Status
Not open for further replies.
1 - 4 of 4 Posts

·
Registered
Joined
·
2,028 Posts
Discussion Starter #1
I had an FTP running for HDTV work and experimentation and I found this file on my computer. It was an active server script according to its extension. Can anyone tell if it's dangerous? To me it just appears to be reporting drive name and size and type info but not transferring any data.


Also on the FTP directory I found a .pif file or somesuch with the text "testtesttest" repeated about 50 times in it. Looks like someone was able to upload a program and execute it on my machine remotely. That has me a bit more concerned. I thought all FTP servers had remote execution turned off. Especially Win 2000 FTP servers.


Anyway, here is the script:


For each d in drv
    If d.Driveletter <> "A" Then
        If d.IsReady = True Then
            freespace = (d.AvailableSpace / 1024)
            free = (freespace / 1024)
            totalspace = (d.TotalSize / 1024)
            total = (totalspace / 1024)
            Response.Write "<tr><td nowrap><font face=arial size=2><A href='dirwalkR.asp?id="& d.DriveLetter &"'>"& d.DriveLetter &"</a></td>"
            If d.DriveType = 3 Then
                dtype = "Network"
                If d.ShareName = "" Then
                    dname = " "
                Else
                    dname = d.ShareName
                End If
            ElseIf d.DriveType = 0 Then
                dtype = "Unknown"
                If d.VolumeName = "" Then
                    dname = " "
                Else
                    dname = d.VolumeName
                End If
            ElseIf d.DriveType = 1 Then
                dtype = "Removeable"
                If d.VolumeName = "" Then
                    dname = " "
                Else
                    dname = d.VolumeName
                End If
            ElseIf d.DriveType = 2 Then
                dtype = "Fixed"
                If d.VolumeName = "" Then
                    dname = " "
                Else
                    dname = d.VolumeName
                End If
            ElseIf d.DriveType = 4 Then
                dtype = "CD-Rom"
                If d.VolumeName = "" Then
                    dname = " "
                Else
                    dname = d.VolumeName
                End If
            ElseIf d.DriveType = 5 Then
                dtype = "RAM Disk"
                If d.VolumeName = "" Then
                    dname = " "
                Else
                    dname = d.VolumeName
                End If
            End If
            Response.Write "<td nowrap><font face=arial size=2>"& dtype &"</td><td nowrap><font face=arial size=2>"& dname &"</td><td nowrap><font face=arial size=2>"& Round(total,1) &" <font size=1>Megabytes</td><td nowrap><font face=arial size=2>"& Round(free,1) &" <font size=1>Megabytes</td><td nowrap><font face=arial size=2>"& d.FileSystem &"</td><td nowrap><font face=arial size=2>"& d.SerialNumber &"</td></tr>"
        Else
            Response.Write "<td nowrap><font face=arial size=2>"& d.DriveLetter &"</td><td colspan=6><font face=arial size=2>Drive not ready</td></tr>"
        End If
    End If
Next
Response.Write "</table>"
Response.Write "</body></html>"
%>



Tim
 

·
Registered
Joined
·
94 Posts
Wrong Assessment....


It actually looks to me a lot like Windows Web View. This is a file Windows puts in all folders so that users can have custom webviews per folder.


If you select, Show Web Content, this file is used as the form of the web content.


---------------

So more than likely, what happened is the remote pc was running Win 9X and using Internet Explorer 5+, with the SHOW REMOTE FOLDERS LIKE LOCAL FOLDERS (or some option like that) turned on. When it accessed the remote FTP, it made it a local folder, and since it had write access, it put in its basic webview template.

------------------

So, in estimation, you are your own hacker....hahahaha. I could be wrong though?


 

·
Registered
Joined
·
664 Posts
Quote:
Next

Response.Write "</table>"

Response.Write "</body></html>"

%>
Looks to me like server-side ASP code. (Note the "%>"). I don't see anything malicious about this file in particular, except that it would report all of your system's drive information to the viewer.


After doing a little searching on the web, that code is a sample file from this library:

http://demo.softartisans.com/demos/F...es/default.asp


Doesn't really answer why it was uploaded to your machine. Maybe it was just junk the hacker had lying around in his temp dir or something.


[This message has been edited by DJRobX (edited 05-21-2001).]
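
A triage pass over a writable FTP root of the kind discussed in this thread, as an added example that is not part of any post above: it flags uploads with extensions the server could execute, ASP content that reads several drive properties, and tiny files made of one repeated token. The extension list, the thresholds, and the sample files are assumptions constructed for illustration.

```python
import os, re, tempfile

# Assumed list: extensions Windows or IIS will run rather than just store.
EXEC_EXTS = {".asp", ".asa", ".pif", ".exe", ".com", ".bat", ".cmd", ".scr", ".vbs"}
# Drive-object properties read by the script posted in this thread.
DRIVE_PROPS = re.compile(
    r"\.(DriveLetter|DriveType|AvailableSpace|TotalSize|ShareName|VolumeName|SerialNumber)\b", re.I)
# One short token repeated ten or more times, like the "testtesttest" file.
PROBE = re.compile(r"(.{1,16}?)\1{9,}")

def triage_file(path):
    """Return the reasons a file in the upload area deserves a closer look."""
    reasons = []
    ext = os.path.splitext(path)[1].lower()
    if ext in EXEC_EXTS:
        reasons.append("executable-extension:" + ext)
    with open(path, "rb") as fh:
        text = fh.read(65536).decode("latin-1")
    if "<%" in text or "%>" in text:
        reasons.append("asp-delimiters")
    props = {m.group(1).lower() for m in DRIVE_PROPS.finditer(text)}
    if len(props) >= 3:  # several distinct properties, not one stray match
        reasons.append("drive-enumeration")
    if len(text) < 4096 and PROBE.fullmatch(text.strip()):  # probes are tiny
        reasons.append("write-probe")
    return reasons

def triage_tree(root):
    """Walk the FTP root and map relative path -> reasons for flagged files."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            reasons = triage_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings

def demo():
    samples = {  # constructed sample files, not taken from the poster's machine
        "drives.asp": "<% For Each d In drv\nResponse.Write d.DriveLetter & d.TotalSize & d.SerialNumber\nNext %>",
        "x.pif": "testtesttest" * 17,
        "capture01.ts": "constructed stand-in for a video capture",
    }
    with tempfile.TemporaryDirectory() as root:
        for name, body in samples.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return triage_tree(root)

if __name__ == "__main__":
    print(demo())
```

A flagged file is a prompt to check the FTP and web server logs for who uploaded it and whether it was ever requested, not proof of compromise on its own.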
 

·
Registered
Joined
·
2,028 Posts
Discussion Starter #4
Thanx you two. That puts my mind at rest a little. Maybe I will turn the ftp back on in a day or so. It didn't look evil but I wasn't sure if anyone could do anything with the information it was generating.


Tim
 