One of our servers took more than 300Gb of traffic in less than a few days when the issue was first detected on 27-Sep. There was an unusual spike in outgoing traffic and on investigation, we found a few suspicious files in the Windows system32 directory. We attempted to terminate the processes and the files, and the traffic immediately dropped from between 20-30Mbps to less than 2Mbps. However the frustrating thing is that these files kept reappearing and as soon as the processes are running, the traffic will then surge right back. Opened a ticket with SM and the techs were really helpful in offering some suggestions and turning on the Cisco Flood Guard. From what is known then, it could be due to a vulnerability with the Windows DCOM service. However we were puzzled as the server was patched right up to the day where it all began.

Some of the suspicious files were:
oakley.exe
lmass.exe
temp.bat

Registry:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows DLL Loader"="C:\WINNT\oakley.exe"

In the end, managed to nail the bugger to a recently published remote buffer overflow vulnerability with the Mailenable Pro IMAP service. So if any of your Windows servers with Mailenable Pro is suddenly taking a huge surge in the bandwidth usage, go get the latest IMAP hotfix from Mailenable at http://www.mailenable.com/rss/article.asp?...7C27409B29CE492 before this

Hope this will at least spare some of you guys the sleepless nights that I had over the past week.
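An added defender-side check, not code from the original post: it audits a .reg export of the Run/RunOnce keys for the file names named above and for names that are one character away from a legitimate Windows process (lmass.exe against lsass.exe is an assumption about the lookalike, as is the constructed sample export; the "Example" vendor path is a placeholder).

```python
import re

# File names reported in the post (constructed watchlist, not a vendor feed).
WATCHLIST = {"oakley.exe", "lmass.exe", "temp.bat"}
# Legitimate Windows process names that malware commonly imitates.
LEGIT = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
         "services.exe", "explorer.exe", "ctfmon.exe"}

# Constructed sample .reg export; the first Run entry is the one from the post.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Windows DLL Loader"="C:\\WINNT\\oakley.exe"
"ctfmon"="C:\\WINNT\\system32\\ctfmon.exe"
"LSA Shell"="C:\\WINNT\\system32\\lmass.exe"
"Vendor Agent"="C:\\Program Files\\Example\\agent.exe /quiet"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"cleanup"="C:\\WINNT\\system32\\temp.bat"
'''

def levenshtein(a, b):
    """Edit distance between two strings (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def exe_basename(data):
    """Pull the launched file name out of a Run value (path plus optional args)."""
    path = data.replace("\\\\", "\\")          # undo .reg escaping of backslashes
    m = re.search(r'[^\\"]+\.(?:exe|bat|cmd)', path, re.IGNORECASE)
    return m.group(0).lower() if m else path.lower()

def parse_run_values(reg_text):
    """Yield (key, value_name, data) for string values under Run/RunOnce keys."""
    key = None
    for line in reg_text.splitlines():
        line = line.strip()
        if (m := re.match(r'^\[(.+)\]$', line)):
            key = m.group(1)
        elif key and re.search(r'\\run(once)?$', key, re.IGNORECASE):
            if (m := re.match(r'^"([^"]+)"="(.*)"$', line)):
                yield key, m.group(1), m.group(2)

def audit_run_entries(reg_text, max_distance=1):
    """Flag autostart entries on the watchlist or resembling a legitimate process."""
    findings = []
    for key, name, data in parse_run_values(reg_text):
        exe = exe_basename(data)
        reasons = ["file name on watchlist"] if exe in WATCHLIST else []
        if exe not in LEGIT:
            reasons += [f"looks like {l}" for l in sorted(LEGIT)
                        if levenshtein(exe, l) <= max_distance]
        if reasons:
            findings.append({"key": key, "name": name, "exe": exe, "reasons": reasons})
    return findings
```

Run it against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg`) and extend WATCHLIST with whatever your own investigation turns up.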