I am trying to make a backup of files that are commonly replaced by rootkits. So far I am including:

ls
ps
find
wget
top
kill
killall
tcpd
syslogd
ifconfig

Any others?

Netstat, lsof, and possibly (ba)sh come to mind.

Edit: Make that possibly *sh.

Another Edit: Ssh too.

grep
pstree
locate
w