Hacked? /usr/share/webmin/apache32.ico.1

I have Ubuntu 12.04 with latest updates running. I found that I had /usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d running a lot so starting digging into it. The file doesn’t exist. When I started grep to find where it was coming from, I had two perl scripts masked as image files:

/usr/share/webmin/apache32.ico.1:my @rps = ("/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d");
/usr/share/webmin/apache.png:my @rps = ("/usr/local/nagios/bin/nrpe -c /usr/local/nagios/etc/nrpe.cfg -d");

Is this a known vulnerability or any idea how I got this?


I just found the announcements on the vulnerability 1.8 fixed. I’m now cleaning up my system.