Bizarre File Keeps Appearing In Home Directory

Every once in a while, a file called C:\nppdf32Log\debuglog.txt appears in my home directory.
Yes, it is called like that. This obviously looks like something trying to write to a Windows
path. Is it a security compromise?

The machine is running OpenSUSE 12.1 64-bit with all updates applied.

Thanks in advance!

idanan wrote:
> Every once in a while, a file called C:\nppdf32Log\debuglog.txt appears
> in my home directory.
> Yes, it is called like that. This obviously looks like something trying
> to write to a Windows
> path. Is it a security compromise?
>
> The machine is running OpenSUSE 12.1 64-bit with all updates applied.
>
> Thanks in advance!

If you had typed nppdf32Log into Google, it would have told you that it’s
Acrobat Reader’s fault. Why am I not surprised?

Thanks! Now I feel silly. I typed it but think I must have missed a ‘P’ and got nothing. Guess I can stop being paranoid about this file though.

I think I also found it in /root
!

On 2012-04-27 19:56, caf4926 wrote:
>
> I think I also found it in /root
> !

I have it in my home, not in root (yet). I deleted it.
Funny!


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

caf4926 wrote:
> I think I also found it in /root
> !

Hmm, the obvious wild guess is - who’s been running Adobe Reader as root
then?

Apologies if I’ve just insulted you :)

No
Never

Strange for sure

Someone filed a bug for it: https://bugzilla.novell.com/show_bug.cgi?id=757393

On 04/30/2012 11:34 AM, Dave Howorth wrote:
> caf4926 wrote:
>> I think I also found it in /root
>> !
>
> Hmm, the obvious wild guess is - who’s been running Adobe Reader as root
> then?

it was a good guess Dave, but while i don’t know about ‘idanan’ i can
assure you that i’ve never run any Adobe exec as root, and today (when
i check) i’m surprised to see:


_@linux-os114:~> locate nppdf32Log
/C:\nppdf32Log\debuglog.txt
/home/_/Documents/C:\nppdf32Log\debuglog.txt
_@linux-os114:~>

so ??

Here it is
Actually it’s just /

SUSE Paste

On 2012-04-30 15:00, @no-mx.forums.opensuse.org wrote:

> so ??

Who are you? :)

I guess you are using the nntp gateway for the first time, but you forgot to put your
alias in front of “@no-mx.forums.opensuse.org”.

Re your problem, obviously, some part of acrobat or the calling app is
running as root.

One way to impede this could be to jail acroread with AppArmor.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 04/30/2012 03:28 PM, Carlos E. R. wrote:
> One way to impede this could be to jail acroread with AppArmor.

or write a bug to Adobe…like that would help!

[btw: can now confirm that TBird v12.0 is born without the ability to
delete usenet posts, but the fix is known,
http://ilias.ca/blog/2011/07/deleting-individual-newsgroup-messages-in-thunderbird/]
and therefore my just previous post has been deleted from the nntp server.

caf4926 wrote:
> Here it is
> Actually it’s just /
>
> ‘SUSE Paste’ (http://paste.opensuse.org/41754256)

That’s a bit worrying. It shouldn’t be able to write there. If it can,
then so can something even more evil. So it’s probably worth trying to
track down exactly what’s happened.
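
One way to start the tracking-down suggested above, as an added example that is not part of the thread: a shell function that lists every file whose name is itself a Windows-style path, with owner and modification time, so a root-owned copy stands out. GNU find is assumed for -printf, and the function name find_winpath_names is made up here.

```shell
#!/bin/sh
# Added example (not from the thread). Requires GNU find for -printf.
# Lists files whose *name* is a Windows-style path, such as
# C:\nppdf32Log\debuglog.txt, together with owner and mtime, so you can
# see which account wrote each copy and when.
# Usage: find_winpath_names DIR...   e.g. find_winpath_names / /root "$HOME"
find_winpath_names() {
    # -xdev : stay on the filesystem of each start directory
    # -name : one drive letter, ':', a literal backslash, then anything
    find "$@" -xdev -type f -name '[A-Za-z]:\\*' \
        -printf '%U\t%u\t%TY-%Tm-%Td %TH:%TM\t%p\n' 2>/dev/null |
    while IFS="$(printf '\t')" read -r uid user mtime path; do
        # A root-owned copy means a process running as root (for example
        # a package update) wrote it, which is the case the thread is
        # worried about.
        if [ "$uid" -eq 0 ]; then note="root-owned"; else note="user-owned"; fi
        printf '%s\t%s\t%s\t%s\n' "$note" "$user" "$mtime" "$path"
    done
}

# Scan only when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    find_winpath_names "$@"
fi
```

Comparing the modification time of a root-owned hit with the package manager's update history shows whether the file dates from an update run.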

> It shouldn’t be able to write there. If it can, then so can something even more evil.

my reading of <https://bugzilla.novell.com/show_bug.cgi?id=757393>
leads me to conclude the / entry occurred during an update of acroread
(updates being performed by root, it can write its ‘logs’ wherever it
wishes)…

imho THAT door needs to be closed…
[else someone will use it to load a rootkit!]

On 2012-04-30 15:45, @no-mx.forums.opensuse.org wrote:

Please, add a name. I have no idea who I’m talking to.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)