The first thing I tried to do was use RPM to verify the system, but as neither /bin/rpm nor /var existed that attempt failed. I have a backup of my system burnt to CD so I can run:

    rpm -Va --dbpath /mnt/cdrom/var/lib/rpm

At this point the thought occurred to me that maybe (even though the filesystem layout suggested it was) this wasn't a RedHat system, but:

    cat etc/redhat-release

revealed it was:

    Red Hat Linux release 6.2 (Zoot)

At this point I had a quick look at the RedHat website to see what exploitable files were potentially installed by default. A quick search on google also identified some files I may potentially be looking for:

    http://www.blueriver.net/~jlgaddis/shitc.tgz

A quick look at the filesystem showed a few sus file dates:

    /bin/netstat
    /bin/ps
    /sbin/ifconfig

Further investigation showed an unusual command at the end of rc.sysinit:

    /usr/bin/lsattr -t1 -X53 -p

Notably the arguments did not match what I'd expect for that command.

Services that were presumably running (runlevel 3):

    kudzu portmap apmd netfs identd crond inet keytable gpm xfs local network nfslock random syslog atd pcmcia lpd sendmail httpd linuxconf

Also of note was that inetd.conf has most services closed off.

Next I tried using TCT to see what I could recover:

    bin/unrm /home/user/security/honeynet/honeypot.hda8.dd > unrm_output

and

    bin/lazarus -h unrm_output
    grep root block/*.txt

This returned a number of files so I narrowed it down:

    grep -i rootkit blocks/*
    Binary file blocks/8499.p.txt matches

They used the word rootkit in their shell file! :)

An afterthought was that searching for "unset" or "#!\" may have been a better option, as a typical rootkit script would want to unset certain variables.

I searched google (both web and usenet) for many of the words mentioned in the file. No luck there. I identified words that needed translating and put them in a file. I found a file 9.z.txt that appeared to be a damaged version of the rootkit.
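An added example (mine, not from these notes) of the integrity check the rpm -Va step above was after: when the image's own RPM binary and database are missing or cannot be trusted, the mounted evidence root can instead be compared file by file against the trusted backup tree. The paths and the two sample trees are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the original notes: compare a mounted evidence
# root against a trusted backup tree file by file. This stands in for
# "rpm -Va" when the image's own /bin/rpm and RPM database are gone or
# cannot be trusted. All paths used below are assumptions for the demo.
export LC_ALL=C

# Print one line per difference: MODIFIED (content differs), MISSING
# (in the backup but not the evidence) or EXTRA (in the evidence only).
compare_trees() {
  trusted=$1; evidence=$2
  t_list=$(mktemp); e_list=$(mktemp)
  (cd "$trusted"  && find . -type f | sed 's|^\./||' | sort) > "$t_list"
  (cd "$evidence" && find . -type f | sed 's|^\./||' | sort) > "$e_list"
  while IFS= read -r f; do
    if [ ! -f "$evidence/$f" ]; then
      printf 'MISSING  %s\n' "$f"
    elif ! cmp -s "$trusted/$f" "$evidence/$f"; then
      printf 'MODIFIED %s\n' "$f"
    fi
  done < "$t_list"
  comm -13 "$t_list" "$e_list" | sed 's/^/EXTRA    /'
  rm -f "$t_list" "$e_list"
}

# Constructed sample trees so the check runs offline: the evidence copy has
# a replaced /bin/ps, a deleted /bin/netstat and one file the backup lacks.
make_sample() {
  root=$1
  for side in trusted evidence; do
    mkdir -p "$root/$side/bin" "$root/$side/sbin" "$root/$side/etc"
    echo "Red Hat Linux release 6.2 (Zoot)" > "$root/$side/etc/redhat-release"
    echo "original ps"       > "$root/$side/bin/ps"
    echo "original netstat"  > "$root/$side/bin/netstat"
    echo "original ifconfig" > "$root/$side/sbin/ifconfig"
  done
  echo "replaced ps" > "$root/evidence/bin/ps"
  rm "$root/evidence/bin/netstat"
  mkdir -p "$root/evidence/var/tmp"
  echo "not in backup" > "$root/evidence/var/tmp/extra"
}

# Run on the constructed sample; on a real case point compare_trees at the
# backup CD mount and the mounted image instead.
demo() {
  d=$(mktemp -d)
  make_sample "$d"
  compare_trees "$d/trusted" "$d/evidence"
  rm -rf "$d"
}
demo
```

Unchanged files such as etc/redhat-release produce no output, so a clean system yields an empty report.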
I identified what files comprised the rootkit and placed them in a file.

Initial thoughts: Modified version of Torn Kit?

    http://www.cert.org/incident_notes/IN-2000-10.html
    http://packetstorm.securify.com/UNIX/penetration/rootkits/

Decided to grep for a word that went in the email to find that file:

    grep Satiru blocks/*
    Binary file blocks/84383.m.txt matches
    Binary file blocks/8499.p.txt matches

Took a break. I'd spent about 2hrs to this point and it was time to go home anyway. Decided I'd rework these notes in a neater form with further details and submit this raw form as an attachment for anyone that might want to read it.