.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
What is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
I got this message as well when visiting a website. ".rserv wants to connect to gangstaparadise.rr.nu" and of course denied it.
Is .rserv a process in OS X? Did it get downloaded and installed surreptitiously?
Same here, got it today as well. Very suspicious; looks like it's not just me.
LittleSnitch blocked it and the process is here:
/Users/Your-User-Name/.rserv
-rwxrwxrwx@ 1 trungson staff 59848 Mar 31 16:38 .rserv
Who is posting that message? Little Snitch? Hands Off?
If .rserv is a process, then in terminal type (copy/paste) the following:
ps ax | grep -i rserv
If you get any output other than a line with grep on it then you will see the pathname to the process. Then you should know where it is coming from.
I'm using Little Snitch.
So it also tells you the pathname to the process requesting the connection. Mouse over the "wants to connect" message and a "Show Details" button will appear. Click it and you will see the pathname ("Established by"). What is that pathname? Note you can select that pathname in the LS window and copy/paste it to your post.
If it were me I would block it, see if anything critical fails (I doubt it), and if you really decide you need it, unblock it later.
I just finished reinstalling a time machine backup, so I can't post the pathname. I did block it though before reinstalling. What could it have done? Should I take any further precautions?
I renamed and moved it to another location for investigation so it does not try to connect, but I'm worried about what it is and what happened. Anywhere I should send it to for fingerprinting/investigation? Looks like a virus to me but I don't know why I got infected. Hmm
I had the same experience tonight. Lil Snitch blocked it. The guilty application is Splashtop Streamer. I am going to delete it.
ps ax | grep -i rserv
53 ?? Ss 0:00.05 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon
196 ?? S 0:00.06 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent
468 s000 S+ 0:00.00 grep -i rserv
sthej wrote:
I just finished reinstalling a time machine backup, so I can't post the pathname. I did block it though before reinstalling. What could it have done? Should I take any further precautions?
I don't know why you reinstalled at all if you blocked it. If you had looked at the pathname like I described you could have just removed the offending software if it isn't system software.
I also assume that if you blocked it before you reverted your system from the backup it is no longer blocked so you will still get a chance to check the pathname should it occur in the future. And if you somehow blocked it after reverting the system then open LS and uncheck the checkbox next to the blocking rule so that you get the LS dialog again when a call attempt is made. Then you can again still get a chance for getting the pathname.
trungson wrote:
I renamed and moved it to another location for investigation so it does not try to connect, but I'm worried about what it is and what happened. Anywhere I should send it to for fingerprinting/investigation? Looks like a virus to me but I don't know why I got infected. Hmm
It? You never said what "it" was so I cannot comment one way or another what "it" is.
Is "it" the "Splashtop Streamer" that bgw1 reported?
It is the binary file ".rserv". I have not installed any application lately, nor do I have "Splashtop Streamer" on my Mac.
/Users/trungson/.rserv
-rwxrwxrwx@ 1 trungson staff 59848 Mar 31 16:38 .rserv
/Users/trungson/.rserv
Well it's in your home directory so you could safely remove it.
But post your Accounts login items and also the filenames (if any) in the folder ~/Library/LaunchAgents (also in your home directory).
Little Snitch details:
".rserv"
wants to connect to cuojshtbohnt.com on TCP port 80 (http)
IP Address 72.215.225.9
Reverse DNS Name ip72-215-225-9.at.at.cox.net
Established by /Users/EirUser/.rserv
User EirUser (UID: 502)
Process ID 514
I looked at Process 514 in Activity Monitor. It was running out of dyld cache. Unfortunately it terminated while I was checking something else before I could copy the text.
Whois says the IP address is related to one of these:
NS3.THEMADDENSHOME.COM
NS2.XVIDSPOT.COM
NS1.XVIDSPOT.COM
PRODIIS.INTERNETRTI.COM
bgw1 wrote:
I am going to delete it.
Guys. You may be on to something here. Don't rush to delete stuff before we know what it is.
The guilty application is Splashtop Streamer.
No, it's not. The two processes listed as belonging to Splashtop Streamer would show up as "SRServiceDaemon" and "SRServiceAgent", not as ".rserv". They are caught because grep was case-insensitively searching for "rserv", and their names do contain the string "RServ". If it doesn't show up, it means it wasn't active when you ran ps.
This is definitely worth digging into. I find the process name ".rserv" extremely suspicious because it begins with a dot. The two sites mentioned as trying to link to are also extremely suspicious. You need to get its full information, including path, from Little Snitch. Also, use Find File or Find Any File and search your whole hard drive for any file containing the string "rserv". A file name like ".rserv" would hide it from the casual user, which makes it even more suspicious, but both FF and FAF should find it.
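The checks discussed in this thread, as an added example that is not part of any post: an exact-name process match that avoids the `grep -i rserv` false positive on the Splashtop processes, plus read-only listings of hidden executables in a home directory and of LaunchAgents files that mention a string. The function names and the sample input are assumptions made here; the sample is constructed from the PIDs and paths quoted above, laid out as `ps -axo pid=,comm=` prints them.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_PS is constructed from the
# PIDs and paths quoted in the posts, in "ps -axo pid=,comm=" layout.
SAMPLE_PS='   53 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon
  196 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent
  514 /Users/EirUser/.rserv'

# match_exact NAME: read "PID PATH" lines on stdin and print only those whose
# executable basename is exactly NAME (case-sensitive, no substring match).
match_exact() {
    awk -v want="$1" '{
        pid = $1
        path = $0
        sub(/^[ \t]*[0-9]+[ \t]+/, "", path)  # drop the PID, keep spaces in the path
        n = split(path, parts, "/")
        if (parts[n] == want) print pid, path
    }'
}

# hidden_executables DIR: dot-files directly under DIR that are regular
# files with the owner-execute bit set (like the ~/.rserv listed above).
hidden_executables() {
    find "$1" -maxdepth 1 -type f -name '.*' -perm -100 2>/dev/null
}

# agents_referencing DIR STRING: files under DIR (for example
# ~/Library/LaunchAgents) whose contents mention STRING.
agents_referencing() {
    grep -rlF -- "$2" "$1" 2>/dev/null
}

# Demo: the substring search hits three processes, the exact match only one.
printf '%s\n' "$SAMPLE_PS" | grep -ic rserv
printf '%s\n' "$SAMPLE_PS" | match_exact .rserv
# On a live Mac (read-only checks):
#   ps -axo pid=,comm= | match_exact .rserv
hidden_executables "$HOME" || true
agents_referencing "$HOME/Library/LaunchAgents" ".rserv" || true
```

None of these functions modifies or deletes anything, so the file and any launch entry stay in place for later analysis.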