Last month I wrote a program that wraps around the Perl executable, and all it does is copy files given to Perl, and then passes on control to Perl. I did this because we at The Office kept running into script kiddie Perl scripts consuming resources on our servers.
Checking the process wouldn't reveal much—they always start in /tmp and would be owned by the web server process, so we knew how they were coming in, just not where (i.e. which site was exploited). Worse, these scripts would be started up, then deleted once running, so viewing said scripts was impossible.
Thus, by wrapping the Perl executable to record as much information about each running script as possible, we could gather information about how they might be getting in.
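The wrapping approach described above, written out as an added example: this is a hypothetical POSIX sh wrapper, not the author's program, and the location of the real interpreter (REAL_PERL), the evidence directory (EVIDENCE_DIR) and the log format are all assumptions. It records the details the process list alone would not give (uid, cwd, parent pid, full arguments, so a `perl -e` one-liner is captured too) and keeps a copy of every script file named on the command line before handing control to the real perl, so a script that deletes itself once running still leaves a copy behind.

```shell
#!/bin/sh
# Hypothetical perl wrapper (added example, not the post author's program).
# Install as the "perl" binary after moving the real interpreter to
# REAL_PERL. Every invocation is logged and any script file named on the
# command line is copied to EVIDENCE_DIR before control passes on.

REAL_PERL="${REAL_PERL:-/usr/bin/perl.real}"             # assumed location of the real binary
EVIDENCE_DIR="${EVIDENCE_DIR:-/var/log/perl-wrapper}"    # assumed evidence directory

# Record who ran what, from where, and keep a copy of each script argument.
# Prints the number of files preserved so callers can check the result.
capture_invocation() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    stamp=$(date +%Y%m%d-%H%M%S)
    log="$dir/invocations.log"
    copied=0
    # uid, cwd and parent pid are what "ps" alone does not tell you about
    # a script that started in /tmp under the web server's account
    printf '%s uid=%s pid=%s ppid=%s cwd=%s args=%s\n' \
        "$stamp" "$(id -u)" "$$" "$PPID" "$(pwd)" "$*" >> "$log"
    for arg in "$@"; do
        # only regular, readable files are scripts worth preserving;
        # switches such as -w or -e are left to the log line above
        if [ -f "$arg" ] && [ -r "$arg" ]; then
            dest="$dir/$stamp-$$-$(basename -- "$arg")"
            cp -- "$arg" "$dest" && copied=$((copied + 1))
        fi
    done
    echo "$copied"
}

# Behave as the real perl only when installed under that name; logging
# failures must never stop the interpreter from running.
case "$(basename -- "$0")" in
    perl|perl5*)
        capture_invocation "$EVIDENCE_DIR" "$@" >/dev/null 2>&1
        exec "$REAL_PERL" "$@"
        ;;
esac
```

The evidence directory should be writable by the web server account but not readable by it, and the wrapper should never fail open into "no perl at all": the `exec` runs regardless of whether the capture succeeded.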
And tonight, we finally caught one! And better still—we know which site was exploited!
Now begins the process of finding out which PHP script (sigh—it figures) is poorly written.
Oh, by the way, Happy Easter!