Hacked or not?

RazorOnFreeBSD yann.luppo at attglobal.net
Fri May 21 12:52:50 PDT 2004


Hi, 

I have a 4.9-STABLE FreeBSD box apparently hacked!
Yesterday I ran chkrootkit-0.41 and I don't like some of the outputs. 
Those are:
chfn ... INFECTED
chsh ... INFECTED
date ... INFECTED
ls   ... INFECTED
ps   ... INFECTED

But all the rest is NOT PROMISC, NOT INFECTED, NOTHING FOUND, NOTHING DELETED, or NOTHING DETECTED.
I know from the FreeBSD-Security archives that chkrootkit isn't perfect with FreeBSD versions 5.x,
but I'm not in that case. So I'm a little bit afraid, and as a newbie I don't really know what to do...
I tried "truss ls" to find something strange and here are the outputs with something... suspicious for me:

ioctl(1,TIOCGETA,0xbfbff534)              = 0 (0x0)
ioctl(1,TIOCGWINSZ,0xbfbff5a8)            = 0 (0x0)
getuid()                                  = 0 (0x0)
readlink("etc/malloc.conf",0xbfbff490,63) ERR#2 'No such file or directory'   #SUSPICIOUS
mmap(0x0,4096,0x3,0x1002,-1,0x0)          = 671666176 (0x2808d000)
break(0x809b000)                          = 0 (0x0)
break(0x809c000)                          = 0 (0x0)
break(0x809d000)                          = 0 (0x0)
break(0x809e000)                          = 0 (0x0)
... and so on!

And if I am an intrusion victim... what can I do? How can I restore those files? And how can I find out what this cracker did to break through my firewall? I mean, where is the security hole?
PS: After checking other commands that were declared not infected, I found out that this ERR#2 is common... maybe I have another problem here!

Thanks everyone!
razor.
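A way to settle the question the post raises, added here and not part of the original message or of chkrootkit: hash the five flagged binaries (chfn and chsh live in /usr/bin, date, ls and ps in /bin on FreeBSD) from a trusted copy of the same release and compare them with the suspect host's copies, rather than relying on chkrootkit's verdict alone. The choice of hash tool and the mount point of the trusted tree are assumptions; on the suspect host, the shell, the hash tool and this script should themselves come from read-only media, since ls and ps are among the files in question.

```shell
# Added example (not from the original post): baseline-and-compare check for
# the binaries chkrootkit reported as INFECTED. Run make_baseline against a
# trusted tree (e.g. /mnt/trusted, an assumed mount of the release sets or a
# clean twin box), then verify_against on the suspect host's root.

FLAGGED="chfn chsh date ls ps"

# hash_file FILE: print a SHA-256 hex digest using whichever tool exists
# (sha256sum on Linux, sha256 on newer FreeBSD, openssl dgst as a fallback).
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"
    else
        openssl dgst -sha256 "$1" | sed 's/.*= //'
    fi
}

# make_baseline ROOT OUT: write "relative-path hash" lines for each flagged
# binary found under ROOT, looking in bin/ and usr/bin/ as FreeBSD lays them out.
make_baseline() {
    root=$1; out=$2
    : > "$out"
    for name in $FLAGGED; do
        for dir in bin usr/bin; do
            if [ -f "$root/$dir/$name" ]; then
                printf '%s %s\n' "$dir/$name" "$(hash_file "$root/$dir/$name")" >> "$out"
            fi
        done
    done
}

# verify_against ROOT BASELINE: report each baseline entry as ok, CHANGED or
# MISSING under ROOT; exit status 1 if anything differs, 0 if all match.
verify_against() {
    root=$1; baseline=$2; bad=0
    while read -r rel expected; do
        if [ ! -f "$root/$rel" ]; then
            echo "MISSING  $rel"; bad=1
        elif [ "$(hash_file "$root/$rel")" != "$expected" ]; then
            echo "CHANGED  $rel"; bad=1
        else
            echo "ok       $rel"
        fi
    done < "$baseline"
    return $bad
}
```

Usage: `make_baseline /mnt/trusted baseline.txt` on the trusted tree, then `verify_against / baseline.txt` on the suspect host; a CHANGED line is evidence worth acting on, while five ok lines point back to a chkrootkit false positive.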

