Check integrity of Debian system after possible rootkit?

debsums, but it will only check files installed by packages, it can't tell you about extra files.


When a system is compromised you're never sure if everything was cleaned and the best solution is always to reinstall the system, but you need to do some forensics to prevent that from happening again.

chkrootkit and rkhunter are good rootkit checkers but they're not infallible.

Also, run nmap from an outside machine and see if there's some port opened that you're not expecting.

debsums is also a good help when checking for compromised binaries.

And do you have any ideas how the hacker got access to the machine and which service was vulnerable? Focus especially there (but not only there). See if there are known issues with that software version. Check for every possible log you have in your filesystem. If you have a mrtg trending application (like ganglia, munin or cacti) check it for possible time frames of the attack.

You should also review your machine considering the following topics:

  • shut down the services you don't need

  • test backup on a regular basis

  • follow the least privilege principle

  • have your services updated, especially regarding security updates

  • don't use default credentials
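An added example, not code from either answer: it pairs debsums (package-file integrity, as both answers suggest) with a sweep for files that no installed package claims, which is exactly the gap the first answer points out. It assumes a Debian host with dpkg and debsums; the optional second argument of `unowned_files` lets you pass a constructed list file to try it off-box.

```shell
#!/bin/sh
# parse_debsums: read debsums output on stdin and print only the paths of
# files whose checksum differs. Handles both the default "path  OK/FAILED"
# format and the "-c" format, which prints bare paths of changed files;
# "debsums: ..." warnings (e.g. no md5sums for a package) are skipped.
parse_debsums() {
    awk '
        /^debsums:/ { next }                  # warning line, not a file result
        NF == 2 && $2 == "OK" { next }        # unchanged file
        NF == 2 && $2 == "FAILED" { print $1; next }
        NF == 1 && $1 ~ /^\// { print $1 }    # debsums -c prints bare paths
    '
}

# unowned_files DIR [LISTFILE]: print regular files under DIR that no
# installed package claims. The set of claimed files comes from dpkg's
# per-package .list files; a constructed LISTFILE may be given instead
# (used for testing away from a real Debian host).
unowned_files() {
    dir=$1
    listfile=${2:-}
    tmp=$(mktemp) || return 1
    if [ -n "$listfile" ]; then
        LC_ALL=C sort -u "$listfile" > "$tmp"
    else
        LC_ALL=C sort -u /var/lib/dpkg/info/*.list > "$tmp"
    fi
    # comm -23 keeps lines present only in the first input:
    # files on disk that appear in no package's file list.
    find "$dir" -xdev -type f 2>/dev/null | LC_ALL=C sort | LC_ALL=C comm -23 - "$tmp"
    rm -f "$tmp"
}

# Typical use on the suspect host (copy the results off the box before
# deciding anything; the output is a triage list, not proof of compromise):
#   debsums -c | parse_debsums > /tmp/changed-package-files.txt
#   for d in /usr /etc /opt; do unowned_files "$d"; done > /tmp/unowned-files.txt
# Expect legitimate hits: configuration generated at install time, locally
# built software, and, on merged-/usr systems, paths that dpkg recorded under
# /bin or /lib but which find reports under /usr. Review each hit rather than
# treating every unowned file as hostile.
```

Run both sweeps before shutting the machine down, since a rootkit that hides files from a live system will not hide them from an offline mount of the disk, and comparing the two lists is itself useful evidence.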
