
Re: Rootkit?



Hi, first post to the list so be gentle.

I checked with md5sum; the binaries differ from those on other machines that look clean.
Very strange: if I ftp the 'gzip' binary from a clean machine to the 'infected' one,
it is then changed to the same md5sum that the 'gzip' binary has on the 'infected'
machine.
Did you copy the gzip binary under the gzip name, or under another, and of course, the machine was "possibly infected" at the time? If so, it would tend to indicate a similar situation to what I had, on a non-Debian box, where a certain list of binaries were hijacked through ld_preload tricks and uninfected copies were on the file system, but infection wrappers in /proc were run before each one...
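The reply describes the failure mode the original poster ran into: if the dynamic loader is being abused through a preload hook, then md5sum, sh and every other dynamically linked tool on the suspect host may be lying, so a checksum computed on that host proves nothing. The script below is an added example written for this thread, not code posted by either participant. It compares installed binaries against a manifest of known-good checksums taken from a clean machine (the same md5sum format the poster was using), and separately reports the two user-space preload mechanisms (/etc/ld.so.preload and the LD_PRELOAD variable) that such a hijack typically relies on. It is meant to be run from a trusted environment, for example a rescue boot with the suspect disk mounted read-only under a ROOT prefix; the manifest path, the ROOT argument and the sample file names are assumptions for the example.

```shell
#!/bin/sh
# Added example for this thread (not the poster's or replier's code).
# Compare binaries on a suspect filesystem against known-good md5sums and
# report preload hooks. Run from a trusted environment: on a compromised
# host md5sum and sh themselves may be hijacked, as the thread describes.

# verify_manifest MANIFEST [ROOT]
#   MANIFEST lines look like md5sum output: "<md5>  <path>", with '#' comments.
#   ROOT (assumed, e.g. /mnt/suspect) is prepended to each path so the check
#   can run against a mounted disk. Prints one line per mismatch or missing
#   file and returns the number of problems found (capped at 255, the largest
#   value a shell exit status can carry).
verify_manifest() {
    manifest=$1
    root=${2:-}
    bad=0
    while read -r expected path; do
        [ -z "$expected" ] && continue
        case $expected in \#*) continue ;; esac
        file="$root$path"
        if [ ! -f "$file" ]; then
            printf 'MISSING  %s\n' "$file"
            bad=$((bad + 1))
            continue
        fi
        actual=$(md5sum "$file" | cut -d' ' -f1)
        if [ "$actual" != "$expected" ]; then
            printf 'MISMATCH %s expected=%s actual=%s\n' "$file" "$expected" "$actual"
            bad=$((bad + 1))
        fi
    done < "$manifest"
    [ "$bad" -gt 255 ] && bad=255
    return "$bad"
}

# preload_check [ROOT]
#   Reports a non-empty ROOT/etc/ld.so.preload (libraries the loader injects
#   into every dynamically linked program) and an LD_PRELOAD variable in the
#   current environment. Returns 0 when neither is present, 1 otherwise.
preload_check() {
    root=${1:-}
    found=0
    if [ -s "$root/etc/ld.so.preload" ]; then
        printf 'PRELOAD  %s/etc/ld.so.preload lists: %s\n' \
            "$root" "$(tr '\n' ' ' < "$root/etc/ld.so.preload")"
        found=1
    fi
    if [ -n "${LD_PRELOAD:-}" ]; then
        printf 'PRELOAD  LD_PRELOAD is set in this environment: %s\n' "$LD_PRELOAD"
        found=1
    fi
    return "$found"
}

# Usage: sh check_binaries.sh MANIFEST [ROOT]
# Exit status is the number of checksum problems, plus one if a preload hook
# was found, so a clean result is exit 0.
if [ "$#" -ge 1 ]; then
    verify_manifest "$1" "${2:-}"; rc=$?
    preload_check "${2:-}" || rc=$((rc + 1))
    exit "$rc"
fi
```

Build the manifest on a machine you trust (for example `md5sum /bin/gzip /bin/ls ... > manifest` there) and carry it over with the checking tools, rather than generating it on the suspect host. A clean checksum from a compromised host is exactly the symptom the poster saw, so a matching result here is only meaningful when md5sum itself came from trusted media.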


