Hi,
I have a server that has been hacked and it's running a Perl IRC bot.
I know the PID but ps gives a forged program name and top shows only perl.
I tried running ps to show child/parent relationships but that program shows no parent.
lsof shows only dependent libraries that perl opened; netstat -antlp shows the forged program name.
/proc/$PID shows only perl and nothing relevant.
Any ideas on how to find it? I searched for all possible queries on Google but I'm running out of ideas.
ClamAV doesn't detect anything.
Thanks.
