Use RPM to search for modified binaries.
rpm -Va | grep ^..5
This one-liner will use the RPM database to compare md5sums of all installed files and will give you a report of all files that have been changed from the default install. Configuration files may not be a big deal, but binaries with md5sums that don’t match is a dead give away of a compromised system.
jtdub October 13, 2012