How to repair a compromised VPN

Learn how to repair a VPN's Routing and Remote Access console after the network has been compromised by a DoS attack.

Q: From adambeazley, "I set up a VPN at my office approximately 6-12 months ago and everything worked fine. The other day something happened. I'm not certain, but it seems as though I was hacked. The

    Requires Free Membership to View

firewall had been killed (denial-of-service attack) and I found several unknown event log entities. Everything is up and running again. However, now when I go to the Routing and Remote Access console, I cannot see the tree, expand the server or arrange settings. Also, from time to time, when I try to access the properties of the server I receive an error message stating that I don't have the privileges to access the properties, even though I am logged in as the Administrator. Rebuilding it is not an option. Is there anything I can do to fix the Routing and Remote Access console tree?"

A: From mks3rd, "There are some cleaning tools available for the registry files, but it sounds like it may be easier to rebuild it or restore from a full back up prior to the date of your DoS event. Have you done a search on microsoft.com/technet? It is the place for Back Office tools. But you should still think about rebuilding it. Or, if it is a PDC, build a BDC from scratch then promote it. Then recreate the files you have to have on the newer server. Or, see if you can lease a box or consultant's help."

Security Seven Awards
TechTarget's Information Security magazine, SearchSecurity.com and Information Security Decisions have created the Security Seven Awards to recognize the achievements of leading information security practitioners in seven vertical industries. Winners will be chosen from the financial services, telecommunications, manufacturing, energy, government, education and health care industries. To nominate an individual for the Security Seven Awards, please complete the form and return it to securityseven@infosecuritymag.com by Aug. 1, 2005.

A: From aftabn, "Stop the Routing and Remote Admin service and uninstall it. Kill the process if you have to. Remove the TCP/IP protocol then restart the machine. Reinstall the protocol and then restart again. Install Routing and Remote Admin. You may want to go to www.pandasoftware.com and do a complete online scan."

A: From ItDefPat1, "Here's what I suggest:

  1. Check all accounts, all systems' registry, etc.
  2. Look for new installed applications and system processes.There are a lot of free tools that will assist with this. (Unless you have Norton or similar).
  3. Consider rolling rebuilds. Take system No. 1 from a user, duplicate new system No. 2. You now have an original system No. 2; wipe and rebuild sys No. 3, which leaves No. 3 spare. Wipe No. 3, and so on as needed. You could donate your desktop to be the new file server to start. Seeing that I don't know what is in each of the systems, you may have to shuffle some hard drives and memory if needed.
  4. Get all antivirus updates. Scan everything. If you don't have antispyware, get free downloads. There are several good ones. You should use two or more to scan each system. (Please note: this option is only a temporary fix; it will allow you to keep your office up and running until you can rebuild your server.)"

A: From bobkberg, " I get the feeling that you're feeling squeezed in terms of available resources -- like another server. If that's the case, see if your management will spring for a new hard disk, and then you can do your rebuild on the new disk (WITH THE ORIGINAL DISCONNECTED) after hours. Once you have done an evening's work, power off and put back the original disk for the next day's production. In the evening, swap back again until your rebuild is complete. Not ideal perhaps, but this approach allows you to proceed with the required rebuild while not interfering (much) with the daily production needs."


Discover five ways to harden the network infrastructure and protect data in the event that the network perimeter fails.

Learn how to ward off hackers with this resource guide

This question and answer thread was originally posted in the ITKnowledge Exchange forum.

Join your peers today and start receiving valuable answers to your toughest information security questions. Or network with your peers to exchange technical advice and strategic ideas on security topics. Visit the ITKnowledge Exchange.

This was first published in July 2005

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.