For those of you just starting out in *nix security, I ran across a great article that goes over the purpose and use of rootkits by crackers, and some of the most common commands that have been used to trojan a rootshell. It's an older article (1999), but still has some great explanations. It will give you a heads up as to what crackers will likely be attempting to do (if they want to cover their tracks) if they gain access to your system:
Pretty good article. Sadly I had to learn this information the hard way. When someone hacked an exploitables version of openssh on my system and installed a rootkit to hide the fact. Luckily he didn't clean the .bash_history file so I just tracked the commands and found all the files and logs used. A good reason to not only check your syslog (messages on linux) but also check your history file routinely.