You should just order this book imho.
http://www.amazon.com/Rootkit-Arsenal-Escape-Evasion-Corners/dp/1598220616/ref=sr_1_2?ie=UTF8&qid=1303542136&sr=8-2
It's more recent, covers more techniques and is extremely in depth and it has all the source code in the back of the book.
Well, after the resurgence and killing off that new user that had been created, I realized some folders on the server had been chmod to 777 recently, so I set those down to 755 and also changed some that were 775 to 755, though being careful to check the apps were still cool. It's been about 8 hours and I haven't seen anything since, though I'm going to be doing some forensic analysis on the server. Glad I bought this book a while back. I'm going to respond a little more below. (Oh, and sorry, forgot the password to the sockpuppet account I made earlier.)