=== Application Level Compromise ===

When investigating a server it is EXTREMELY important to take note of the processes running on it. \\
A lot of application-level compromises end up with a perl process masquerading as some other process: a perl script can overwrite its own name by assigning to $0, and that rewritten name is what ps prints.

The best way to explain this is with an example:

<code>
# cat /tmp/example.pl
#!/usr/bin/perl
$0 = "FakeApache";   # overwrite the name that ps will display for this process
sleep(60);
</code>

We can then run this script as a different user:

<code>
[root@lll-new ~]# sudo -i -u LLL perl /tmp/example.pl &
[1] 29923
</code>

The job PID the shell reports (29923) belongs to sudo; the perl child it started is 29924, and that is the process you will see in ps. As the output below shows, if the script had named itself "apache" instead of "FakeApache", you would be hard pressed to notice it being out of place:

<code>
[root@lll-new ~]# ps aux | grep Fake
LLL      29924  0.0  0.0 129712  1840 pts/0    S    12:52   0:00 FakeApache
</code>

Take the PID of the process and check where its exe link under /proc points to find out whether it is suspicious. A genuine "apache" process should resolve to a binary with apache (or httpd) in its path, NOT perl:

<code>
[root@lll-new ~]# ll /proc/29924/exe
lrwxrwxrwx. 1 LLL LLL 0 Oct 12 12:55 /proc/29924/exe -> /usr/bin/perl
[root@lll-new ~]#
</code>

Two caveats when doing this check. \\
First, the exe link is the one name the process cannot rewrite from user space: /proc/PID/cmdline shows the same doctored string as ps, and on Linux the kernel's short task name in /proc/PID/comm can be changed by the process as well, so neither proves anything. Reading another user's /proc/PID/exe requires root (or the same uid). A target ending in " (deleted)" means the binary was unlinked after the process started, which is common for dropped malware and worth a look on its own. \\
Second, exe tells you which file is running, not whether that file is what its name claims. An attacker can copy the interpreter to a plausible-looking path, so confirm the binary with the package manager (rpm -qf and rpm -Vf on RHEL-style systems, dpkg -S on Debian-style ones) and, if in doubt, look for libperl in /proc/PID/maps.
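The same exe-versus-displayed-name check, automated across every PID, as an added example that is not part of the original page. It is a POSIX shell script that assumes a Linux /proc and coreutils (readlink, tr, head, awk); run it as root, since other users' /proc/PID/exe links are otherwise unreadable and those processes are skipped. It treats the exe link as ground truth and compares it against both argv[0] (what ps aux prints) and /proc/PID/comm, since either of those can be rewritten by the process. The names and paths in the comments are constructed fixtures, not output from a real incident.

```shell
#!/bin/sh
# Added example, not from the original page: walk /proc and flag processes
# whose displayed name disagrees with the binary behind /proc/PID/exe.
# Assumes a Linux /proc; run as root to see other users' processes.

# Decide whether the names a process shows agree with its real binary.
#   $1 = target of /proc/PID/exe   (e.g. /usr/bin/perl)
#   $2 = argv[0], what ps aux prints (e.g. FakeApache)
#   $3 = /proc/PID/comm, the kernel task name, capped at 15 bytes
# Returns 0 when they agree, 1 when the process appears renamed.
names_agree() {
    exe_base=${1##*/}
    argv0_base=${2##*/}
    comm=$3
    # Normal case: argv[0] is the binary itself ("perl", "/usr/sbin/httpd").
    [ "$exe_base" = "$argv0_base" ] && return 0
    # Normal case: comm matches the binary name exactly ("-bash" vs comm "bash") ...
    [ "$exe_base" = "$comm" ] && return 0
    # ... or is its 15-byte truncation ("systemd-journal" for systemd-journald).
    if [ "${#comm}" -eq 15 ]; then
        case "$exe_base" in "$comm"*) return 0 ;; esac
    fi
    return 1
}

# Classify one process from its exe target, argv[0] and comm.
# Prints: ok | renamed | deleted (binary unlinked after the process started).
classify() {
    case "$1" in
        *" (deleted)") echo deleted; return 0 ;;
    esac
    if names_agree "$1" "$2" "$3"; then echo ok; else echo renamed; fi
}

# Read the three values for a live PID and print one report line.
# Returns 1 for kernel threads, processes that already exited, or PIDs we
# are not allowed to inspect (readlink on /proc/PID/exe fails without root).
inspect_pid() {
    pid=$1
    exe=$(readlink "/proc/$pid/exe" 2>/dev/null) || return 1
    # cmdline is NUL-separated; the first field is argv[0].
    argv0=$(tr '\0' '\n' < "/proc/$pid/cmdline" 2>/dev/null | head -n 1)
    comm=$(cat "/proc/$pid/comm" 2>/dev/null)
    printf '%-7s %-8s %-16s %-24s %s\n' \
        "$pid" "$(classify "$exe" "$argv0" "$comm")" "$comm" "$argv0" "$exe"
}

# Scan every PID and print the header plus every process that is not "ok".
scan_procs() {
    {
        printf '%-7s %-8s %-16s %-24s %s\n' PID VERDICT COMM ARGV0 EXE
        for d in /proc/[0-9]*; do
            inspect_pid "${d#/proc/}" || continue
        done
    } | awk 'NR == 1 || $2 != "ok"'
}

# Run the scan when executed directly:  sh exe_check.sh
[ "${1:-}" = "--no-scan" ] || scan_procs
```

Expect a handful of legitimate hits: daemons that set their own process title (nginx worker processes, postgres backends, some login shells) will show up as renamed. Those are entries to triage against the exe path and the package database, not to filter out, since a masquerading perl process looks identical in the ps output and only differs in the EXE column.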