227 Replies. Latest reply: Apr 12, 2012 8:53 PM by MadMacs0
  • 15. Re: .rserv wants to connect to cuojshtbohnt.com
    fane_j Level 4 Level 4 (3,660 points)

    bgw1 wrote:

     

    I am going to delete it.

    Guys. You may be on to something here. Don't rush to delete stuff before we know what it is.

    The guilty application is Splashtop Streamer.

    No, it's not. The two processes listed as belonging to Splashtop Streamer would show up as "SRServiceDaemon" and "SRServiceAgent", not as ".rserv". They are caught because grep was case-insensitively searching for "rserv", and their names do contain the string "RServ". If it doesn't show up, it means it wasn't active when you ran ps.

     

    This is definitely worth digging into. I find the process name ".rserv" extremely suspicious because it begins with a dot. The two sites mentioned as trying to link to are also extremely suspicious. You need to get its full information, including path, from Little Snitch. Also, use Find File or Find Any File and search your whole hard drive for any file containing the string "rserv". A file name like ".rserv" would hide it from the casual user, which makes it even more suspicious, but both FF and FAF should find it.

  • 16. Re: .rserv wants to connect to cuojshtbohnt.com
    sthej Level 1 Level 1 (0 points)

    Overabundance of caution I guess... Any ideas on what is going on here?

  • 17. Re: .rserv wants to connect to cuojshtbohnt.com
    X423424X Level 6 Level 6 (14,190 points)

    bgw1 wrote:

     

    Little Snitch details:

     

    ".rserv"

    wants to connect to cuojshtbohnt.com on TCP port 80 (http)

     

              IP Address          72.215.225.9

              Reverse DNS Name          ip72-215-225-9.at.at.cox.net

              Established by          /Users/EirUser/.rserv

              User          EirUser (UID: 502)

      Process ID          514

     

    Same question to you.  Post your login items and ~/Library/LaunchAgents.

     

    By the way, about that Splashtop Streamer.  I downloaded it and did some analysis.  It installs much more than just the app.  It has uninstaller applescripts in the installer so I assume that if you run that Splashtop Streamer app it will give an option somewhere to uninstall itself.  Use that instead of just dragging the app to the trash.

  • 18. Re: .rserv wants to connect to cuojshtbohnt.com
    bgw1 Level 1 Level 1 (0 points)

    I stand corrected.  You are right.  I will wait for this puppy to try again and run ps (3 times tonight) while it is active.

  • 19. Re: .rserv wants to connect to cuojshtbohnt.com
    fane_j Level 4 Level 4 (3,660 points)

    bgw1 wrote:

     

              Established by          /Users/EirUser/.rserv

              User          EirUser (UID: 502)

      Process ID          514

     

    I looked at Process 514 in Activity Monitor.  It was running out of dyld cache. 

    If this isn't malware, I'll eat my hat!

     

    And it shouldn't surprise me if this was yet another strain of the Flashback Trojan Horse. The question is, what is executing it?

     

    X423424X is on the right track, asking you to look in <~/Library/LaunchAgents/> and in Login items. Do also

     

    defaults read ~/.MacOSX/environment

  • 20. Re: .rserv wants to connect to cuojshtbohnt.com
    X423424X Level 6 Level 6 (14,190 points)

    fane_j wrote:

     

    This is definitely worth digging into. I find the process name ".rserv" extremely suspicious because it begins with a dot. The two sites mentioned as trying to link to are also extremely suspicious. You need to get its full information, including path, from Little Snitch. Also, use Find File or Find Any File and search your whole hard drive for any file containing the string "rserv". A file name like ".rserv" would hide it from the casual user, which makes it even more suspicious, but both FF and FAF should find it.

     

    Why do you think I'm sticking with this?

     

    And yes Splashtop Streamer has nothing to do with the .rserv process.  It's nowhere to be found in that code.

     

    And yes,  my post about how Splashtop Streamer should be uninstalled talked about using an uninstaller and not just trashing the app.  According to the uninstall applescript (fortunately it wasn't compiled applescript) that app sprays stuff into /System/Library/Extensions, /Library/LaunchAgents, /Library/LaunchDaemons, and a bunch of other places.

     

    Update (we're overlapping posts here):

     

    environment.plist was coming next but I just want to see what the login items and launchagents are first.

     

    If this is another trojan variant then this is either a new kind or no one has run with Little Snitch installed up till now.  But I had read that earlier variants aborted their code injection if they detected Little Snitch (among some other stuff).  It would be a pretty dumb trojan to install a process that calls home knowing full well Little Snitch would jump all over it.  But still it piqued my curiosity!

  • 21. Re: .rserv wants to connect to cuojshtbohnt.com
    trungson Level 1 Level 1 (0 points)

    macbook-2:~ trungson$ grep -r 'rserv' ~/Library/LaunchAgents/

     

    /Users/trungson/Library/LaunchAgents/com.adobe.reader.plist:

     

    <?xml version="1.0" encoding="UTF-8"?>
    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
    <plist version="1.0">
    <dict>
              <key>Label</key>
              <string>com.adobe.reader</string>
              <key>ProgramArguments</key>
              <array>
                        <string>/Users/trungson/.rserv</string>
              </array>
              <key>RunAtLoad</key>
              <true/>
              <key>StartInterval</key>
              <integer>4212</integer>
              <key>StandardErrorPath</key>
              <string>/dev/null</string>
              <key>StandardOutPath</key>
              <string>/dev/null</string>
    </dict>
    </plist>

     

    Is it really Adobe Reader? (I do have Adobe Reader 10.1.2.) But I don't think Adobe would connect to those suspicious domains. Or maybe a malware posing as Adobe, or a corrupted PDF file caused this? I still have the binary renamed and moved so I can send it to a virus researcher if needed, or someone from Adobe.
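    The replies above ask for the same three things by hand: the executable each launch agent actually runs, whether that executable is a hidden dotfile sitting in a home directory, and whatever `defaults read ~/.MacOSX/environment` prints. The script below is an added example written for this thread, not something any poster ran; it automates those checks against plists. The two job plists are constructed copies modelled on the com.adobe.reader and Splashtop agents posted above, the environment.plist sample is entirely made up, and the "vendor mismatch" heuristic (second label component should appear in the executable path) is my own and will misfire on labels such as at.obdev.*, so treat its output as a triage hint to read, not a verdict.

```python
import os
import plistlib

# Locations where a legitimately installed agent's executable is expected to live.
STANDARD_PREFIXES = ("/Applications/", "/Library/", "/System/", "/usr/", "/bin/", "/sbin/")

# Constructed sample modelled on the com.adobe.reader.plist posted in the thread.
SUSPECT_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.adobe.reader</string>
  <key>ProgramArguments</key><array><string>/Users/trungson/.rserv</string></array>
  <key>RunAtLoad</key><true/>
  <key>StartInterval</key><integer>4212</integer>
  <key>StandardErrorPath</key><string>/dev/null</string>
  <key>StandardOutPath</key><string>/dev/null</string>
</dict>
</plist>
"""

# Constructed sample modelled on the Splashtop agent posted in the thread (benign).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.splashtop.streamer.SRServiceAgent</string>
  <key>Program</key><string>/Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent</string>
  <key>KeepAlive</key><true/>
</dict>
</plist>
"""

# Constructed (invented) environment.plist of the kind `defaults read ~/.MacOSX/environment` shows.
ENV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>DYLD_INSERT_LIBRARIES</key><string>/Users/example/.libhook.dylib</string>
  <key>PATH</key><string>/usr/bin:/bin</string>
</dict>
</plist>
"""


def program_path(job):
    """Return the executable launchd runs: Program wins over ProgramArguments[0]."""
    if "Program" in job:
        return job["Program"]
    args = job.get("ProgramArguments") or []
    return args[0] if args else None


def triage(plist_bytes):
    """Return short indicator tags for one launchd job plist (empty list = nothing odd)."""
    job = plistlib.loads(plist_bytes)
    tags = []
    prog = program_path(job)
    if prog is None:
        return ["no-executable"]
    if os.path.basename(prog).startswith("."):
        tags.append("hidden-dotfile")            # a ~/.rserv style name, invisible in Finder
    if not prog.startswith(STANDARD_PREFIXES):
        tags.append("non-standard-location")     # e.g. directly inside a home directory
    parts = job.get("Label", "").split(".")
    if len(parts) >= 2 and parts[1].lower() not in prog.lower():
        tags.append("vendor-mismatch")           # label claims Adobe, binary path does not
    if job.get("StandardOutPath") == "/dev/null" and job.get("StandardErrorPath") == "/dev/null":
        tags.append("output-suppressed")         # all output deliberately discarded
    if "StartInterval" in job:
        tags.append("periodic")                  # re-run every N seconds: beaconing pattern
    return tags


def verdict(tags):
    """Collapse the tags into a one-word triage result."""
    if "hidden-dotfile" in tags or "vendor-mismatch" in tags:
        return "suspect"
    return "review" if tags else "ok"


def dyld_variables(env_plist_bytes):
    """Names of DYLD_* variables in environment.plist. DYLD_INSERT_LIBRARIES there makes
    every process the user launches load the named library, so it is worth flagging."""
    env = plistlib.loads(env_plist_bytes)
    return sorted(k for k in env if k.startswith("DYLD_"))


def scan_directory(directory):
    """Apply triage() to every .plist in a directory such as ~/Library/LaunchAgents."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if name.endswith(".plist"):
            with open(os.path.join(directory, name), "rb") as fh:
                results[name] = triage(fh.read())
    return results


if __name__ == "__main__":
    for name, data in (("com.adobe.reader.plist", SUSPECT_PLIST),
                       ("com.splashtop.streamer.SRServiceAgent.plist", BENIGN_PLIST)):
        tags = triage(data)
        print(f"{name}: {verdict(tags)} {tags}")
    print("DYLD variables in environment.plist:", dyld_variables(ENV_PLIST))
```

Run as-is it reports the Adobe-labelled job as "suspect" (hidden dotfile, home directory, vendor mismatch, output suppressed, periodic) and the Splashtop job as "ok"; point `scan_directory()` at ~/Library/LaunchAgents, /Library/LaunchAgents and /Library/LaunchDaemons to cover the places the thread lists, and read the real ~/.MacOSX/environment.plist with `dyld_variables()` in place of the constructed sample.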

  • 22. Re: .rserv wants to connect to cuojshtbohnt.com
    bgw1 Level 1 Level 1 (0 points)

    In ~/Library/LaunchAgents/, there is only Little Snitch and Splashtop. 

     

    com.splashtop.streamer.SRServiceAgent.plist

     

    <?xml version="1.0" encoding="UTF-8"?>

    <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

    <plist version="1.0">

    <dict>

              <key>Label</key>

              <string>com.splashtop.streamer.SRServiceAgent</string>

              <key>Program</key>

              <string>/Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent</string>

              <key>KeepAlive</key>

              <true/>

    </dict>

    </plist>

  • 23. Re: .rserv wants to connect to cuojshtbohnt.com
    X423424X Level 6 Level 6 (14,190 points)

    trungson wrote:


    Is it really Adobe Reader? (I do have Adobe Reader 10.1.2.) But I don't think Adobe would connect to those suspicious domains. Or maybe a malware posing as Adobe, or a corrupted PDF file caused this? I still have the binary renamed and moved so I can send it to a virus researcher if needed, or someone from Adobe.

     

    Not sure why Adobe Reader would install a launch agent.  I certainly don't have it.  So trash it.

     

    Alright, humor me here, just for the sake of completeness, please copy/paste this terminal command:

     

    defaults read ~/.MacOSX/environment

     

    Post the results if you get anything other than a "does not exist" error message.

     

    Update:

    Did you download the Adobe Reader installer from any place other than the Adobe site?

  • 24. Re: .rserv wants to connect to cuojshtbohnt.com
    sthej Level 1 Level 1 (0 points)

    Since LS didn't allow it to connect, do you think that we have anything to worry about?

  • 25. Re: .rserv wants to connect to cuojshtbohnt.com
    X423424X Level 6 Level 6 (14,190 points)

    If you never let it ever connect you're ok. 

     

    We had overlapping posts again so I'll repeat:

     

    Did you download the Adobe Reader installer from any place other than the Adobe site?

     

    Also do that defaults command.

  • 26. Re: .rserv wants to connect to cuojshtbohnt.com
    X423424X Level 6 Level 6 (14,190 points)

    bgw1 wrote:

     

    In ~/Library/LaunchAgents/, there is only Little Snitch and Splashtop. 

     

    com.splashtop.streamer.SRServiceAgent.plist

     

    Yours is an entirely separate problem and not related to the subject of this thread, i.e., .rserv.  I said that the SplashtopStreamer installer installs a whole lot of stuff other than the app and you should try to use, what I assume it has, its uninstall function which is probably part of that SplashtopStreamer application.

  • 27. Re: .rserv wants to connect to cuojshtbohnt.com
    bgw1 Level 1 Level 1 (0 points)

    Found .rserv with FAF.  59.9K in size.

     

    "PluginProcess.app downloaded the file on March 30, 2012."

     

    I can make it run.  Little Snitch Details:

     

    Terminal via .rserv

    wants to connect to cuojshtbohnt.com on TCP port 80 (http)

     

              IP Address          72.215.225.9

              Reverse DNS Name          ip72-215-225-9.at.at.cox.net

              Established by          /Users/EirUser/.rserv

      Process ID          1296

              User          EirUser (UID: 502)

              Parent Application          /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal

      Process ID          460

     

    The process 1296 Open Files and Ports:

     

    /Users/EirUser

    /Users/EirUser/.rserv

    /usr/lib/dyld

    /private/var/db/dyld/dyld_shared_cache_x86_64

    /dev/ttys000

    /dev/ttys000

    /dev/ttys000

    ->0x086a36f0

    ->0x0802e5c8

    count=1, state=0x2

    *:*

  • 28. Re: .rserv wants to connect to cuojshtbohnt.com
    X423424X Level 6 Level 6 (14,190 points)

    I'm having trouble handling two parallel threads simultaneously in one thread.

     

    If you only have the SplashtopStreamer in your ~/Library/LaunchAgents I don't know who is spawning yours nor why it is spawned differently from the OP.

     

    Look in your login items and,

     

    /Library/LaunchAgents

    /Library/LaunchDaemons

    /Library/StartupItems

  • 29. Re: .rserv wants to connect to cuojshtbohnt.com
    X423424X Level 6 Level 6 (14,190 points)

    sthej did you do that defaults command?

     

    defaults read ~/.MacOSX/environment
