Since yesterday one our our servers (w2k server, exch 2000 sp3) starting transmitting a large amount of data to an ip in Korea. Stopping the smtp service on the server stops the traffic. The messages are coming from one of our users that works at that location and has a mailbox on that server. the users workstation is powered off yet the traffic continues. The server is fully patched and antivirus is up to date. Antivirus software (trend micro) shows no virus activity, but the security vendor seems to think that there is some malicious code running on the server and reccomends a rebuild and exchange store restore from mondays backup. I am not troubleshooting the problem directly.
Does anyone know what might be happening?