? Little Snitch? Hands Off?
If .rserv is a process, then in terminal type (copy/paste) the following:
ps ax | grep -i rserv
If you get any output other than a line with grep on it then you will see the pathname to the process. Then you should know where it is coming from.
-
Mar 31, 2012 8:21 PM in response to sthej by X423424X
So it also tells you the pathname to the process requesting the connection. Mouse over the "wants to connect" message and a "Show Details" button will appear. Click it and you will see the pathname ("Established by"). What is that pathname? Note you can select that pathname in the LS window and copy/paste it to your post.
If it were me I would block it, see if anything critical fails (I doubt it), and if you really decide you need it, unblock it later.
-
Mar 31, 2012 8:25 PM in response to X423424X by sthej
I just finished reinstalling a time machine backup, so I can't post the pathname. I did block it though before reinstalling. What could it have done? Should I take any further precautions?
-
Mar 31, 2012 8:32 PM in response to X423424X by trungson
I renamed and moved it to another location for investigation so it does not try to connect, but I'm worried about what it is and what happened. Anywhere I should send it for fingerprinting/investigation? Looks like a virus to me, but I don't know why I got infected.. Hmm
-
Mar 31, 2012 8:38 PM in response to trungson by bgw1
I had the same experience tonight. Lil Snitch blocked it. The guilty application is Splashtop Streamer. I am going to delete it.
ps ax | grep -i rserv
53 ?? Ss 0:00.05 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon
196 ?? S 0:00.06 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent
468 s000 S+ 0:00.00 grep -i rserv
-
Mar 31, 2012 8:40 PM in response to sthej by X423424X
sthej wrote:
I just finished reinstalling a time machine backup, so I can't post the pathname. I did block it though before reinstalling. What could it have done? Should I take any further precautions?
I don't know why you reinstalled at all if you blocked it. If you had looked at the pathname like I described you could have just removed the offending software if it isn't system software.
I also assume that if you blocked it before you reverted your system from the backup it is no longer blocked, so you will still get a chance to check the pathname should it occur in the future. And if you somehow blocked it after reverting the system, then open LS and uncheck the checkbox next to the blocking rule so that you get the LS dialog again when a call attempt is made. Then you again have a chance to get the pathname.
-
Mar 31, 2012 8:47 PM in response to trungson by X423424X
trungson wrote:
I renamed and moved it to another location for investigation so it does not try to connect, but I'm worried about what it is and what happened. Anywhere I should send it for fingerprinting/investigation? Looks like a virus to me, but I don't know why I got infected.. Hmm
It? You never said what "it" was, so I cannot comment one way or another on what "it" is.
Is "it" the "Splashtop Streamer" that bgw1 reported?
-
Mar 31, 2012 8:53 PM in response to X423424X by trungson
It is the binary file ".rserv". I have not installed any application lately, and I do not have "Splashtop Streamer" on my Mac.
/Users/trungson/.rserv
-rwxrwxrwx@ 1 trungson staff 59848 Mar 31 16:38 .rserv
-
Mar 31, 2012 9:03 PM in response to trungson by X423424X
/Users/trungson/.rserv
Well it's in your home directory so you could safely remove it.
But post your Accounts login items and also the filenames (if any) in the folder ~/Library/LaunchAgents (also in your home directory).
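One way to script the three checks X423424X asks for in this thread (the ps/grep check in his earlier reply, plus a hidden executable in the home directory and any LaunchAgents plist that references it), as an added example that is not part of this thread or of Little Snitch. The directory paths are parameters you supply; the temporary home directory, the `.rserv` file and the `com.example.rserv.plist` name in the demonstration at the bottom are constructed for illustration only:

```shell
#!/bin/sh
# Added example (not from this thread). Scripts the checks X423424X asks for:
# a hidden executable in the home directory, launch agents that reference it,
# and a running process with that name. All paths are supplied by the caller.

# List hidden, executable regular files directly under a directory (the pattern
# reported here is ~/.rserv). Prints one path per line.
find_hidden_executables() {
    dir="$1"
    for f in "$dir"/.[!.]*; do
        [ -f "$f" ] && [ -x "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print each .plist in a LaunchAgents directory that mentions the given string,
# i.e. the agents that would relaunch the file at login (fixed-string match).
launch_agents_referencing() {
    dir="$1"; needle="$2"
    [ -d "$dir" ] || return 0
    grep -F -l -- "$needle" "$dir"/*.plist 2>/dev/null
    return 0
}

# Running processes whose command line mentions the name, minus the grep itself
# (the same ps/grep check suggested earlier, made safe for use in a script).
running_processes_matching() {
    ps ax | grep -i -- "$1" | grep -v grep
    return 0
}

# Demonstration on a constructed temporary "home" directory, not a real system.
demo_home=$(mktemp -d)
mkdir -p "$demo_home/Library/LaunchAgents"
printf '#!/bin/sh\n' > "$demo_home/.rserv" && chmod 755 "$demo_home/.rserv"
printf '<string>%s/.rserv</string>\n' "$demo_home" \
    > "$demo_home/Library/LaunchAgents/com.example.rserv.plist"   # constructed name
echo "hidden executables:";           find_hidden_executables "$demo_home"
echo "launch agents referencing it:"; launch_agents_referencing "$demo_home/Library/LaunchAgents" ".rserv"
echo "running processes:";            running_processes_matching rserv
rm -rf "$demo_home"
```

Run the three functions against your real `$HOME` and `$HOME/Library/LaunchAgents` to reproduce the checks from the thread; a hit in a LaunchAgents plist explains why the file would come back after a reboot.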
-
Mar 31, 2012 9:16 PM in response to X423424X by bgw1
Little Snitch details:
".rserv"
wants to connect to cuojshtbohnt.com on TCP port 80 (http)
IP Address 72.215.225.9
Reverse DNS Name ip72-215-225-9.at.at.cox.net
Established by /Users/EirUser/.rserv
User EirUser (UID: 502)
Process ID 514
I looked at Process 514 in Activity Monitor. It was running out of dyld cache. Unfortunately it terminated while I was checking something else before I could copy the text.
Whois says the IP address is related to one of these:
NS3.THEMADDENSHOME.COM
NS2.XVIDSPOT.COM
NS1.XVIDSPOT.COM
PRODIIS.INTERNETRTI.COM