This page describes how to check file integrity with debsums using the packages for Debian. If you don't know if your system became compromised and if someone modified the files on disk, you can shut down the system and boot a secure system like a Debian live CD. From there you can use debsums to check if files where modified. You have to do the following steps:

# mount -r -o noexec,nosuid,nodev /dev/sdb /mnt

% grep-dctrl --not -FStatus not-installed -n -s Package \
  /mnt/var/lib/dpkg/status > /tmp/pkgs

% cat > /tmp/apt.conf <<__EOF
// Only needed if arch_of(broken_system) != uname -m
APT::Architecture "amd64";

APT::Get::Download-Only "true";
APT::Get::Reinstall "true";

Dir "/mnt/"
{
  State::status "/mnt/var/lib/dpkg/status";
  Cache "/tmp/new-ar";
};

// the filesystem is read-only, hence we need no root permission to
// run apt-get to get file locks
Debug::NoLocking "true";
__EOF

% mkdir -p /tmp/new-ar/archives/partial
% APT_CONFIG=/tmp/apt.conf apt-get install $(cat /tmp/pkgs)

Remove the architecture, because debsums can't look for a different
architecture than the current. (Only needed if arch_of(broken_system) != uname -m)

% for i in /tmp/new-ar/archives/*amd64*; do mv $i ${i%_amd64*}.deb; done

You have to run debsums as root to get access to all file, e.g. /etc/ssl/priv.

# debsums --all --changed --generate=all --root=/mnt \
  --deb-path=/tmp/new-ar/archives $(cat /tmp/pkgs)