Root has just been hacked. It seems possible that the hacker got in via the install.php file.
I’m posting this not to create panic, but to warn people of this potential issue. It’s up to you of course, but it’s probably wise to delete both the install.php and upgrade.php files located in your wp-admin directory as a precaution. I’ve already done so myself.
update
More on this issue in the WP support forums.