Re: Re: Increased activity on port 110

Yes, I'm seeing it too only on our Windows dedicated server farm. It appears to 
be related to MailEnable (Ensim/Plesk Customers). How they are getting infected 
I'm not sure yet. Possibly via servers with unpatched MailEnable. "rdriv.sys" 
gets installed in the "Windows\system32" folder.

Systems that got infected were also attempting to connect too 
x.x.x.x.01032-062.023.175.071.00081: PONG irc.hosted1.net which no longer 
appears up. 

-------------------------------------------------------------------------
This list sponsored by: SPI Dynamics

ALERT: "How a Hacker Launches a SQL Injection Attack!"- 
SPI Dynamics White Paper 
It's as simple as placing additional SQL commands into a Web Form input 
box giving hackers complete access to all your backend systems! 
Firewalls and IDS will not stop such attacks because SQL Injections are 
NOT seen as intruders. Download this *FREE* white paper from SPI Dynamics 
for a complete guide to protection! 

https://download.spidynamics.com/1/ad/sql.asp?Campaign_ID=70160000000CiNE
--------------------------------------------------------------------------