.rserv wants to connect to cuojshtbohnt.com

27367 Views 227 Replies Latest reply: Apr 12, 2012 8:53 PM by MadMacs0
chadonline Level 1 (0 points)
Mar 31, 2012 3:18 PM

I have the message:

 

.rserv wants to connect to cuojshtbohnt.com

 

What is .rserv?  I googled it and couldn't locate anything legitimate.

 

thanks

MacBook Pro, Mac OS X (10.6.8)
  • Gregg Luhring Level 1 (5 points)
    Mar 31, 2012 6:21 PM (in response to chadonline)

    I have the same thing happening. Isn't it odd that it's on the same day? Google it now and every entry is from today, within the last 2 hours.

     

     

    I'll do a text level search of the whole drive and report back if I find something.

     

    GL

  • sthej Level 1 (0 points)
    Mar 31, 2012 7:33 PM (in response to chadonline)

    I got this message as well when visiting a website. ".rserv wants to connect to gangstaparadise.rr.nu" and of course denied it.

     

    Is .rserv a process in os x? Did it get downloaded and installed surreptitiously?

  • trungson Level 1 (0 points)
    Mar 31, 2012 7:57 PM (in response to chadonline)

    Same here, got it today as well, very suspicious, looks like it's not just me

     

    LittleSnitch blocked it and the process is here:

     

    /Users/Your-User-Name/.rserv

     

    -rwxrwxrwx@   1 trungson  staff   59848 Mar 31 16:38 .rserv

  • X423424X Level 6 (14,190 points)
    Mar 31, 2012 8:03 PM (in response to chadonline)

    Who is posting that message?  Little Snitch?  Hands Off?

     

    If .rserv is a process, then in terminal type (copy/paste) the following:

     

    ps ax | grep -i rserv

     

    If you get any output other than a line with grep on it then you will see the pathname to the process.  Then you should know where it is coming from.

  • sthej Level 1 (0 points)
    Mar 31, 2012 8:05 PM (in response to X423424X)

    I'm using Little Snitch.

  • X423424X Level 6 (14,190 points)
    Mar 31, 2012 8:21 PM (in response to sthej)

    So it also tells you the pathname to the process requesting the connection.  Mouse over the "wants to connect" message and a "Show Details" button will appear.  Click it and you will see the pathname ("Established by").  What is that pathname?  Note you can select that pathname in the LS window and copy/paste it to your post.

     

    If it were me I would block it, see if anything critical fails (I doubt it), and if you really decide you need it, unblock it later.

  • sthej Level 1 (0 points)
    Mar 31, 2012 8:25 PM (in response to X423424X)

    I just finished reinstalling a time machine backup, so I can't post the pathname. I did block it though before reinstalling. What could it have done? Should I take any further precautions?

  • trungson Level 1 (0 points)
    Mar 31, 2012 8:32 PM (in response to X423424X)

    I renamed and moved it to another location for investigation so it does not try to connect, but I'm worried about what it is and what happened. Anywhere I should send it to for fingerprinting/investigation? Looks like a virus to me but I don't know why I got infected... Hmm

  • bgw1 Level 1 (0 points)
    Mar 31, 2012 8:38 PM (in response to trungson)

    I had the same experience tonight.  Lil Snitch blocked it.  The guilty application is Splashtop Streamer.  I am going to delete it.

     

    ps ax | grep -i rserv

     

       53   ??  Ss     0:00.05 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon

      196   ??  S      0:00.06 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent

      468 s000  S+     0:00.00 grep -i rserv

  • X423424X Level 6 (14,190 points)
    Mar 31, 2012 8:40 PM (in response to sthej)

    sthej wrote:

     

    I just finished reinstalling a time machine backup, so I can't post the pathname. I did block it though before reinstalling. What could it have done? Should I take any further precautions?

     

    I don't know why you reinstalled at all if you blocked it.  If you had looked at the pathname like I described you could have just removed the offending software if it isn't system software.

     

    I also assume that if you blocked it before you reverted your system from the backup it is no longer blocked so you will still get a chance to check the pathname should it occur in the future.  And if you somehow blocked it after reverting the system then open LS and uncheck the checkbox next to the blocking rule so that you get the LS dialog again when a call attempt is made.  Then you can again still get a chance for getting the pathname.

  • X423424X Level 6 (14,190 points)
    Mar 31, 2012 8:47 PM (in response to trungson)

    trungson wrote:

     

    I renamed and moved it to another location for investigation so it does not try to connect, but I'm worried about what it is and what happened. Anywhere I should send it to for fingerprinting/investigation? Looks like a virus to me but I don't know why I got infected... Hmm

     

    It?  You never said what "it" was so I cannot comment one way or another what "it" is.

     

    Is "it" "Splashtop Streamer" that bgw1 reported?

  • trungson Level 1 (0 points)
    Mar 31, 2012 8:53 PM (in response to X423424X)

    It is the binary file ".rserv". I have not installed any application lately and do not have "Splashtop Streamer" on my Mac.

     

    /Users/trungson/.rserv

     

    -rwxrwxrwx@   1 trungson  staff   59848 Mar 31 16:38 .rserv

  • X423424X Level 6 (14,190 points)
    Mar 31, 2012 9:03 PM (in response to trungson)

    /Users/trungson/.rserv

     

    Well it's in your home directory so you could safely remove it.

     

    But post your Accounts login items and also the filenames (if any) in the folder ~/Library/LaunchAgents (also in your home directory).

  • bgw1 Level 1 (0 points)
    Mar 31, 2012 9:16 PM (in response to X423424X)

    Little Snitch details:

     

    ".rserv"

    wants to connect to cuojshtbohnt.com on TCP port 80 (http)

     

              IP Address          72.215.225.9

              Reverse DNS Name          ip72-215-225-9.at.at.cox.net

              Established by          /Users/EirUser/.rserv

              User          EirUser (UID: 502)

              Process ID          514

     

    I looked at Process 514 in Activity Monitor.  It was running out of dyld cache.  Unfortunately it terminated while I was checking something else before I could copy the text.

     

    Whois says the IP address is related to one of these:

     

    NS3.THEMADDENSHOME.COM

    NS2.XVIDSPOT.COM

    NS1.XVIDSPOT.COM

    PRODIIS.INTERNETRTI.COM
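
Added example, not part of any post in the thread: `grep -i rserv` is a case-insensitive substring match, so it also hits names such as SRServiceDaemon; the script below matches the executable name exactly and lists LaunchAgents plists that point at a hidden file in a home directory. The ps line for PID 514, the plist file names and the XML-only plist format are assumptions made for the example.

```shell
#!/bin/sh
# Added example: exact-name process triage plus a LaunchAgents check.

# Print ps lines whose executable is named exactly $1 (stdin: `ps ax` output).
exact_proc_match() {
  awk -v name="$1" '{
    cmd = $0
    # drop the PID, TT, STAT and TIME columns, keep the command
    sub(/^[ \t]*[0-9]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)
    c = cmd " "
    if (index(c, name " ") == 1 || index(c, "/" name " ") > 0) print
  }'
}

# List XML plists in directory $1 that reference a hidden file placed
# directly in a home directory (/Users/<user>/.<name>).
agents_with_hidden_home_target() {
  grep -lE '<string>/Users/[^/<]+/\.[^/<]+</string>' "$1"/*.plist 2>/dev/null
}

# Constructed sample: the ps lines quoted in the thread plus one constructed
# line using the path and PID that Little Snitch reported.
sample_ps() {
  cat <<'EOF'
   53   ??  Ss     0:00.05 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceDaemon
  196   ??  S      0:00.06 /Applications/Splashtop Streamer.app/Contents/MacOS/SRServiceAgent
  468 s000  S+     0:00.00 grep -i rserv
  514   ??  S      0:00.02 /Users/EirUser/.rserv
EOF
}

# Constructed LaunchAgents directory; both plist names are hypothetical.
make_sample_agents() {
  dir=$(mktemp -d)
  printf '<plist><dict><key>ProgramArguments</key><array><string>/Users/EirUser/.rserv</string></array></dict></plist>\n' > "$dir/com.example.hidden.plist"
  printf '<plist><dict><key>Program</key><string>/Applications/Example.app/Contents/MacOS/agent</string></dict></plist>\n' > "$dir/com.example.benign.plist"
  echo "$dir"
}

sample_ps | exact_proc_match .rserv          # only the PID 514 line
agents_with_hidden_home_target "$(make_sample_agents)"
```

On a real system the first function is fed with `ps ax` and the second with `~/Library/LaunchAgents`; plists stored in binary form would first need converting with `plutil -convert xml1 -o - FILE`.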


     

