Apache2 Backdoor - Apache normally runs one root process, which spawns several other non-root processes, to handle requests. What mod_rootme does is when it loads, it takes advantage of the fact that it’s root for a moment, and spawns a second root Apache process (easy enough to detect for a wary sysadmin). This second Apache process just waits for an appropriate request, and spawns the shell. There’s also a hook that listens to all incoming traffic in place, waiting for the appropriate time to activate the shell. All in all pretty cool, but as noted, it’s reasonably detectable.