Yesterday I helped my friend kargig to analyse a rootkit he has recovered from a compromised Linux system. You can find the complete write-up at his blog.