id	summary	reporter	owner	description	type	status	priority	milestone	component	version	resolution	keywords	cc	uname	nginx_version
517	nginx executable hacked	sasha1111 1111		"I've found out nginx 1.4.5 on one server behaves badly: 
it dumps some of the POST requests going through into a file it stores in 
/tmp/.ICE-unix/.<something> 

There is no evidence that the server has been hacked: no IDS alerts, and the integrity of all files is intact, except that the nginx binary differs from the one in the 1.4.5 package. I assume the binary has been infected with a backdoor. Unfortunately, my knowledge is not enough to properly identify what's happened. 

Here's a piece of the strace dump where bad things happen:
open(""/tmp/.ICE-unix/.1"", O_RDONLY) = 18
close(18)                         = 0
open(""/tmp/.ICE-unix/.a0df08f45"", O_WRONLY|O_CREAT|O_APPEND, 0666) = 18
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80a445c000
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
lseek(18, 6399016, SEEK_SET)      = 6399016
write(18, ""YToyODp7czo0OiJsYW5nIjtzOjI6ImRl""..., 1222) = 1222
close(18)                         = 0

"	defect	closed	minor	1.4.5	nginx-core	1.4.x	invalid			3.2.0-4-amd64 #1 SMP Debian 3.2.51-1 x86_64 GNU/Linux	1.4.5
