
.rserv wants to connect to cuojshtbohnt.com

27361 Views 227 Replies Latest reply: Apr 12, 2012 8:53 PM by MadMacs0
  • MadMacs0 Level 4 (3,350 points)
    Apr 8, 2012 5:35 PM (in response to dhnyprod)

    dhnyprod wrote:

    Use the free program Easyfind Version 4.8.2 (4.8.2); it will find and delete.

    Sorry, but I don't know what entry of mine you are responding to. That's where the quote thing comes in handy.

    Certainly Easyfind and Find Any File are capable of doing that if you know what you are looking for, but the problem is there are too many possibilities these days.

  • etresoft Level 7 (23,915 points)
    Apr 8, 2012 6:48 PM (in response to MadMacs0)

    MadMacs0 wrote:

    etresoft wrote:

    Here is what a reputable anti-virus company says about the situation: http://www.symantec.com/security_response/writeup.jsp?docid=2011-093016-1216-99

    Not sure why you find Symantec any more reputable, but I'll accept it as a data point. Be interesting to know if they have changed any of the numbers since September.

    My first compiler was Symantec's THINK Pascal back in 1987. It could do things even Xcode can't do today. They have been around for a long time. Kaspersky and Dr.Web are trying to use sensational reports to drum up new business. Symantec already has most of that business and has for many years. Their consumer-grade Norton products have a bad reputation, but their enterprise anti-virus software is very good. I have it on my work machine (although not by choice). So yes, I trust them more than Dr. Web.

  • lytic Level 1 (5 points)
    Apr 9, 2012 2:07 AM (in response to WZZZ)

    WZZZ wrote:

    Has anyone determined what mkeeper (MacKeeper) and com.zeobit (MacKeeper developer) are doing here?

    There is one sub-version of BackDoor.Flashback.39 which is disguised as MacKeeper.

  • lytic Level 1 (5 points)
    Apr 9, 2012 2:13 AM (in response to MadMacs0)

    MadMacs0 wrote:

    lytic wrote:

    Submit your Mac UUID to this Express-check form.

    Doctor Web will check if there was a connection from your computer to the botnet control server.

    First I wanted to pass on my thanks for providing this service to the Mac Community. It should prove to be very useful. But I do want to also make some observations concerning feedback I'm getting on this site. Sorry to do so in such a public manner, but I don't know any other way of communicating with you.

    I've had a couple of users get back to me saying that you did not find them in your database, therefore they were clean and going about business as usual. If I understand the methodology you used correctly then your database may contain as little as 5% of the 600,000 you estimated were infected at the time. If that is correct I think you need to add emphasis on the site that users who are not identified in your database need to take further steps to check, such as downloading Dr.Mac Light.

    Next, some of us are paranoid about entering identity information on any site for any reason. Nowhere on the web site is there a link to your privacy policy explaining to us what you will do with this information. Not a complete solution, but much better than nothing.

    Also, it doesn't comfort us to find that the url given is not https: (i.e. using SSL) so our UUID is being broadcast over the internet in the clear. I'm not aware of any way that such information can be exploited (other than what's currently going on with Flashback), nevertheless it's still identity information and sooner or later somebody will figure it out.

    And when I attempt to force SSL I get this:

    [screenshot: Picture 2.png]

    So if you can persuade the powers that be to update the site you'll turn a good service into a great one, IMHO.

    Thanks for your advice! We didn't have much time last week. We will try to make the service better.

  • X423424X Level 6 (14,190 points)
    Apr 9, 2012 9:04 PM (in response to chadonline)

    If you elect to block it with Little Snitch then block "Any connection", forever.  But it is better to just delete the app entirely.  In terminal:

    rm -rf ~/.resrv

    You should also delete the launch agent in your Library/LaunchAgents.  But this thread has gone on so long I don't remember which launch agent that was at this point.  If it wasn't mentioned (not going back 15 pages to find out) then copy/paste this in the terminal:

    grep "/Users/$USER/\..*" ~/Library/LaunchAgents/* | grep -v "/Users/$USER/\.Trash"

    It will tell you which launch agent it is.  The output should reference /Users/chadonline/.resrv.

    Once you delete the launch agent, log out and back in.  Then all this .resrv stuff will be history and you don't have to have the Little Snitch rule.
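The hunt X423424X describes above (a LaunchAgent whose program lives in a hidden directory under the home folder, with ~/.Trash ignored), written out as an added example; it is not part of the thread or of anyone's post. It uses only POSIX sh, sed and grep rather than defaults/plutil, so it also runs off a Mac and only understands XML plists. The LaunchAgents folder it builds is constructed sample data with hypothetical agent names and paths modelled on the thread (com.example.updater, com.adobe.reader pointing at /Users/chadonline/.rserv/.rserv, and com.example.leftover pointing into .Trash); on a real Mac pass your own ~/Library/LaunchAgents and $HOME instead.

```shell
#!/bin/sh
# Added example, not from the thread: find LaunchAgents whose program path is a
# hidden directory under the user's home, which is what X423424X's grep looks for.
# Only POSIX sh, sed and grep are used, so it runs without defaults/plutil
# (XML plists only).

# find_hidden_home_agents DIR HOME
# For each .plist in DIR, pull out every <string>...</string> value and report
# those under HOME/.<hidden>, skipping HOME/.Trash (the Trash is hidden too and a
# trashed app is not a persistence mechanism). Prints "plist<TAB>path" lines.
# Returns 0 if at least one agent was reported, 1 if none.
find_hidden_home_agents() {
    agents_dir=$1
    home_dir=$2
    found=1
    for plist in "$agents_dir"/*.plist; do
        [ -f "$plist" ] || continue
        # One <string> value per line is assumed (Apple's own plist layout).
        hits=$(sed -n 's/.*<string>\([^<]*\)<\/string>.*/\1/p' "$plist" |
            while IFS= read -r value; do
                case $value in
                    "$home_dir"/.Trash*) ;;
                    "$home_dir"/.*) printf '%s\t%s\n' "$plist" "$value" ;;
                esac
            done)
        if [ -n "$hits" ]; then
            printf '%s\n' "$hits"
            found=0
        fi
    done
    return $found
}

# make_sample_agents DIR
# Constructed sample data (hypothetical names/paths modelled on the thread):
# a benign agent, one pointing into a hidden dir, one pointing into the Trash.
make_sample_agents() {
    mkdir -p "$1"
    cat > "$1/com.example.updater.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key><array>
    <string>/Applications/Example.app/Contents/MacOS/updater</string>
  </array>
</dict></plist>
EOF
    cat > "$1/com.adobe.reader.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.adobe.reader</string>
  <key>ProgramArguments</key><array>
    <string>/Users/chadonline/.rserv/.rserv</string>
  </array>
  <key>RunAtLoad</key><true/>
</dict></plist>
EOF
    cat > "$1/com.example.leftover.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Label</key><string>com.example.leftover</string>
  <key>ProgramArguments</key><array>
    <string>/Users/chadonline/.Trash/OldTool.app/Contents/MacOS/oldtool</string>
  </array>
</dict></plist>
EOF
}

# Usage: agent_hunt.sh [LaunchAgents-dir] [home-dir]
# With no arguments it runs against the constructed sample instead of ~/Library.
main() {
    if [ $# -ge 1 ]; then
        find_hidden_home_agents "$1" "${2:-$HOME}"
    else
        tmp=$(mktemp -d)
        make_sample_agents "$tmp/LaunchAgents"
        find_hidden_home_agents "$tmp/LaunchAgents" /Users/chadonline
        rm -rf "$tmp"
    fi
}

main "$@"
```

Against the sample it prints one line, the com.adobe.reader.plist agent and the /Users/chadonline/.rserv/.rserv path it launches; the agent pointing into .Trash is deliberately not reported, the same exclusion the grep -v in the post makes. Once you know the plist name you can remove it (and the hidden directory) and log out and back in as the post says.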

  • MadMacs0 Level 4 (3,350 points)
    Apr 9, 2012 9:13 PM (in response to chadonline)

    chadonline wrote:

    If I understand correctly ".rserv" is malware and should be blocked from connecting to the websites? Am I correct?

    I tried to kill these process IDs for .rserv but they change and I can't get the correct ones. I also attached three screen shots which show the websites it wants to connect to (sites vary every day).

    Thanks for posting those as it verifies my latest theory that the process contacts a variety of servers either in rotation or at random. Also note that the IPs might even be the actual bad guys.

    Waded back and found the LaunchAgent...it's "com.adobe.reader" with a lower case "R".

  • X423424X Level 6 (14,190 points)
    Apr 9, 2012 10:03 PM (in response to MadMacs0)

    Thanks for hunting that down.  Ok, so chadonline, here are both deletes to remove this stuff:

    rm -rf ~/.resrv

    rm -rf ~/Library/LaunchAgents/com.adobe.reader

    Again, remember to logout and log back in after deleting the launch agent.

  • easthollow
    Apr 10, 2012 3:21 PM (in response to X423424X)

    I don't see how having this value means I'm infected:

    [mac]$ defaults read ~/.MacOSX/environment

    {

       PATH = "/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin:/opt/local/bin:/usr/local/git/bin";

    }

    seems to be just a path variable...

  • X423424X Level 6 (14,190 points)
    Apr 10, 2012 3:49 PM (in response to easthollow)

    Whoever said having that implied you were infected?

    By any chance do you use BBEdit?  I just read that BBEdit utilized the environment.plist machinery (but I don't have later BBEdit's so I cannot verify that).  It is not a trojan.  They use it for their own purposes.

    That path list includes a reference to git.  So are you using some git package?  Again, it's a "legal" use of environment.plist for its purposes too.

    Of course if you cannot explain who created that path list I would remove it.  May not be trojan related but personally I don't like unexplained stuff installed into my system and would just remove it.  See what breaks.  And then if I decide that was the cause, put it back if I really want whatever broke to work again.  That's a general statement.  I definitely don't want something else messing with the $PATH that I set up in my own shell environment.

    These are rare instances (well maybe not so rare if BBEdit is actually doing this).  For the vast majority of users there is no ~/.MacOSX directory so that publicized defaults read is "good enough".  Heck, that seemed to be a fairly unknown mechanism until all this trojan stuff occurred.  Now I guess everyone knows about it.

  • easthollow Level 1 (0 points)
    Apr 10, 2012 3:57 PM (in response to X423424X)

    I believe you said that, here:

    https://discussions.apple.com/message/18053802?ac_cid=142432#18053802

    For the two defaults command if you get anything other than a "does not exist" error message post the results since you are almost certainly infected.

    Perhaps I misread what you meant?

  • X423424X Level 6 (14,190 points)
    Apr 10, 2012 4:08 PM (in response to easthollow)

    You didn't misread it.  But see my last paragraph in my previous post.  It's hard to describe a set of instructions that doesn't turn everyone off from trying and summarize the general results briefly.  Those cover the majority of users.  There are always exceptions.  That's what followup posts like yours are for.  I really didn't want to clutter up the general results with possible exceptions.

    Oh, in that line you quoted, I did say "almost"!

  • fane_j Level 4 (3,655 points)
    Apr 10, 2012 4:15 PM (in response to X423424X)

    easthollow wrote:

    I don't see how having this value means I'm infected:

    You're not. The presence of <~/.MacOSX/environment.plist> is not an indication of infection, only the presence of the DYLD_INSERT_LIBRARIES key in this file is an indication of infection. Note again that the presence of this key in another file is also not necessarily an indication of infection. But the key is primarily designed for testing, so it shouldn't be present in the config file of a finished app like Safari or Chrome.

    X423424X wrote:

    personally I don't like unexplained stuff installed into my system

    My feelings exactly. I would do as X423424X suggests, unless you know already what requires it.

    that seemed to be a fairly unknown mechanism until all this trojan stuff occurred.

    Well, it was not unknown to those who needed it. It's even had a GUI for quite a while now:

    <http://www.rubicode.com/Software/RCEnvironment/>

    It's the only way to set per-user environment variables for GUI apps.
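The distinction fane_j draws (a ~/.MacOSX/environment.plist that only sets PATH, like easthollow's, is not an indicator; a DYLD_INSERT_LIBRARIES key in that file, or in the plist of a shipped application, is), written out as an added example that is not part of the thread or of anyone's post. It reads XML plists with tr and sed so it runs on any POSIX shell; on a real Mac the `defaults read ~/.MacOSX/environment DYLD_INSERT_LIBRARIES` check the thread uses also handles binary plists and prints a "does not exist" error when the key is absent, so prefer it there. The sample tree (a PATH-only environment.plist, a clean Example.app, and a Browser.app whose Info.plist carries an LSEnvironment entry injecting /Users/chadonline/.hidden/inject.dylib) is constructed with hypothetical names; none of it comes from a real infection.

```shell
#!/bin/sh
# Added example, not from the thread: locate DYLD_INSERT_LIBRARIES in a user's
# environment.plist and in app bundles' Info.plist (LSEnvironment), the indicator
# fane_j describes. XML plists only; tr and sed are the only tools needed.

# dyld_insert_value FILE
# Print the <string> that follows <key>DYLD_INSERT_LIBRARIES</key> in an XML plist.
# The file is flattened to one line first so key and value may sit on different
# lines. Returns 0 when the key is present, 1 when it is absent or FILE is missing.
dyld_insert_value() {
    [ -f "$1" ] || return 1
    value=$(tr '\n' ' ' < "$1" |
        sed -n 's/.*<key>DYLD_INSERT_LIBRARIES<\/key>[[:space:]]*<string>\([^<]*\)<\/string>.*/\1/p')
    [ -n "$value" ] || return 1
    printf '%s\n' "$value"
}

# scan_dyld_insert HOME APPS_DIR
# Check HOME/.MacOSX/environment.plist and every APPS_DIR/*.app/Contents/Info.plist.
# Prints "file<TAB>library" per hit; returns 0 if anything was found, 1 if clean.
# A PATH-only environment.plist produces no output: that file alone is not a sign.
scan_dyld_insert() {
    home_dir=$1
    apps_dir=$2
    clean=1
    for f in "$home_dir/.MacOSX/environment.plist" "$apps_dir"/*.app/Contents/Info.plist; do
        if lib=$(dyld_insert_value "$f"); then
            printf '%s\t%s\n' "$f" "$lib"
            clean=0
        fi
    done
    return $clean
}

# make_sample_tree ROOT
# Constructed sample (hypothetical names and paths, not from a real infection):
# ROOT/home/.MacOSX/environment.plist with only PATH, like easthollow's;
# ROOT/Applications/Example.app clean; ROOT/Applications/Browser.app injected.
make_sample_tree() {
    mkdir -p "$1/home/.MacOSX" "$1/Applications/Example.app/Contents" \
             "$1/Applications/Browser.app/Contents"
    cat > "$1/home/.MacOSX/environment.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PATH</key>
  <string>/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/X11/bin</string>
</dict></plist>
EOF
    cat > "$1/Applications/Example.app/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.app</string>
  <key>CFBundleExecutable</key><string>Example</string>
</dict></plist>
EOF
    cat > "$1/Applications/Browser.app/Contents/Info.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleIdentifier</key><string>com.example.browser</string>
  <key>LSEnvironment</key>
  <dict>
    <key>DYLD_INSERT_LIBRARIES</key>
    <string>/Users/chadonline/.hidden/inject.dylib</string>
  </dict>
</dict></plist>
EOF
}

# Usage: dyld_check.sh [home-dir] [applications-dir]
# With no arguments it scans the constructed sample tree instead of the real system.
main() {
    if [ $# -ge 1 ]; then
        scan_dyld_insert "$1" "${2:-/Applications}"
    else
        tmp=$(mktemp -d)
        make_sample_tree "$tmp"
        scan_dyld_insert "$tmp/home" "$tmp/Applications"
        rm -rf "$tmp"
    fi
}

main "$@"
```

Against the sample it reports only Browser.app's Info.plist and the dylib it injects; the PATH-only environment.plist is silent, which is the point fane_j makes. A legitimate owner of environment.plist (the RCEnvironment tool, or the BBEdit and git cases X423424X mentions) sets variables like PATH, not DYLD_INSERT_LIBRARIES, so a hit from this scan is worth explaining before you decide it is benign.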

  • WZZZ Level 6 (11,900 points)
    Apr 11, 2012 5:27 AM (in response to WZZZ)

    Apple develops tool to 'detect and remove' Flashback Trojan

    http://www.bbc.co.uk/news/technology-17675314
