July 24th, 2002, 01:58 PM
#3
Junior Member
Well, most rootkits alter /bin/ps, /bin/netstat, /bin/ls .... they have a file for hidden processes, a file for hidden files...
Usually, those files are in /dev/ (like in lrk[3-6]) but they can be anywhere else (tornkit7 uses /usr/... can't remember). An easy way to find those files is:
strings /bin/ps|grep /dev
strings /bin/ps|grep /usr
...
Besides that, most rootkits use other trojans to ensure the access. I found suid cgi-scripts, open ports spawning a shell, a nice ping-back backdoor (you run the trojan with an argument like 666, and when you ping the host with a ping packet sized 666, you get a shell spawned on a port) and all sorts of other trojans. Nowadays, very common is an ssh daemon which doesn't log to syslog or wtmp/utmp, which combined with an LKM, can hide its forked processes, so at ps you don't see the shell of the attacker in the process list (unlike non-lkm rootkits). Besides that, when a cracker takes control of the system, he will make a directory where he puts in his stuff, like a sniffer, a DoS program, and probably other exploits. A very used sniffer was linsniffer (which put the output in tcp.log so `locate tcp.log` would do the job) and now I see t0rns is very used (output = system, so it's rather ineffective to `locate system`). You can find also bots, eggdrop and emech are the most used.
Don't know right now any links to rootkits (just query google for lrk4, tornkit and you will find something) but as soon as I'll get home, I'll find something useful to you.
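The `strings /bin/ps | grep /dev` check from the post above, as an added shell example that is not part of the original post: it pulls printable strings out of a binary, takes any prefix (so `/usr` works the same way), and flags embedded /dev paths that resolve to a regular file, since a data file sitting in /dev is what the hidden-process and hidden-file lists look like. The function names and the optional ROOT argument (to scan a mounted image) are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Scan a binary for embedded path strings and flag suspicious /dev references.

# Print each distinct printable string in FILE that contains PREFIX, trimmed
# to the path token itself.  tr + grep is used instead of strings(1) so the
# check does not depend on binutils being present on a possibly trojaned box.
scan_paths() {
    file=$1; prefix=$2
    LC_ALL=C tr -c '[:print:]' '\n' < "$file" \
        | LC_ALL=C grep -o -E "$prefix[A-Za-z0-9_./-]*" \
        | sort -u
}

# For every /dev path embedded in FILE, report the ones that exist as regular
# files under ROOT (default: the live system).  A device directory should hold
# device nodes; a plain file there is where rootkits keep their hidden lists.
flag_regular_dev_files() {
    file=$1; root=${2:-}
    scan_paths "$file" /dev/ | while read -r p; do
        if [ -f "$root$p" ]; then
            printf 'SUSPECT %s references regular file %s\n' "$file" "$root$p"
        fi
    done
}

# Stand-alone use: ./check.sh /bin/ps /bin/netstat /bin/ls
if [ "$#" -gt 0 ]; then
    for f in "$@"; do
        flag_regular_dev_files "$f"
    done
fi
```

Run it against /bin/ls, /bin/ps and /bin/netstat on the host, or point ROOT at a read-only mount of the suspect disk so a trojaned kernel module cannot hide the file from the check.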