.rserv wants to connect to cuojshtbohnt.com
I have the message:
.rserv wants to connect to cuojshtbohnt.com
what is .rserv? I googled it and couldn't locate anything legitimate.
thanks
MacBook Pro, Mac OS X (10.6.8)
I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.
😮
I'll do a text level search of the whole drive and report back if I find something.
GL
Overabundance of caution I guess... Any ideas on what is going on here?
bgw1 wrote:
Little Snitch details:
".rserv"
wants to connect to cuojshtbohnt.com on TCP port 80 (http)
IP Address 72.215.225.9
Reverse DNS Name ip72-215-225-9.at.at.cox.net
Established by /Users/EirUser/.rserv
User EirUser (UID: 502)
Process ID 514
Same question to you. Post your login items and ~/Library/LaunchAgents.
By the way, about that Splashtop Streamer. I downloaded it and did some analysis. It installs much more than just the app. It has uninstaller applescripts in the installer so I assume that if you run that Splashtop Streamer app it will give an option somewhere to uninstall itself. Use that instead of just dragging the app to the trash.
I stand corrected. You are right. I will wait for this puppy to try again and run ps (3 times tonight) while it is active.
bgw1 wrote:
Established by /Users/EirUser/.rserv
User EirUser (UID: 502)
Process ID 514
I looked at Process 514 in Activity Monitor. It was running out of dyld cache.
If this isn't malware, I'll eat my hat!
And it shouldn't surprise me if this was yet another strain of the Flashback Trojan Horse. The question is, what is executing it?
X423424X is on the right track, asking you to look in <~/Library/LaunchAgents/> and in Login items. Do also
defaults read ~/.MacOSX/environment
fane_j wrote:
This is definitely worth digging into. I find the process name ".rserv" extremely suspicious because it begins with a dot. The two sites mentioned as trying to link to are also extremely suspicious. You need to get its full information, including path, from Little Snitch. Also, use Find File or Find Any File and search your whole hard drive for any file containing the string "rserv". A file name like ".rserv" would hide it from the casual user, which makes it even more suspicious, but both FF and FAF should find it.
Why do you think I'm sticking with this? 😉
And yes Splashtop Streamer has nothing to do with the .rserv process. It's nowhere to be found in that code.
And yes, my post about how Splashtop Streamer should be uninstalled talked about using an uninstaller and not just trashing the app. According to the uninstall applescript (fortunately it wasn't compiled applescript) that app sprays stuff into /System/Library/Extensions, /Library/LaunchAgents, /Library/LaunchDaemons, and a bunch of other places.
Update (we're overlapping posts here):
environment.plist was coming next but I just want to see what the login items and launchagents are first.
If this is another trojan variant then this is either a new kind or no one has run with Little Snitch installed up till now. But I had read that earlier variants aborted their code injection if they detected Little Snitch (among some other stuff). It would be a pretty dumb trojan to install a process that calls home knowing full well Little Snitch would jump all over it. But still it piqued my curiosity!
macbook-2:~ trungson$ grep -r 'rserv' ~/Library/LaunchAgents/
/Users/trungson/Library/LaunchAgents/com.adobe.reader.plist:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.adobe.reader</string>
<key>ProgramArguments</key>
<array>
<string>/Users/trungson/.rserv</string>
</array>
<key>RunAtLoad</key>
<true/>
<key>StartInterval</key>
<integer>4212</integer>
<key>StandardErrorPath</key>
<string>/dev/null</string>
<key>StandardOutPath</key>
<string>/dev/null</string>
</dict>
</plist>
Is it really Adobe Reader? (I do have Adobe Reader 10.1.2.) But I don't think Adobe would connect to those suspicious domains. Or maybe malware posing as Adobe, or a corrupted PDF file caused this? I still have the binary renamed and moved so I can send it to a virus researcher if needed, or someone from Adobe.
In ~/Library/LaunchAgents/, there is only Little Snitch and Splashtop.
com.splashtop.streamer.SRServiceAgent.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Label</key>
<string>com.splashtop.streamer.SRServiceAgent</string>
<key>Program</key>
<string>/Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent</string>
<key>KeepAlive</key>
<true/>
</dict>
</plist>
trungson wrote:
Is it really Adobe Reader (I do have Adobe Reader 10.1.2) but I don't think Adobe would connect to those suspicious domains. Or maybe a malware posing as Adobe, or a corrupted PDF file caused this? I still have the binary renamed and moved so I can send to a virus researcher if needed, or someone from Adobe
Not sure why Adobe Reader would install a launch agent. I certainly don't have it. So trash it.
Alright, humor me here, just for the sake of completeness, please copy/paste this terminal command:
defaults read ~/.MacOSX/environment
Post the results if you get anything other than a "does not exist" error message.
Update:
Did you download Adobe Reader installer from any place other than the adobe site?
Since LS didn't allow it to connect, do you think that we have anything to worry about?
If you never let it ever connect you're ok.
We had overlapping posts again so I'll repeat:
Did you download Adobe Reader installer from any place other than the adobe site?
Also do that defaults command.
bgw1 wrote:
In ~/Library/LaunchAgents/, there is only Little Snitch and Splashtop.
com.splashtop.streamer.SRServiceAgent.plist
Yours is an entirely separate problem and not related to the subject of this thread, i.e., .rserv. I said that the SplashtopStreamer installer installs a whole lot of stuff other than the app and you should try to use, what I assume it has, its uninstall function which is probably part of that SplashtopStreamer application.
Found .rserv with FAF. 59.9K in size.
"PluginProcess.app downloaded the file on March 30, 2012."
I can make it run. Little Snitch Details:
Terminal via .rserv
wants to connect to cuojshtbohnt.com on TCP port 80 (http)
IP Address 72.215.225.9
Reverse DNS Name ip72-215-225-9.at.at.cox.net
Established by /Users/EirUser/.rserv
Process ID 1296
User EirUser (UID: 502)
Parent Application /Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
Process ID 460
The process 1296 Open Files and Ports:
/Users/EirUser
/Users/EirUser/.rserv
/usr/lib/dyld
/private/var/db/dyld/dyld_shared_cache_x86_64
/dev/ttys000
/dev/ttys000
/dev/ttys000
->0x086a36f0
->0x0802e5c8
count=1, state=0x2
*:*
I'm having trouble handling two parallel threads simultaneously in one thread.
If you only have the SplashtopStreamer in your ~/Library/LaunchAgents I don't know who is spawning yours nor why it is spawned differently from the OP.
Look in your login items and,
/Library/LaunchAgents
/Library/LaunchDaemons
/Library/StartupItems
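The checks the posters did by hand (grep the LaunchAgents folder, read the plist, notice the dot-file program path, run `defaults read ~/.MacOSX/environment`) can be scripted. The following is an added example, not code from this thread, from Apple or from Little Snitch: it walks the persistence directories listed in the thread, parses each launchd plist with Python's standard `plistlib`, and flags the traits of the com.adobe.reader agent posted earlier (hidden dot-file executable at the top of a home directory, a vendor-style label whose program lives outside the usual install paths, stdout and stderr discarded, re-launch on a timer). It also checks `~/.MacOSX/environment.plist`, the file the `defaults` command reads, for `DYLD_*` variables, since that file sets environment variables for every process in the login session and `DYLD_INSERT_LIBRARIES` there injects a library into all of them. The two embedded sample plists are constructed copies of the ones posted in the thread; the indicator names and the `STANDARD_PREFIXES` list are this example's own assumptions, not an Apple or Little Snitch definition.

```python
"""Added example: flag launchd jobs with the traits of the .rserv agent from the
thread, and check ~/.MacOSX/environment.plist for library-injection variables."""
import os
import plistlib
import re
from pathlib import Path
from typing import Dict, List, Optional

# Persistence locations named in the thread (~ is expanded at scan time).
PERSISTENCE_DIRS = ["~/Library/LaunchAgents", "/Library/LaunchAgents",
                    "/Library/LaunchDaemons", "/Library/StartupItems"]
# Assumed "normal" places for a vendor-labelled job's executable to live.
STANDARD_PREFIXES = ("/Applications/", "/Library/", "/System/", "/usr/", "/bin/", "/sbin/")
HIDDEN_HOME_FILE = re.compile(r"^/Users/[^/]+/\.[^/]+$")  # e.g. /Users/name/.rserv


def program_of(job: dict) -> Optional[str]:
    """Executable a launchd job runs: the Program key, else ProgramArguments[0]."""
    if isinstance(job.get("Program"), str):
        return job["Program"]
    args = job.get("ProgramArguments")
    if isinstance(args, list) and args and isinstance(args[0], str):
        return args[0]
    return None


def job_indicators(job: dict) -> List[str]:
    """Reasons a launchd job looks suspicious; an empty list means nothing flagged."""
    prog = program_of(job)
    if prog is None:
        return ["no Program/ProgramArguments key"]
    reasons = []
    if os.path.basename(prog).startswith("."):
        reasons.append("executable name starts with a dot: " + prog)
    if HIDDEN_HOME_FILE.match(prog):
        reasons.append("executable is a hidden file at the top of a home directory")
    label = str(job.get("Label", ""))
    if label.startswith("com.") and not prog.startswith(STANDARD_PREFIXES):
        reasons.append(f"vendor-style label {label!r} but program outside standard paths")
    if job.get("StandardOutPath") == "/dev/null" and job.get("StandardErrorPath") == "/dev/null":
        reasons.append("stdout and stderr both discarded to /dev/null")
    if job.get("RunAtLoad") and isinstance(job.get("StartInterval"), int):
        reasons.append(f"runs at login and again every {job['StartInterval']} s")
    return reasons


def scan_plist(data: bytes) -> List[str]:
    """Parse one launchd plist (XML or binary) and return its indicators."""
    return job_indicators(plistlib.loads(data))


def environment_indicators(data: bytes) -> List[str]:
    """DYLD_* entries in ~/.MacOSX/environment.plist; DYLD_INSERT_LIBRARIES there
    loads the named library into every process of the login session."""
    env = plistlib.loads(data)
    return [f"{k}={v}" for k, v in env.items() if str(k).startswith("DYLD_")]


def scan_directories(dirs=PERSISTENCE_DIRS) -> Dict[str, List[str]]:
    """Walk the persistence directories and collect flagged plists by path."""
    findings: Dict[str, List[str]] = {}
    for d in dirs:
        base = Path(os.path.expanduser(d))
        if not base.is_dir():
            continue
        for f in base.glob("*.plist"):
            try:
                reasons = scan_plist(f.read_bytes())
            except Exception as exc:  # a plist launchd cannot parse is itself worth a look
                reasons = [f"unparseable plist: {exc}"]
            if reasons:
                findings[str(f)] = reasons
    return findings


# Constructed samples reproducing the two plists posted in the thread.
RSERV_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.adobe.reader</string>
<key>ProgramArguments</key><array><string>/Users/trungson/.rserv</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>"""

SPLASHTOP_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>Label</key><string>com.splashtop.streamer.SRServiceAgent</string>
<key>Program</key><string>/Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent</string>
<key>KeepAlive</key><true/>
</dict></plist>"""

if __name__ == "__main__":
    print("com.adobe.reader sample ->", scan_plist(RSERV_PLIST))
    print("splashtop sample ->", scan_plist(SPLASHTOP_PLIST) or "nothing flagged")
    for path, reasons in scan_directories().items():
        print(path, "->", reasons)
```

Run on the two samples, the com.adobe.reader job is flagged on all five traits and the Splashtop agent on none, which matches the thread's conclusion that the Splashtop item is a separate (uninstaller) issue. Run on a live machine it only reports; the decision to unload a job with `launchctl unload` and remove the plist is still a human one, taken after confirming the program path the way the posters did.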
X423424X wrote:
I had read that earlier variants aborted their code injection if they detected little snitch
Yes, that's correct. But my suspicion is that there's more than one person behind this. Also, black hats do have their own watering holes, and they do exchange code and tips. This may be a variant where the code which self-destructs if LS is encountered is not functional or stopped by a bug.
There's another possibility. It just occurred to me to look at the date. I hope we haven't been taken in by a hoax.