Hacker News

Be warned that even 20 years ago, when I was doing research on this stuff, it was standard procedure to exploit the kernel. This included things like read or stat showing a valid file, but exec would run an exploited file. It also allowed hidden directories and files. So you couldn't find a subdirectory with ls, but you could cd into it.

So you really have to boot from trusted media with a trusted kernel and no untrusted modules to be sure what you are seeing. Generally this involves rebooting onto trusted read-only media, doing a scan, then rebooting back into production. The HOWTO mentioned finding an unused kernel module like floppy.ko and replacing it with a malicious payload and ensuring it loaded on boot.

Also keep in mind that attackers are well aware of tripwire, and some attack kits I saw specifically looked for tripwire-like approaches and would hook into the process of updating the checksums after patching, so their exploited binaries would look just like valid binaries.
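
An added example of the offline scan the comment describes (this is not the commenter's code or any HOWTO's): a POSIX sh script meant to run from trusted rescue media against the production root mounted read-only. The manifest is written to, and later read from, storage that stays off the audited host, which is what defeats the trick of hooking the checksum-update step. The mount point, the manifest path, and the list of audited directories are assumptions; it also assumes GNU coreutils (sha256sum, find -print0, sort -z, xargs -r) on the rescue media.

```shell
#!/bin/sh
# Offline integrity scan. Run from trusted rescue media, e.g.:
#   mount -o ro /dev/sda1 /mnt/prod          # production root, hashed by the TRUSTED kernel
#   make_manifest   /mnt/prod /media/usb/manifest.sha256   # first time, known-good system
#   verify_manifest /mnt/prod /media/usb/manifest.sha256   # every later scan
# Keep the manifest OFF the audited disk so a rootkit that hooks the
# checksum-update process cannot re-sign its replacements.
# All paths above are assumptions for illustration.

# Directories to cover, relative to the mount point. Kernel modules are
# included so a replaced floppy.ko shows up as MODIFIED.
AUDIT_DIRS="bin sbin lib lib64 usr etc boot"

# make_manifest MOUNT OUTFILE
# Writes "sha256  relative/path" for every regular file under AUDIT_DIRS,
# sorted by path so two manifests of the same tree compare line for line.
make_manifest() {
    mount_point=$1
    outfile=$2
    set --
    for d in $AUDIT_DIRS; do
        [ -d "$mount_point/$d" ] && set -- "$@" "$d"
    done
    [ $# -gt 0 ] || return 1
    ( cd "$mount_point" && find "$@" -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$outfile"
}

# verify_manifest MOUNT MANIFEST
# Rehashes the tree and prints one line per difference:
#   ADDED    path   (file not in the manifest, e.g. a dropped backdoor)
#   MODIFIED path   (hash differs, e.g. a trojaned module or binary)
#   REMOVED  path   (in the manifest but gone from the tree)
# Returns 0 when the tree matches the manifest, 1 when anything differs.
verify_manifest() {
    mount_point=$1
    manifest=$2
    [ -s "$manifest" ] || { echo "empty or missing manifest: $manifest" >&2; return 2; }
    current=$(mktemp)
    make_manifest "$mount_point" "$current"
    # sha256sum lines are "<64 hex chars><two spaces><path>", so the path
    # starts at column 67; using substr keeps paths with spaces intact.
    report=$(awk '
        NR == FNR { base[substr($0, 67)] = $1; next }
        {
            path = substr($0, 67); seen[path] = 1
            if (!(path in base))        print "ADDED    " path
            else if (base[path] != $1)  print "MODIFIED " path
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED  " p }
    ' "$manifest" "$current" | sort)
    rm -f "$current"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}
```

Because the hashing runs under the rescue kernel, a hooked read/stat on the production kernel cannot hide the difference, and because the manifest never lives on the audited disk, there is no on-host checksum database for a kit to re-sign. Things this does not catch on its own: files outside AUDIT_DIRS, and a payload that only lives in memory, which is why the rescue boot is paired with a check of what is configured to load at boot.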
