strange ftp logs in my httpd error_logs

Posted on 2011-05-11
Last Modified: 2012-05-11
I am always combing through logs looking for signs of someone trying to do bad things to our server, so I've become pretty familiar with things that look normal and things that don't.  For the first time ever, I saw this in /var/log/httpd/error_log; a snippet of it looks like this, with IP addresses and such modified for security purposes:

--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
--2011-05-11 06:13:33--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
           => `c.pdf'
Connecting to 85.17.x.x:21... Connecting to 85.17.x.x:21... Connecting to 85.17.x.x:21... Connecting to 85.17.x.x:21... Connecting to 85.17.x.x: 1... connected.
Logging in as coder ... connected.
Logging in as coder ... connected.
connected.
Logging in as coder ... connected.
Logging in as coder ... Logging in as coder ... Logged in!
==> SYST ... Logged in!
==> SYST ... Logged in!
==> SYST ... Logged in!
==> SYST ... Logged in!
==> SYST ... done.    ==> PWD ... done.    ==> PWD ... done.    ==> PWD ... don .    ==> PWD ... done.    ==> PWD ... done.
==> TYPE I ... done.
==> TYPE I ... done.
==> TYPE I ... done.
==> TYPE I ... done.
==> TYPE I ... done.  ==> CWD /webstat ... done.  ==> CWD /webstat ... done.  = > CWD /webstat ... done.  ==> CWD /webstat ... done.  ==> CWD /webstat ... done.
==> SIZE c.pdf ... done.
==> SIZE c.pdf ... done.
==> SIZE c.pdf ... done.
==> SIZE c.pdf ... done.
==> SIZE c.pdf ... 31658
==> PASV ... 31658
==> PASV ... 31658
==> PASV ... 31658
==> PASV ... 31658
> RETR c.pdf ... done.    ==> RETR c.pdf ... done.    ==> RETR c.pdf ... done.
Length: 31658 (31K)

     0K ..done.
c.pdf has sprung into existence.
Retrying.

done.
done.
c.pdf has sprung into existence.
Retrying.

c.pdf has sprung into existence.
Retrying.

done.
c.pdf has sprung into existence.
Retrying.

........ .......... ..........                      100% 65.0K=0.5s

2011-05-11 06:13:36 (65.0 KB/s) - `c.pdf' saved [31658]

--2011-05-11 06:13:36--  ftp://coder:*password*@85.17.x.x/webstat/c.pdf
  (try: 2) => `c.pdf.1'


There's more, but that's probably enough.  What is this?  It looks to me like someone/something on our server is FTPing out of the server to this 85.17.x.x address (it's not really x.x, but I didn't want to put in the real IP).  What would do this?  Why?  Is this something I should worry about?
Question by:mignonnedavis

Accepted Solution

by:
ravenpl earned 2000 total points
ID: 35741783
The logs look like 'wget' command output. Probably someone spawns wget from PHP/Python/Perl/etc. (non-CGI) code. The stderr from such a process flies directly to Apache's error log.
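
One way to check an error log for what the answer describes, wget stderr written by a process the web server spawned. This is an added example, not part of the original thread; the function names and the sample log lines (documentation IP addresses, made-up credentials) are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# wget writes "--YYYY-MM-DD HH:MM:SS--  URL" to stderr before each transfer and
# "... - `file' saved [bytes]" after it; Apache's own entries start with "[".
BANNER = re.compile(r"^--(\d{4}-\d\d-\d\d [\d:]{8})--\s+(\S+)")
SAVED = re.compile(r"^(\d{4}-\d\d-\d\d [\d:]{8}) \([^)]*\) - \W(.+?)\W saved \[(\d+)")

def redact(url):
    """Return (url_without_password, host) for a URL taken from a log line."""
    p = urlsplit(url)
    host = p.hostname or ""
    netloc = f"{p.username}:<redacted>@{host}" if p.username else host
    return f"{p.scheme}://{netloc}{p.path}", host

def find_wget_fetches(lines):
    """Summarise wget transfers whose stderr ended up in an error_log."""
    counts, first_seen, hosts, saved = Counter(), {}, set(), []
    for line in lines:
        m = BANNER.match(line)
        if m:
            url, host = redact(m.group(2))
            counts[url] += 1          # repeated banners = parallel runs or retries
            first_seen.setdefault(url, m.group(1))
            hosts.add(host)
            continue
        m = SAVED.match(line)
        if m:                         # a file was actually written to disk
            saved.append((m.group(1), m.group(2), int(m.group(3))))
    fetches = [(url, n, first_seen[url]) for url, n in counts.most_common()]
    return {"fetches": fetches, "hosts": sorted(hosts), "saved": saved}

# Constructed sample: documentation addresses and made-up credentials.
SAMPLE_LOG = """\
[Wed May 11 06:10:02 2011] [error] [client 198.51.100.7] File does not exist: /var/www/html/favicon.ico
--2011-05-11 06:13:33--  ftp://user:secret@192.0.2.10/dir/file.bin
           => `file.bin'
--2011-05-11 06:13:33--  ftp://user:secret@192.0.2.10/dir/file.bin
           => `file.bin'
Connecting to 192.0.2.10:21... connected.
2011-05-11 06:13:36 (65.0 KB/s) - `file.bin' saved [31658]
""".splitlines()

if __name__ == "__main__":
    report = find_wget_fetches(SAMPLE_LOG)
    for url, n, ts in report["fetches"]:
        print(f"{n}x {url} (first at {ts})")
    for ts, name, size in report["saved"]:
        print(f"saved {name} ({size} bytes) at {ts}")
```

The saved file names and timestamps give a starting point for locating the downloaded files on disk and for matching the fetch time against access_log entries to find the script that launched wget.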

Author Closing Comment

by:mignonnedavis
ID: 35785296
Really still not sure why that occurred, but it hasn't happened since, so I'll just hope it was a one-time thing.