The Quick and Dirty Personal Scan

A common technique used by some malware authors is to replace a normal system binary with one that takes additional or alternative actions. Many of them try to protect themselves by making their corrupted versions immutable in an attempt to make the infection harder to remove. Fortunately, this leaves traces behind that can be picked up by normal system tools.
Use the lsattr command to display the attributes of your system’s binary files in locations such as /bin, /sbin, and /usr/bin, as shown here.
Normal, non-suspicious output should look something like this.
You may need root privileges to scan some places like /sbin. If the output contains other attributes like s, i, or a, that could possibly be a sign that something is wrong, and you may wish to try a deeper scan as shown below.
To read about CHKrootkit and rootkit hunter
Read further on this website
sudo chkrootkit > mylogfile.txt
sudo rkhunter -c
Yes, so to help clean these up, as root you'll need to remove those s, i, or a attributes with:
root-shell# chattr -sia /usr/bin/whatever
Once those attributes have been removed (note, read about the attributes first and make sure the other tools warn you! /usr/bin/X11/ for example may intentionally have these set), you can once again manipulate those files to edit, delete, or whatever.
So then you have incorrect/compromised binaries? On a Debian system you can get older packages to manually download (wget http://...) and install (dpkg -i ___.deb) from http://snapshot.debian.org/
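
The lsattr check described at the top of this page, written as a small script that filters lsattr output for the s, i, and a attributes. This is an added example, not part of the original posts; the function names flag_suspicious, scan_dirs, and sample_lsattr_output are hypothetical, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: flag files whose lsattr flags include s, i or a.

# Read lsattr output on stdin; print "<matched flags><TAB><path>" per hit.
flag_suspicious() {
    while IFS= read -r line; do
        attrs=${line%% *}    # flag field: everything before the first space
        path=${line#* }      # rest of the line (paths may contain spaces)
        [ "$attrs" = "$line" ] && continue    # no space: not a flags line
        case $attrs in
            ''|*[!A-Za-z-]*) continue ;;      # directory headers, error text
        esac
        # Case-sensitive on purpose: S, I and A are different attributes.
        hits=$(printf '%s' "$attrs" | tr -cd 'sia')
        [ -n "$hits" ] && printf '%s\t%s\n' "$hits" "$path"
    done
    return 0
}

# Run lsattr over each directory given and filter the result.
# Unreadable entries are skipped silently; run as root for full coverage.
scan_dirs() {
    for d in "$@"; do
        [ -d "$d" ] || continue
        lsattr "$d" 2>/dev/null | flag_suspicious
    done
}

# Constructed sample of lsattr output (not captured from a real system).
sample_lsattr_output() {
    cat <<'EOF'
--------------e------- /usr/bin/ls
----i---------e------- /usr/bin/ps
-----a--------e------- /usr/bin/netstat
s-------------e------- /usr/bin/top
-------A------e----I-- /usr/bin/somedir
EOF
}

# Scan the directories passed on the command line, e.g.:
#   sudo sh scan.sh /bin /sbin /usr/bin
if [ "$#" -gt 0 ]; then
    scan_dirs "$@"
fi
```

A hit is a reason to run the deeper scans and check what the attribute means for that file, since some files may have these attributes set intentionally.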