I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
I'll do a text level search of the whole drive and report back if I find something.
So it also tells you the pathname to the process requesting the connection. Mouse over the "wants to connect" message and a "Show Details" button will appear. Click it and you will see the pathname ("Established by"). What is that pathname? Note you can select that pathname in the LS window and copy/paste it to your post.
If it were me I would block it, see if anything critical fails (I doubt it), and if you really decide you need it, unblock it later.
I had the same experience tonight. Lil Snitch blocked it. The guilty application is Splashtop Streamer. I am going to delete it.
ps ax | grep -i rserv
53 ?? Ss 0:00.05 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon
196 ?? S 0:00.06 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent
468 s000 S+ 0:00.00 grep -i rserv
I just finished reinstalling a Time Machine backup, so I can't post the pathname. I did block it though before reinstalling. What could it have done? Should I take any further precautions?
I don't know why you reinstalled at all if you blocked it. If you had looked at the pathname like I described you could have just removed the offending software if it isn't system software.
I also assume that if you blocked it before you reverted your system from the backup it is no longer blocked so you will still get a chance to check the pathname should it occur in the future. And if you somehow blocked it after reverting the system then open LS and uncheck the checkbox next to the blocking rule so that you get the LS dialog again when a call attempt is made. Then you can again still get a chance for getting the pathname.
I renamed and moved it to another location for investigation so it does not try to connect, but I'm worried about what it is and what happened. Anywhere I should send it to for fingerprinting/investigation? Looks like a virus to me but I don't know why I got infected... Hmm
It? You never said what "it" was so I cannot comment one way or another what "it" is.
Is "it" "Splashtop Streamer" that bgw1 reported?
Little Snitch details:
wants to connect to cuojshtbohnt.com on TCP port 80 (http)
IP Address 220.127.116.11
Reverse DNS Name ip72-215-225-9.at.at.cox.net
Established by /Users/EirUser/.rserv
User EirUser (UID: 502)
Process ID 514
I looked at Process 514 in Activity Monitor. It was running out of dyld cache. Unfortunately it terminated while I was checking something else before I could copy the text.
Whois says the IP address is related to one of these: