I have never removed rootkits, so i do not know. Best practice is to prevent rootkits and other malware from entering the host. If it has been established that the host has rootkit, I would say best way to deal with it is to copy data from that host, verify the data does not contain malwares, install a new host from known good media and restore the data. If a host has a rootkit, it is very hard to know when it has been removed completely. If the above does not help, enter Code: best practices when removing rootkits from a linux to Internet Search Engines.
Here is also a preventive tool: https://aide.github.io/ AIDE (Advanced Intrusion Detection Environment) is a file and directory integrity checker. It checks system integrity by hash.
