.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
... This in effect will inject binary2 into every application launched by the infected user. ...
Means every application is infected? Even after deleting the files according to f.secure?
The malware then creates a launch point by creating "~/.MacOSX/environment.plist", containing the following lines:
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.libgmalloc.dylib</string>
For some reason I didn't have an environment.plist even though I'm infection type 2
Matt Durben wrote:
... This in effect will inject binary2 into every application launched by the infected user. ...
Means every application is infected? Even after deleting the files according to f.secure?
No, it injects the code into RAM after the app is launched, not onto the hard drive.
Matt Durben wrote:
The malware then creates a launch point by creating "~/.MacOSX/environment.plist", containing the following lines:
<key>DYLD_INSERT_LIBRARIES</key>
<string>/Users/Shared/.libgmalloc.dylib</string>
For some reason I didn't have an environment.plist even though I'm infection type 2
One of us is confused. In this entry Re: .rserv wants to connect to cuojshtbohnt.com you told us you did have it.
I haven't had the ~/.MacOSX/environment.plist
Matt Durben wrote:
1. I thought Creation Date: 03-apr-2012 means first registered date ever. And there's no history but this entry.
2. Does the trojan itself changes the url it connects to? Or does it come with one fixed url?
The three domain names that I mentioned before were registered by us. This helped us to estimate the size of the botnet.
Each subversion of BackDoor.Flashback.39 generates a list of C&C servers (about 50-60). We registered the first server in the list. Here is the second server according to subversion:
1 - vxvhwcixcxqxd.net
2 - cuojshtbohnt.net
4 - rfffnahfiywyd.net
LysaM, it's not registered yet.
Matt Durben wrote:
I haven't had the ~/.MacOSX/environment.plist
Then how were you able to read it?
Matt Durben wrote:
defaults read ~/.MacOSX/environment
{
"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.libgmalloc.dylib";
}
Means I'm infected?
There's a 406kB .libgmalloc.dylib in the specified folder.
What exactly does this trojan do? Unfortunately I installed Little Snitch a few days after a strange program wanted to have my password to install something. I declined, but from what I read that does not matter?!
It had to have been there at the time.
Ah,
defaults read ~/.MacOSX/environment
{
"DYLD_INSERT_LIBRARIES" = "/Users/Shared/.libgmalloc.dylib";
}
was a quote from F-Secure
New JAVA update from Apple released today... Check software updates!
foodguylargo wrote:
New JAVA update from Apple released today... Check software updates!
That's yesterday's news, right?
I don't know if he's out of date, or if that means 2 updates already. Someone please confirm.
I'm sure we are all glad that so many folks with Little Snitch survived the attacks this weekend and that Apple has closed one of the doors on this thing, but for anybody that still feels this was no big deal, according to this article http://news.cnet.com/8301-1009_3-57409619-83/ there are still over half a million Macs still Flashback infected (including 274 just down the street from where I sit), so I suspect our work has only begun here.
Mad, I've asked you this in the Leopard forum already, so sorry for the duplication. Do you know if ClamX has got this thing covered, at least for the known variants through yesterday or the day before, perhaps?
I've got my son a bit worried now. I gave him all the places I know about to check and he comes up clean, but I may not know them all, so thought it might be wise to run an AV.
If not, do you know -- or anyone else, maybe -- if Intego's VirusBarrier X6, the demo version, will scan properly for this? I know they are claiming the full version, at least, can.
Well, I wasn't going to reinstall my system, but now I'm seeing this "music manager" window pop up/under. It comes up for about 5 seconds and disappears. The window looks like a recently downloaded app window with Google's music manager. I do have music manager installed, but I downloaded that a long time ago. This has been a little frustrating to say the least.
Just got hit with this today.
Found ~/.rserv trying to make connections to various URLs.
Apparently launched by:
feynmanliang@vlan409-128: ~/Library/LaunchAgents
$ l [17:19:17]
total 40
drwx------ 12 feynmanliang staff 408 Apr 5 11:49 ./
drwx------+ 58 feynmanliang staff 1972 Apr 5 13:16 ../
-rw-r--r-- 1 feynmanliang staff 497 Mar 30 19:38 com.adobe.reader.plist
...
com.adobe.reader.plist in user launchagents directory.
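Pulling the indicators named in this thread together into one check: the script below is an added example and was not posted by anyone in the thread. It looks for the four artefacts mentioned above (the ~/.MacOSX/environment.plist that sets DYLD_INSERT_LIBRARIES, /Users/Shared/.libgmalloc.dylib, ~/.rserv, and the com.adobe.reader.plist launch agent that started .rserv in the listing above). The function name flashback_check and its two optional directory arguments are this example's own; they exist so the check can be run against a copied home directory or a test tree as well as against the live account.

```shell
#!/bin/sh
# Added example, not from the thread: check a home directory for the Flashback
# artefacts mentioned in this discussion. The indicator paths come from the
# posts above; the function name and the two optional directory arguments are
# this example's own conventions.
#
#   flashback_check [HOME_DIR] [SHARED_DIR]
#
# HOME_DIR defaults to $HOME, SHARED_DIR to /Users/Shared. Prints one
# "INDICATOR ..." line per artefact found; returns 1 if anything was found,
# 0 if the tree looks clean.
flashback_check() {
    home="${1:-$HOME}"
    shared="${2:-/Users/Shared}"
    found=0

    # 1. The launch point F-Secure describes: an environment.plist that sets
    #    DYLD_INSERT_LIBRARIES, so the dylib is loaded into every application
    #    this user starts (into the process in RAM, as the reply above notes).
    env_plist="$home/.MacOSX/environment.plist"
    if [ -f "$env_plist" ] && grep -q 'DYLD_INSERT_LIBRARIES' "$env_plist"; then
        # Pull the library path out of an XML plist. A binary plist still
        # matches the grep above but needs 'defaults read ~/.MacOSX/environment'
        # (as shown in the thread) to display the value.
        lib=$(sed -n 's:.*<string>\(.*\)</string>.*:\1:p' "$env_plist" | head -n 1)
        echo "INDICATOR $env_plist sets DYLD_INSERT_LIBRARIES -> ${lib:-<unparsed>}"
        found=1
    fi

    # 2. The injected library itself.
    if [ -f "$shared/.libgmalloc.dylib" ]; then
        echo "INDICATOR $shared/.libgmalloc.dylib present"
        found=1
    fi

    # 3. The hidden binary Little Snitch flagged connecting out.
    if [ -f "$home/.rserv" ]; then
        echo "INDICATOR $home/.rserv present"
        found=1
    fi

    # 4. The launch agent in ~/Library/LaunchAgents that started .rserv.
    agent="$home/Library/LaunchAgents/com.adobe.reader.plist"
    if [ -f "$agent" ]; then
        echo "INDICATOR $agent present"
        found=1
    fi

    return "$found"
}
```

Run it as `flashback_check` for the current user, or point it at another account's home (`flashback_check /Users/someone`). A non-zero exit with no output means the grep matched but nothing else; any INDICATOR line is worth following up with the `defaults read` command and the `ls -la ~/Library/LaunchAgents` listing already shown in the thread, since a file found by name alone can also be a leftover from a cleanup.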