a workmade of mine is now on the box.
this is /usr/bin/chattr


looks like we got a lot of work.

Hi,
That's indeed bad news.

A very optimistic look would be: Only chattr was replaced by another command, which could be replaced by a working version (remove the existing chattr and reinstall using your distro's tools). But like I stated before: Who knows what else was compromised........

I do hope you have an idea how your box was compromised and are able to make sure that doesn't happen again.

Good luck fixing/reinstalling your box!

I hope you have an idea when it was compromised as well. Ie how far back to go to get clean data. BTW this only means user data; get a fresh OS install ready.
I know over in the Security Forum they prefer it if you try to analyse the problem before re-install, but if chattr has been compromised, I'd assume a lot else has been as well.
If you've got the time and inclination & expertise, make a dd copy of the relevant parts for later examination.
After that, you're best off doing a fresh install; there's no way to guarantee a clean fix otherwise.
However, do figure out how they got in before you re-install, otherwise it'll happen again(!)