For those of you just starting out in *nix security, I ran across a great article that goes over the purpose and use of rootkits by crackers, and some of the most common commands that have been used to trojan a rootshell. It's an older article (1999), but still has some great explanations. It will give you a heads up as to what crackers will likely be attempting to do (if they want to cover their tracks) if they gain access to your system: