nginx executable hacked

[sasha1111 1111]

I've found out nginx 1.4.5 on one server behaves badly:
it dumps some of the POST requests going through into a file it stores in
/tmp/.ICE-unix/.<something>

There is no evidence that server has been hacked: no IDS alerts and all files integrity is intact, except nginx binary differs from that in 1.4.5 package. I assume binary has been infected with a backdoor. Unfortunately my knowledge is not enough to properly identify whats happened.

Here's a piece of strace dump where bad things happen:
open("/tmp/.ICE-unix/.1", O_RDONLY) = 18
close(18) = 0
open("/tmp/.ICE-unix/.a0df08f45", O_WRONLY|O_CREAT|O_APPEND, 0666) = 18
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f80a445c000
fstat(18, {st_mode=S_IFREG|0666, st_size=6399016, ...}) = 0
lseek(18, 6399016, SEEK_SET) = 6399016
write(18, "YToyODp7czo0OiJsYW5nIjtzOjI6ImRl"..., 1222) = 1222
close(18) = 0

[sasha1111 1111]

Trac failed to attach binary to this ticket. Here it is on my gdrive.
​https://drive.google.com/file/d/0B8Udrj1wuVjiOU1jTUJMVlBzS2c/edit?usp=sharing

[sasha1111 1111]

Btw lsof shows that nginx keeps /tmp/.ICE-unix/.1 file opened:

nginx 29590 www-data 17r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 18r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 19r REG 253,7 1 97540 /tmp/.ICE-unix/.1
nginx 29590 www-data 20r REG 253,7 1 97540 /tmp/.ICE-unix/.1

[sasha1111 1111]

nginx 1.4.5 was installed from dotdeb debian repo

[Maxim Dounin]

This doesn't looks like a problem in nginx. It looks like your server was compromised somehow, and the nginx binary was replaced. See, e.g., the ​How do I deal with a compromised server? question on serverfault.com for some basic description on how to deal with compromised servers.