Learn how to repair a VPN server's Routing and Remote Access console after a suspected compromise: the poster reports a denial-of-service attack that took down the firewall, unfamiliar event-log entries, and an RRAS console that no longer opens or grants access to the Administrator.
Q: From adambeazley, "I set up a VPN at my office approximately 6-12 months ago and everything worked fine. The other day something happened. I'm not certain, but it seems as though I was hacked. The firewall had been killed (denial-of-service attack) and I found several unknown event log entries. Everything is up and running again. However, now when I go to the Routing and Remote Access console, I cannot see the tree, expand the server or arrange settings. Also, from time to time, when I try to access the properties of the server I receive an error message stating that I don't have the privileges to access the properties, even though I am logged in as the Administrator. Rebuilding it is not an option. Is there anything I can do to fix the Routing and Remote Access console tree?"
A: From mks3rd, "There are some cleaning tools available for the registry files, but it sounds like it may be easier to rebuild it or restore from a full backup taken prior to the date of your DoS event. Have you done a search on microsoft.com/technet? It is the place for BackOffice tools. But you should still think about rebuilding it. Or, if it is a PDC, build a BDC from scratch, then promote it. Then recreate the files you have to have on the newer server. Or, see if you can lease a box or get a consultant's help."
A: From aftabn, "Stop the Routing and Remote Admin service and uninstall it. Kill the process if you have to. Remove the TCP/IP protocol then restart the machine. Reinstall the protocol and then restart again. Install Routing and Remote Admin. You may want to go to www.pandasoftware.com and do a complete online scan."
A: From ItDefPat1, "Here's what I suggest:
- Check all accounts, all systems' registry, etc.
- Look for newly installed applications and system processes. There are a lot of free tools that will assist with this (unless you have Norton or similar).
- Consider rolling rebuilds. Take system No. 1 from a user, duplicate new system No. 2. You now have an original system No. 2; wipe and rebuild sys No. 3, which leaves No. 3 spare. Wipe No. 3, and so on as needed. You could donate your desktop to be the new file server to start. Seeing that I don't know what is in each of the systems, you may have to shuffle some hard drives and memory if needed.
- Get all antivirus updates. Scan everything. If you don't have antispyware, get free downloads. There are several good ones. You should use two or more to scan each system. (Please note: this option is only a temporary fix; it will allow you to keep your office up and running until you can rebuild your server.)"
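A scripted version of the host checks aftabn and ItDefPat1 describe (RRAS service state and its registry key permissions, local accounts, newly installed software, running processes), as an added example that is not part of the original thread or of anyone's posted answer. It assumes Windows PowerShell 5.1 on Windows Server 2016 or later, run from an elevated prompt; the poster's 2005-era server would not have it. The lookback window, the report path and the reading of Security event 4720's first property as the created account name are assumptions.

```powershell
# Post-compromise triage for a Windows RRAS host. Added example; not code from the
# original thread. Assumes Windows PowerShell 5.1 on Windows Server 2016 or later
# (Get-LocalUser needs that), run from an elevated prompt. $LookbackDays and
# $ReportPath are assumed values; set the window to the date of the suspected attack.
param(
    [int]$LookbackDays = 30,
    [string]$ReportPath = "$env:TEMP\rras-triage.txt"
)
$since  = (Get-Date).AddDays(-$LookbackDays)
$report = New-Object System.Collections.Generic.List[string]
function Add-Line([string]$Text) { $report.Add($Text); Write-Output $Text }

# 1. RRAS service state and who may write its registry key. The console's
#    "no privileges" symptom is consistent with a damaged ACL here; a healthy key
#    grants Full Control only to SYSTEM and Administrators.
Add-Line "== RRAS service =="
$svc = Get-Service -Name RemoteAccess -ErrorAction SilentlyContinue
if ($svc) { Add-Line ("RemoteAccess: {0} ({1})" -f $svc.Status, $svc.StartType) }
else      { Add-Line "RemoteAccess service not installed" }
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess'
if (Test-Path $key) {
    $acl = Get-Acl -Path $key
    Add-Line ("Key owner: {0}" -f $acl.Owner)
    foreach ($ace in $acl.Access) {
        Add-Line ("  {0,-40} {1,-5} {2}" -f $ace.IdentityReference, $ace.AccessControlType, $ace.RegistryRights)
    }
}

# 2. Local accounts, plus accounts created inside the window
#    (Security event 4720 = "A user account was created").
Add-Line "== Local accounts =="
Get-LocalUser | ForEach-Object {
    Add-Line ("  {0,-20} enabled={1} lastLogon={2}" -f $_.Name, $_.Enabled, $_.LastLogon)
}
$created = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720; StartTime = $since } `
    -ErrorAction SilentlyContinue
foreach ($e in $created) {
    # Assumption: property 0 of event 4720 is TargetUserName (the account that was created).
    Add-Line ("  created {0:u}: {1}" -f $e.TimeCreated, $e.Properties[0].Value)
}

# 3. Software installed since the incident, from the Uninstall keys (InstallDate is yyyyMMdd).
Add-Line "== Recently installed software =="
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.InstallDate -and $_.InstallDate -ge $since.ToString('yyyyMMdd') } |
    ForEach-Object { Add-Line ("  {0} {1}" -f $_.InstallDate, $_.DisplayName) }

# 4. Running processes whose executable is not carrying a valid Authenticode signature.
#    An unsigned binary is not proof of compromise, only the first thing to look at.
Add-Line "== Unsigned running processes =="
Get-Process | Where-Object { $_.Path } | Sort-Object Path -Unique | ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.Path
    if ($sig.Status -ne 'Valid') {
        Add-Line ("  {0,-6} {1} [{2}]" -f $_.Id, $_.Path, $sig.Status)
    }
}

$report | Set-Content -Path $ReportPath
Add-Line "Report written to $ReportPath"
```

Save the output before touching anything else; it is the baseline you compare against once the rebuild the other answers recommend is done. An ACL on the RemoteAccess key that grants Everyone or an unknown SID write access, an account you did not create, or an unsigned binary running from a user-writable path are the findings that turn "it may have been hacked" into a decision to wipe rather than repair.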
A: From bobkberg, "I get the feeling that you're feeling squeezed in terms of available resources -- like another server. If that's the case, see if your management will spring for a new hard disk, and then you can do your rebuild on the new disk (WITH THE ORIGINAL DISCONNECTED) after hours. Once you have done an evening's work, power off and put back the original disk for the next day's production. In the evening, swap back again until your rebuild is complete. Not ideal perhaps, but this approach allows you to proceed with the required rebuild while not interfering (much) with the daily production needs."
This question and answer thread was originally posted in the ITKnowledge Exchange forum.
This was first published in July 2005