Could be the "tux" or "optic" rootkit. Unfortunately
chkrootkit doesn't recognize these yet, and so you're definately in limbo here, I don't have string samples for you to check for positive match, but messages on the securityfocus list mention the binaries are pointing to a dir /dev/tux. If it's there, wtmp has been deleted, /var/log/messages is scrubbed for connection entries, and you've got files like /usr/bin/xchk and /usr/bin/xsf I'd say it's a positive match.
Soz, but I can't break the news any other way. Disconnect the box from the net, save your *human readable data* (NO BINARIES), wipe the partition(s) clean and reinstall.
Head over to cert.org and sans.org for the *nix security checklist and "best practices" docs, over to linuxdoc.org for "Optimizing Securing Linux", add a file integrity checker like Aide, Tripwire or Samhain, install intrusion detection capability like Snort, tighten your firewall rules. Go back to cert.org and sans.org, read up on the docs again and come back to answer more questions, it's what we're here for.
Good luck!