strange ftp logs in my httpd error_logs

I am always combing thru logs looking for signs of someone trying to do bad things to our server so I've become pretty familiar with things that look normal and things that don't.  For the first time ever, I saw in /var/log/httpd/error_log, a snippet of it looks like this, with ip addresses and such modified for security purposes:

--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
Connecting to 85.17.x.x:21... Connecting to 85.17.x.x:21... Connecting to 85.17.x.x:21... Connecting to 85.17.x.x:21... Connecting to 85.17.x.x: 1... connected.
Logging in as coder ... connected.
Logging in as coder ... connected.
connected.
Logging in as coder ... connected.
Logging in as coder ... Logging in as coder ... Logged in!
==> SYST ... Logged in!
==> SYST ... Logged in!
==> SYST ... Logged in!
==> SYST ... Logged in!
==> SYST ... done.    ==> PWD ... done.    ==> PWD ... done.    ==> PWD ... don .    ==> PWD ... done.    ==> PWD ... done.
==> TYPE I ... done.
==> TYPE I ... done.
==> TYPE I ... done.
==> TYPE I ... done.
==> TYPE I ... done.  ==> CWD /webstat ... done.  ==> CWD /webstat ... done.  = > CWD /webstat ... done.  ==> CWD /webstat ... done.  ==> CWD /webstat ... done.
==> SIZE c.pdf ... done.
==> SIZE c.pdf ... done.
==> SIZE c.pdf ... done.
==> SIZE c.pdf ... done.
==> SIZE c.pdf ... 31658
==> PASV ... 31658
==> PASV ... 31658
==> PASV ... 31658
==> PASV ... 31658
> RETR c.pdf ... done.    ==> RETR c.pdf ... done.    ==> RETR c.pdf ... done.
Length: 31658 (31K)

     0K ..done.
c.pdf has sprung into existence.
Retrying.

done.
done.
c.pdf has sprung into existence.
Retrying.

c.pdf has sprung into existence.
Retrying.

done.
c.pdf has sprung into existence.
Retrying.

........ .......... ..........                      100% 65.0K=0.5s

2011-05-11 06:13:36 (65.0 KB/s) - `c.pdf' saved [31658]

--2011-05-11 06:13:36--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
  (try: 2) => `c.pdf.1'


there's more, but that's probably enough.  What is this?  It looks to me like someone/something on our server is ftp out of the server to this 85.17.x.x address (it's not really x.x but didn't want to put in the real IP).  What would do this?  Why?  is this something I should worry about?
mignonnedavisAsked:
Who is Participating?
 
ravenplCommented:
The logs look like 'wget' command output. Probably someone spawns the wget from php/python/perl/etc(non-cgi). code. The stderr from such flies directly to apache's error log.
0
 
mignonnedavisAuthor Commented:
Really still not sure why that occured, but hasn't happened since so I'll just hope it was a one time thing
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.