This morning I got a call from my ISP asking about a "VPN in Michigan" that was causing a large traffic spike. In one morning we uploaded over 6.5 GB (not all that much actually, in my opinion, probably time for a new ISP) which is double what we use on an ordinary day. When I heard 'VPN' I thought it might have something to do with the Sabre ticketing system we use in the office (my.sabre.com) but a call to them seems to have denied this possibility. The internet speed throughout the whole office was crawling early this morning, and our uploading spiked between 8pm last night and 8am this morning. The problem stopped when we asked everyone in the office to shut down and log out.
Our ISP told us that the data transfer was from our IP (24.207.7.180) to 69.14.91.69 (WideOutWest - another ISP).
At first I thought my computer might have been involved, but it should have been on standby all night. I did find some files that had been modified at 3am, but nothing that corresponds to the upload binge times. I did not find anything suspicious in Event Viewer.
I would love to know what files left the office this morning - how can I check that? We do run an Active Directory server, Exchange Server. Are there any logs I can consult on our server (and how do I find them)?