I once found a hacker on a large university system who kept a setuid binary in / for his backdoor, except the name had escaping sequences which kept it hidden from the typical shell listing. I found it when poking around, like inquisitive users do. I had compiled zshell, which unlike the default, proprietary shell on the system let me see and manipulate those names. I was giddy when I executed it and was dropped into a root shell.
I notified the sysadmin, who was incredulous at first. Later I found out that the hacker had penetrated many more systems, including many Bell Atlantic servers. Never did find out how he broke in, though in those days there was lots of low hanging fruit to exploit.