There are a number of packages available that can take a "snapshot" of
your whole filesystem and compare it to earlier snapshots to see what has
changed. If you can clearly define which files should change as
part of the normal operation of your system, these packages can very
quickly alert you to the presence and activity of a hacker.
Tripwire is one of the most popular of these intrusion detection
packages (see Resources at the end of this tutorial for a link). Once you have installed tripwire,
you must customize its configuration file so that it knows which files
should change and which should not. You will also need to tell it how
to send you reports of what has changed, and how often it should run (usually
once per day).