find changes in config files (debian/ubuntu)

11 Feb

want to know which files in /etc have been changed on your debian-like Linux system?

one part can be done with the package debsums, which compares the md5sums delivered with a debian-package with those of the current files:

$ sudo debsums -a -s
.
.
debsums: checksum mismatch apache2.2-common file /etc/apache2/sites-available/default
debsums: checksum mismatch apache2.2-common file /etc/apache2/ports.conf
.
.

Note 1: this does NOT cover configuration files that are not part of the .deb package itself, e.g. those manually created by a user as well as those built by a package’s configuration/post-install scripts. You have been warned!

Note 2: debsums can give hints about a compromised system, but it’s absolutely no guarantee that a non-suspicious output comes from a clean system – if the system’s compromised, an attacker could just as well change the md5sums database of a package (residing in /var/lib/dpkg/info/PKGNAME.md5sums).
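The blind spot from Note 1 can be listed directly. The following is an added example, not part of the original post: a shell function that prints the files under /etc that appear in no package's .md5sums or .conffiles list in /var/lib/dpkg/info. The ROOT argument, the function names and the sample tree are assumptions of this example.

```shell
#!/bin/sh
# uncovered_etc [ROOT]
# Prints regular files under ROOT/etc that no installed package lists, i.e.
# the files a debsums run has nothing to compare against.
# ROOT defaults to the live system; pass a mounted image or a test tree.
uncovered_etc() (
    root=${1%/}
    info=$root/var/lib/dpkg/info
    tmp=$(mktemp -d) || exit 1
    export LC_ALL=C     # same collation for sort and comm
    {
        # PKG.md5sums: "<md5>  <path relative to />"
        cat "$info"/*.md5sums 2>/dev/null |
            sed -n 's|^[0-9a-f]\{32\}  \(etc/.*\)$|/\1|p'
        # PKG.conffiles: absolute path, optionally preceded by a flag
        cat "$info"/*.conffiles 2>/dev/null |
            sed -n -e 's|^remove-on-upgrade[[:space:]]*||' -e '/^\/etc\//p'
    } | sort -u > "$tmp/known"
    (cd "$root/" && find etc -type f) | sed 's|^|/|' | sort -u > "$tmp/present"
    comm -23 "$tmp/present" "$tmp/known"    # present but not known
    rm -rf "$tmp"
)

# Constructed sample tree (not real package data) to try the function offline.
make_sample_root() {
    r=$(mktemp -d) || return 1
    mkdir -p "$r/etc/apache2/sites-available" "$r/etc/sample" \
             "$r/var/lib/dpkg/info"
    : > "$r/etc/apache2/ports.conf"                 # package conffile
    : > "$r/etc/apache2/sites-available/default"    # package conffile
    : > "$r/etc/apache2/sites-available/intranet"   # created by an admin
    : > "$r/etc/sample/shipped.conf"                # listed in md5sums
    : > "$r/etc/sample/legacy.conf"                 # flagged conffile
    : > "$r/etc/sample/generated.conf"              # written by a postinst
    printf '%s\n' /etc/apache2/ports.conf \
        /etc/apache2/sites-available/default \
        > "$r/var/lib/dpkg/info/apache2.2-common.conffiles"
    printf '%s\n' 'remove-on-upgrade /etc/sample/legacy.conf' \
        > "$r/var/lib/dpkg/info/samplepkg.conffiles"
    printf '%s  %s\n' d41d8cd98f00b204e9800998ecf8427e etc/sample/shipped.conf \
        d41d8cd98f00b204e9800998ecf8427e usr/bin/sample \
        > "$r/var/lib/dpkg/info/samplepkg.md5sums"
    echo "$r"
}
```

Called without an argument, `uncovered_etc` inspects the running system. Its answer depends on the same /var/lib/dpkg/info data that Note 2 says an attacker could change, so the same caveat applies.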
