chadonline

Q: .rserv wants to connect to cuojshtbohnt.com

I have the message:

.rserv wants to connect to cuojshtbohnt.com

what is .rserv?  I googled it and couldn't locate anything legitimate.

thanks

MacBook Pro, Mac OS X (10.6.8)

Posted on Mar 31, 2012 3:18 PM


first Previous Page 4 of 16 last Next
  • by fane_j, Level 4 (3,672 points), Mar 31, 2012 11:02 PM in response to X423424X

    X423424X wrote:

    Why use the id "com.adobe.Reader" if it wasn't associated with Adobe Reader?

    It isn't, it's "com.adobe.reader". The identifier can be any unique string.

  • by bgw1, Level 1 (0 points), Mar 31, 2012 11:09 PM in response to fane_j

    That does not ring a bell.  For now, I'll just delete the .rserv file.  It never got through Little Snitch (thank you, Little Snitch). Not sure what would have happened if it had connected.  And Find Any File found it right away.

    Thanks, everyone, for your help!

  • by fane_j, Level 4 (3,672 points), Mar 31, 2012 11:09 PM in response to bgw1

    bgw1 wrote:

    There is no Adobe .plist file at the locations you asked about. […]

    Did you see my earlier post that I found the .rsvr file, it's 59.9K […]

    If the file you found is named ".rsvr", not ".rserv", then, as I believe X423424X said, it could be a different matter. It also could be the same malware, but not necessarily implemented in the same way. We do know that, with this threat, file names vary.

    Likewise with the plist. If it's there, the plist itself may be named something else. trungson showed how to look for it with grep. If the malware file is ".rsvr", then it's

    $ grep -r 'rsvr' ~/Library/LaunchAgents/

    (where $ is your prompt).

  • by X423424X, Level 6 (14,237 points), Mar 31, 2012 11:28 PM in response to fane_j

    fane_j wrote:

    The plist has nothing to do with Adobe Reader. The Label key is a unique identifier, required by launchd to keep track of agents. But it can be any string. If launchd's database is case-sensitive, and the Adobe Reader identifier is, as I suspect, com.adobe.Reader, then it's enough.

    The CFBundleIdentifier for Adobe Reader is indeed com.adobe.Reader.

    As to how it was installed… My bet would still be CVE-2011-3544.

    Yes, but who installed it?  I can't believe it is an Apple security update.  But since I use 10.6.5 and don't have any security updates beyond that I don't know for sure (10.6.5 because the App Store started in 10.6.6 -- another process that calls home without my permission, don't know when, don't know what it sends, possibly can bypass LS during boot time, back to Apple, my same paranoiac philosophy).

  • by bgw1, Level 1 (0 points), Mar 31, 2012 11:29 PM in response to fane_j

    No, it's one file, .rserv.  The other one was a typo once when referring to it.

    I ran the grep command and DID get the Adobe Reader .plist results.  There is the reference to .rserv buried right in the middle of it!

    Eirs-MacBook:~ EirUser$ grep -r 'rserv' ~/Library/LaunchAgents/
    /Users/EirUser/Library/LaunchAgents/com.adobe.reader.plist:<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"><plist version="1.0"><dict><key>Label</key><string>com.adobe.reader</string><key>ProgramArguments</key><array><string>/Users/EirUser/.rserv</string></array><key>RunAtLoad</key><true/><key>StartInterval</key><integer>4212</integer><key>StandardErrorPath</key><string>/dev/null</string><key>StandardOutPath</key><string>/dev/null</string></dict></plist>
    Eirs-MacBook:~ EirUser$
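The plist bgw1 posted is a complete launchd persistence entry: a Label borrowed from a legitimate product, ProgramArguments pointing at a hidden file at the top of the home directory, RunAtLoad plus a StartInterval, and both output paths sent to /dev/null. As an added example (not code from this thread or from any of the posters), the following Python script parses plists of this kind with the standard plistlib module and reports those traits, so the check fane_j described with grep can be run over a whole LaunchAgents folder. The two embedded plists are constructed samples: the first reproduces the content bgw1 posted (with the usual `<?xml ...?>` declaration that grep's single-line output omitted), the second is a hypothetical benign agent; the name com.example.updater and the wording of the reasons are the example's own.

```python
"""Flag launchd agents that start hidden files from a home directory.

Added example, not code from the thread: it parses the same kind of plist
that bgw1 posted and reports the traits that made it suspicious.
"""
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError

# Constructed sample: the agent bgw1 found, with the <?xml ...?> declaration
# that grep's single-line output omitted.
SUSPICIOUS_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.adobe.reader</string>
<key>ProgramArguments</key><array><string>/Users/EirUser/.rserv</string></array>
<key>RunAtLoad</key><true/>
<key>StartInterval</key><integer>4212</integer>
<key>StandardErrorPath</key><string>/dev/null</string>
<key>StandardOutPath</key><string>/dev/null</string>
</dict></plist>
"""

# Constructed, hypothetical benign agent for contrast (not a real product).
BENIGN_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
<key>Label</key><string>com.example.updater</string>
<key>ProgramArguments</key><array>
<string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string>
</array>
<key>StartInterval</key><integer>86400</integer>
</dict></plist>
"""


def inspect_agent(plist_path: Path) -> list:
    """Return human-readable reasons this agent deserves a look (empty if none)."""
    with open(plist_path, "rb") as fh:
        data = plistlib.load(fh)
    reasons = []

    # A Label that differs from the file name is unusual for installed software.
    label = data.get("Label", "")
    if label and label != plist_path.stem:
        reasons.append(f"Label {label!r} does not match file name {plist_path.name}")

    args = data.get("ProgramArguments") or []
    program = data.get("Program") or (args[0] if args else "")
    if program:
        parts = Path(program).parts
        if Path(program).name.startswith("."):
            reasons.append(f"hidden program file {program}")
        # ('/', 'Users', '<user>', '<file>'): a binary sitting directly in a home folder
        if len(parts) == 4 and parts[1] == "Users":
            reasons.append(f"program lives at the top of a home directory: {program}")
    else:
        reasons.append("no Program or ProgramArguments")

    # A recurring job that discards all of its own output leaves no trace in logs.
    silenced = (data.get("StandardOutPath") == "/dev/null"
                and data.get("StandardErrorPath") == "/dev/null")
    if silenced and ("StartInterval" in data or data.get("RunAtLoad")):
        reasons.append("recurring job with all output discarded")
    return reasons


def scan_launch_agents(directory: Path) -> dict:
    """Map each suspicious plist name in `directory` to its list of reasons."""
    findings = {}
    for path in sorted(Path(directory).glob("*.plist")):
        try:
            reasons = inspect_agent(path)
        except (plistlib.InvalidFileException, ValueError, ExpatError) as exc:
            reasons = [f"unparseable plist: {exc}"]
        if reasons:
            findings[path.name] = reasons
    return findings


def demo() -> dict:
    """Run the scan over a temporary folder holding the two constructed samples."""
    with tempfile.TemporaryDirectory() as tmp:
        agents = Path(tmp)
        (agents / "com.adobe.reader.plist").write_bytes(SUSPICIOUS_PLIST)
        (agents / "com.example.updater.plist").write_bytes(BENIGN_PLIST)
        return scan_launch_agents(agents)


if __name__ == "__main__":
    # On a real Mac, point scan_launch_agents at Path.home() / "Library" / "LaunchAgents".
    for name, reasons in demo().items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run against the two samples, only com.adobe.reader.plist is reported, with three reasons (hidden file, top-of-home location, silenced recurring job); the Label check stays quiet because the malware kept the file name and Label consistent, which is exactly why a grep for the file name rather than the label was the right first move.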

  • by X423424X, Level 6 (14,237 points), Mar 31, 2012 11:34 PM in response to bgw1

    You said you didn't have that launchagent!  That's what set off the wild goose chase.

  • by bgw1, Level 1 (0 points), Mar 31, 2012 11:52 PM in response to X423424X

    My apologies.  The request was for these three, and they only exist in the top level Library.  My answer was for these:

      /Library/LaunchAgents
      /Library/LaunchDaemons
      /Library/StartupItems

    In addition, I was a little blind-sided because Adobe Reader is not on my machine so I wasn't really looking for that file.

    Anyway, after you asked me to grep for .rsev, I did find the Adobe Reader .plist file.  I had to go into Onyx to turn on hidden files in order to browse the Users/Library and look for the arrival date of the file in Time Machine.

    The file showed up on Friday, March 30 according to Time Machine.  It was not on the machine before that.

  • by fane_j, Level 4 (3,672 points), Mar 31, 2012 11:58 PM in response to X423424X

    X423424X wrote:

    who installed it?

    A Java applet would be my guess. As it's in the user's home directory, no special permissions or authentication would be required.

    Talking of Java. Everyone, would you check your version

    $ java -version

    The latest SL should be

    java version "1.6.0_29"

    in which this vulnerability was supposed to have been fixed.

    Also, could you check the Java (not JavaScript, which is a different beast) settings in all your browsers?

    In Safari, it's Safari > Preferences > Security > Web Content > Enable Java

  • by trungson, Level 1 (0 points), Apr 1, 2012 12:00 AM in response to chadonline

    I found some additional details from "Applications/Utilities/Console" under "All Messages", around the time the file was created. It does look like it's with Java (CVE-2011-3544) as suggested.

    3/31/12 4:36:28 PM firefox[189] Process manager already initialized -- can't fully enable headless mode.
    3/31/12 4:36:40 PM Firewall[77] java is listening from ::ffff:0.0.0.0:0 proto=6
    3/31/12 4:38:27 PM com.apple.launchd.peruser.501[105] (com.adobe.reader[3712]) Exited with exit code: 1

    I have Mac 10.6.8, Java is from Apple 1.6.0_29 (don't think I can upgrade to 1.7 since it's Apple's Java). I just disabled Java in the browsers (Firefox, Chrome, Safari) but still don't know where I got infected from and if it accessed/downloaded anything and how to really fix this.
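As an added example (not from trungson's post or from anyone else in the thread), the following Python script parses Console lines in the layout shown above and reports launchd jobs that exited shortly after the firewall logged Java opening a listening socket, which is the sequence trungson read by eye: browser, then Java listening, then the com.adobe.reader agent running and exiting. The first three sample lines are the ones quoted above with their spacing restored; the fourth (com.example.backup) is a constructed, unrelated entry that shows the time window excluding it. The five-minute window is an assumption of this example, not something the thread states.

```python
"""Correlate Console lines around a suspected Java-applet infection.

Added example, not from the thread: it parses lines in the layout trungson
posted and reports launchd jobs that exited shortly after Java started
listening on a socket.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in the Console "All Messages" layout. The first three
# lines are the ones quoted in the thread (spacing restored); the fourth is a
# hypothetical, unrelated entry that falls outside the default time window.
SAMPLE_LINES = [
    "3/31/12 4:36:28 PM firefox[189] Process manager already initialized -- can't fully enable headless mode.",
    "3/31/12 4:36:40 PM Firewall[77] java is listening from ::ffff:0.0.0.0:0 proto=6",
    "3/31/12 4:38:27 PM com.apple.launchd.peruser.501[105] (com.adobe.reader[3712]) Exited with exit code: 1",
    "3/31/12 5:10:02 PM com.apple.launchd.peruser.501[105] (com.example.backup[4001]) Exited with exit code: 0",
]

# "<date> <time> <AM|PM> <process>[<pid>] <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{1,2}/\d{1,2}/\d{2} \d{1,2}:\d{2}:\d{2} [AP]M) "
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\] (?P<msg>.*)$"
)
# launchd's per-job exit message: "(<label>[<pid>]) Exited with exit code: <n>"
JOB_RE = re.compile(r"^\((?P<label>[^\[]+)\[\d+\]\) Exited with exit code: (?P<code>\d+)")


def parse_line(line: str):
    """Split one Console line into (timestamp, process, pid, message); None if it doesn't fit."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%y %I:%M:%S %p")
    return ts, m["proc"], int(m["pid"]), m["msg"]


def correlate(lines, window=timedelta(minutes=5)):
    """Return (label, seconds after Java began listening, exit code) for every
    launchd job that exited within `window` after a firewall 'java is listening' event."""
    events = [e for e in (parse_line(ln) for ln in lines) if e]
    listens = [ts for ts, proc, _, msg in events
               if proc == "Firewall" and "java is listening" in msg]
    hits = []
    for ts, proc, _, msg in events:
        if not proc.startswith("com.apple.launchd"):
            continue
        job = JOB_RE.match(msg)
        if not job:
            continue
        for t0 in listens:
            delta = ts - t0
            if timedelta(0) <= delta <= window:
                hits.append((job["label"], delta.total_seconds(), int(job["code"])))
                break
    return hits


if __name__ == "__main__":
    for label, seconds, code in correlate(SAMPLE_LINES):
        print(f"{label}: exited {seconds:.0f}s after Java began listening (exit code {code})")
```

On the sample, the only hit is com.adobe.reader, 107 seconds after the firewall entry; the exit code of 1 is consistent with the agent having run and failed, which matches bgw1's report that Little Snitch blocked its connection. Widening the window to an hour pulls in the constructed com.example.backup entry, a reminder that the window is a triage aid and each hit still needs the plist check to confirm what actually ran.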

  • by X423424X, Level 6 (14,237 points), Apr 1, 2012 12:05 AM in response to bgw1

    bgw1 wrote:

    My apologies.  The request was for these three, and they only exist in the top level Library.  My answer was for these:

    The link I pointed (here's that link again) at in my above post explicitly said right at the beginning:

    In ~/Library/LaunchAgents/, there is only Little Snitch and Splashtop.

    At any rate trash the thing and be done with it.  Or leave it in or block or not block with Little Snitch.  Your decision.

    Personally, I would trash it.

  • by bgw1, Level 1 (0 points), Apr 1, 2012 12:10 AM in response to fane_j

    Seems to be the right version.

    Eirs-MacBook:~ EirUser$ java -version
    java version "1.6.0_29"
    Java(TM) SE Runtime Environment (build 1.6.0_29-b11-402-11D50b)
    Java HotSpot(TM) 64-Bit Server VM (build 20.4-b02-402, mixed mode)
    Eirs-MacBook:~ EirUser$

    It is enabled in Safari Preferences.

    What about Chrome?

  • by bgw1, Level 1 (0 points), Apr 1, 2012 12:25 AM in response to trungson

    FWIW, I used the Find Any File application to find and delete .rserv.  I also deleted the com.adobe.reader.plist.

    As for how to prevent another infection, I don't know the answer to that, but I will definitely keep Little Snitch running to prevent it from calling home.

  • by bgw1, Level 1 (0 points), Apr 1, 2012 12:25 AM in response to bgw1

    Thanks everyone for your help.

  • by fane_j, Level 4 (3,672 points), Apr 1, 2012 12:34 AM in response to trungson

    trungson wrote:

    I found some additional details from "Applications/Utilities/Console" under "All Messages", around the time the file was created. […]

    I have Mac 10.6.8, Java is from Apple 1.6.0_29 […]

    Good work, but bad news. CVE-2011-3544 was supposed to have been fixed after update 27, so either it hasn't been really fixed, or they use another vulnerability. IMHO, that's serious stuff, and I'm considering whether or not I should remove Java altogether.

    bgw1 wrote:

    It is enabled in Safari Preferences.

    What about Chrome?

    Disable it in Safari right away. I don't know about Chrome, but check this

    <http://www.maclife.com/article/howtos/how_disable_java_your_mac_web_browser>

  • by trungson, Level 1 (0 points), Apr 1, 2012 12:49 AM in response to fane_j

    I agree that it is a bit worrisome since it might be a new variant. The hexdump plaintext for .rserv is here:

    http://pastebin.com/TVkbfYSn
