Recently, on a server of mine a hacker replaced the ssh and sshd binaries.
Contrary to my expectations, this was not flagged by rkhunter during the 'file properties' check.
I believe this is because ssh and sshd are not included in the PROP_FILE_LIST list of files whose attributes are stored and verified by rkhunter.
I imagine that the replacement versions were modified to transmit submitted passwords to the hacker, and that this would be a common hacker tactic.
As such, I would request that both ssh and sshd be added to the PROP_FILE_LIST list.