Application Level Compromise

When investigating a server, it is EXTREMELY important to note the processes running on the device.
Many application-level compromises end up with a perl process masquerading as some other, legitimate-looking process.

The easiest way to show this is with an example:

 # cat /tmp/example.pl
 #!/usr/bin/perl
 # Assigning to $0 rewrites the process name that ps shows,
 # so this perl script appears as "FakeApache" instead of "perl /tmp/example.pl"
 $0 = "FakeApache";
 # keep the process alive long enough to inspect it
 sleep(60);

We could then run this script as a different user:

[root@lll-new ~]# sudo -i -u LLL perl /tmp/example.pl &
[1] 29923
As you can see from the output below, if we simply named it “apache” instead of “FakeApache”, you would be hard pressed to notice this being out of place:
[root@lll-new ~]# ps aux | grep Fake
LLL      29924  0.0  0.0 129712  1840 pts/0    S    12:52   0:00 FakeApache
You can check the PID of the process and its exe location (the /proc/PID/exe symlink) to find out whether it is suspicious. This “apache” process should have a binary location with apache in the name, NOT perl:
[root@lll-new ~]# ll /proc/29923/exe 
lrwxrwxrwx. 1 LLL LLL 0 Oct 12 12:55 /proc/29923/exe -> /usr/bin/perl
[root@lll-new ~]#
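The check above can be automated across every process on the box. The following script is an added example, not part of the original write-up: it walks /proc, reads each process's claimed name from /proc/PID/comm and the real binary from /proc/PID/exe, and lists the ones that claim a non-interpreter name while actually being perl, python, ruby, php or a shell. The function names and the --scan flag are my own; run it as root, since /proc/PID/exe of another user's process is not readable otherwise.

```shell
#!/bin/sh
# Triage helper: find processes whose name does not match the binary behind
# /proc/PID/exe. Constructed example; function names are assumptions.

# is_masquerading NAME EXE_PATH -> returns 0 (true) when NAME claims to be
# something other than the interpreter that EXE_PATH actually is.
is_masquerading() {
    name=$1
    exe=$2
    base=${exe##*/}             # basename of the executable
    base=${base% (deleted)}     # readlink appends " (deleted)" if the file is gone
    case "$base" in
        perl*|python*|ruby*|php*|bash|sh|dash)
            # interpreter binary: only suspicious if the name hides that fact
            case "$name" in
                "$base"*|perl*|python*|ruby*|php*|bash|sh|dash|-bash|-sh) return 1 ;;
                *) return 0 ;;
            esac ;;
    esac
    return 1
}

# scan_proc: print "PID<TAB>claimed name<TAB>real exe" for every suspicious process.
# Caveat: ordinary #!-scripts also show their script name as comm with a shell
# or interpreter as exe, so treat the output as a list to review, not a verdict.
scan_proc() {
    for d in /proc/[0-9]*; do
        pid=${d#/proc/}
        exe=$(readlink "$d/exe" 2>/dev/null) || continue   # kernel threads / no access
        read -r name < "$d/comm" 2>/dev/null || continue
        if is_masquerading "$name" "$exe"; then
            printf '%s\t%s\t%s\n' "$pid" "$name" "$exe"
        fi
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

Invoked as `sh findfake.sh --scan`, the FakeApache process from the example shows up as `29924<TAB>FakeApache<TAB>/usr/bin/perl`, while a real perl job launched as `perl job.pl` does not.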