Routing & Remote Access – VPN

Tags: DHCP, DNS, Microsoft Windows, Networking, Networking services, Security, VPN
Hello all, I set up a VPN here at the office about 6-12 months ago and everything was working just fine. The other day some weird stuff happened; it looks to me like a hacker was involved. The firewall had been killed (DoS attack) and some weird event log entries were found. But anyway, we got everything up and running again; however, now when I go to "Routing and Remote Access" I cannot see the console tree. In other words, in the Routing management where you can usually see the server and expand the contents under the server and set up all of your settings, I cannot expand the server or set any settings. Sometimes when I try to access the "properties" of the server I get an error stating that I don't have the privileges to access the properties, and that is while being logged in as Administrator. Anyway, any insight or help would be appreciated. PS: the VPN is still functioning and I can connect from my house.

Answer Wiki


When a machine is suspected to have been compromised the wisest course of action is to rebuild the machine either from scratch or from a known state – such as a backup tape from a time known to be safe.

Discuss This Question: 14  Replies

 
  • Mks3rd
    I agree that you should unplug that box and rebuild it. There are some cleaning tools available for the registry files, but it sounds like it may be easier to rebuild it or restore from a full backup prior to the date of your DoS event.
    0 points
  • Adambeazley
    Thanks for your suggestions; however, I am not certain that the machine was compromised, and rebuilding this machine is not going to happen. This server is the center of our office; without the server up, 13 people are unemployed until it's up again. Anyway, rebuilding is not an option, so aside from rebuilding, can anyone help me fix the Routing and Remote Access console tree? Thanks, Adam
    0 points
  • ItDefPat1
    The most important thing you said so far is you are "not certain" it was hacked. When in doubt, throw it out :) Being as there was an event (DoS?) on the firewall, as well as "weird log entries", I would not even trust the system to play solitaire, let alone support business operations for a dozen people. You noted that if the server is down, everyone is unemployed. What if the data is (a) destroyed or (b) sent to your competitors? (Polish that resume, buddy.) If downtime is not an option, can you buy/borrow/steal a (nearly) comparable machine, if only temporarily? REBUILD. Get the RedBull/MountainDew/Coffee, and get it rebuilt. Hire a consultant if you need manpower. Having a potentially compromised system is really scary. BTW, what is the VPN for? Partner access? Employee remote access? Your VPN tunnel could be used to securely distribute virus/worm/trojan/spy/keylogger, etc. Sorry to go on and on, but this is bad, REAL BAD. Have you checked the privileges of the Administrator accounts? You said you logged in as admin but were denied access. Are you sure that an account wasn't renamed to be "Administrator" without God rights? Is this getting creepy yet? Any new accounts created on the server? Have you reviewed the server logs? (Also, are we talking about events on separate firewall and file server boxes?) That's all the bad stuff I could think about from what I remember you writing. Let me look again and see if it gets any worse (it probably will - it never gets better). IT Def Patrol
    15 points
  • Mks3rd
    Have you done a search on microsoft.com/technet? It is the place for back office stuff. But you still might think about getting the Dew out and rebuilding it. Or, if it is a PDC, build a BDC from scratch and then promote it. Then recreate the files you have to have on the newer server. Or, heck, see if you can lease a box or get a consultant's help...
    0 points
  • Ursulus
    I agree... a rebuild is essential as soon as possible. I realise this is not an immediate or short-term option, but you need to change EVERY user password on that box YESTERDAY! Check for any new services and check the Registry for stuff that executes on startup. If in doubt, search the exe name in Google. Good luck...
    0 points
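ItDefPat1's questions (is the account you are logged in as really the built-in Administrator, were accounts added, what do the logs say) and Ursulus's checklist (new services, registry startup entries) together make up the triage a practitioner runs before deciding whether the box can be trusted at all. The script below is an added example, not code from the original thread, from the posters, or from Microsoft. It assumes a Windows Server with PowerShell 5.1 or later run from an elevated prompt on the RRAS host itself; the 30-day window, the path filter and the "admin-looking name" heuristic are choices made here, not values from the thread. On a Windows 2000-era host the same checks are done by hand with `net user`, Services, regedit and Event Viewer.

```powershell
# Added triage example; not code from the original thread or from Microsoft.
# Assumptions: Windows Server with PowerShell 5.1+ (Get-LocalUser,
# Get-WinEvent, Get-CimInstance), run elevated on the RRAS host. The 30-day
# window, path filter and name heuristic are choices made here.

# 1. Is the account you are logged in as the real built-in Administrator?
#    The built-in account always has relative ID (RID) 500; a renamed or
#    newly created "Administrator" will not, which fits the symptom of being
#    "Administrator" yet denied access to the RRAS server properties.
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object System.Security.Principal.WindowsPrincipal($me)
[pscustomobject]@{
    User            = $me.Name
    SID             = $me.User.Value
    IsBuiltInRid500 = ($me.User.Value -match '-500$')
    InAdminRole     = $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
} | Format-List

# 2. Every local account, flagging admin-looking names that are not RID 500,
#    plus the current membership of the local Administrators group.
Get-LocalUser | Select-Object Name, Enabled, LastLogon,
    @{ n = 'RID';        e = { $_.SID.Value.Split('-')[-1] } },
    @{ n = 'Suspicious'; e = { $_.Name -like '*admin*' -and $_.SID.Value -notmatch '-500$' } } |
    Format-Table -AutoSize
Get-LocalGroupMember -Group 'Administrators' | Format-Table -AutoSize

# 3. Auto-start services whose binary lives outside the Windows and
#    Program Files trees; review every hit by hand (search the exe name).
Get-CimInstance Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' -and
                   $_.PathName -notmatch '^"?[A-Za-z]:\\(Windows|Program Files)' } |
    Select-Object Name, State, StartName, PathName | Format-Table -AutoSize

# 4. Registry autostart entries (Run / RunOnce) for the machine and the
#    current user.
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        (Get-ItemProperty $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' } |
            ForEach-Object { '{0}  {1} = {2}' -f $key, $_.Name, $_.Value }
    }
}

# 5. The RRAS service, who may control it, and who may read its registry key.
#    "sc sdshow" prints the service security descriptor in SDDL; expect only
#    SYSTEM (SY), Administrators (BA) and the usual built-ins such as
#    Interactive (IU) and Service (SU). An unexpected SID is a red flag, and a
#    stripped ACL on the RemoteAccess key is one way the console can end up
#    refusing an administrator.
Get-Service RemoteAccess | Select-Object Name, Status, StartType
sc.exe sdshow RemoteAccess
(Get-Acl 'HKLM:\SYSTEM\CurrentControlSet\Services\RemoteAccess').Access |
    Select-Object IdentityReference, RegistryRights, AccessControlType | Format-Table -AutoSize

# 6. Security log: accounts created and members added to a local group in the
#    last 30 days (event IDs 4720 and 4732 on Windows Vista/Server 2008 and
#    later; the Windows 2000/2003 equivalents are 624 and 636).
Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720, 4732
    StartTime = (Get-Date).AddDays(-30)
} -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message | Format-List
```

Run it from a clean admin workstation's notes in hand, not from the suspect box's own tools if you can avoid it, and treat the output as evidence to copy off the machine, not as a cleaning step: none of this removes anything, and a negative result does not clear the host. If step 1 shows the account you use as "Administrator" is not RID 500, or step 5 shows an unfamiliar SID in the service descriptor, the rebuild advice given above stops being optional.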
  • Dalibor
    Hello! Do you have some backup server? Something like a spare server? You could put your data from backup onto that spare machine and then rebuild the main server. Is your server on Win2K or WinXP? You can check running processes with a tool like Startup Mechanic 2.4 (www.startupmechanic.com); it has good diagnostics and advice for known and unknown services/processes. Regards, Dalibor
    10 points
  • Dalibor
    Sorry, I mixed up some replies (in my mind) :) This thing with Startup Mechanic applies to your and other PCs if you suspect an infection with viruses or other things. It would be wise to check your PC at home.
    10 points
  • TedRizzi
    Most likely your machine was or still is infected with a virus. We had a machine infected with the RBot virus that behaved like that; even after the virus was removed, the machine continued to behave strangely. The damage is done and cannot be repaired fully. The best course of action would be rebuilding the machine. I would replace the hard drive as well; you never know what was left on it, and even formatting it may not clean off everything.
    0 points
  • Aftabn
    Stop the Routing and Remote Admin service and then uninstall it. Kill the process if you have to. Remove the TCP/IP protocol, then restart the machine. Reinstall the protocol and then restart again. Install Routing and Remote Admin. Another thing that you might want to do is go to www.pandasoftware.com and do a complete online scan.
    0 points
  • Anannymouse
    Hello Adam, you have been given the best advice already, rebuild, but let me explain why it is required. First, let's assume you have performed anti-virus/spyware/trojan/rootkit scans using your favorite 3 tools for each job and that you have searched TechNet and Google (or another favorite search engine) and found nothing helpful. Let's also assume that, since you are asking here, you have exhausted your expertise with the system. Congratulations, you have done your best and have displayed one of the primary signs of wisdom - asking for help when you need it.

    Based on your description of the situation, your system is either 0wned, infected or damaged to a point where you are unable to fix it, remediate any threat it may pose or trust it as a stable and secure business platform. If your business deals with anything but 100% public information (think the company's private financial records, customer list, etc.) then you need to regain trust, security and stability of your server. The only way to be sure of this is to rebuild.

    Now, I understand that this means people will not be working during the rebuild, but the server can be taken down after working hours. If you are a 7/24/365 shop then you will need to select a slow time to take the server down. May I also suggest creation of a service level agreement with the business that allows for regular maintenance and emergency servicing of the server? If possible you should look into a second device to serve as a backup to the main server (even if only temporarily). Rebuilding the server should not take that long (obviously this will depend on your skill level and the tweaking required); then you can restore from a known good (and clean) backup. To make this faster in the future you could look into purchasing a Ghost-like product and produce an image of your server that can be quickly staged.

    So to recap: You have asked for help/advice - take it. If security, reliability or stability are important to you, you must rebuild. Minimize the impact to your users by doing the work after hours or during a slow period. If possible, create an image of the clean server to make this process faster if/when you need to do it again. If possible, have a backup server on hand or accessible. Learn from your situation. Develop a response plan for this sort of situation, because it will happen again. Develop a process for allowing the server to be down for short periods in the event it is required. I would also suggest an external security review of your installation. If it was a hacker or virus/worm and you use the exact same setup as before, they will get in just like before. Good luck and let us know how it goes. A.
    0 points
  • ItDefPat1
    All good info. Note that even Fdisk may not clear everything off the drive. There are "wipe" products that will do a combination of reformat/overwrite/repeat to be sure it's clean (manually, you could fdisk/format around 7 times to be safe). Like others have suggested, check all accounts, all systems' registry, etc. Look for newly installed applications and system processes. There are a lot of free tools that will assist with this (unless you have Norton or similar). Another suggestion, to get you through all the rebuild: rolling rebuilds. Take system #1 from a user, duplicate new system #2. You now have an original system #2; wipe and rebuild sys #3, which leaves #3 spare. Wipe #3, and so on as needed. You could donate your desktop to be the new file server to start (you won't be checking your email for a while anyways). Of course, I don't know what is in each of the systems, so you might have to shuffle some hard drives and memory if needed. Also, get all antivirus updates: full scan everything. If you don't have anti-spy, get free downloads. There are several good ones. I keep hearing recommendations to use more than one - I agree - use two or more to scan each system. (Installing all this is a temporary fix to keep your office working until you can rebuild - scan the living daylights out of any system until it is rebuilt. Scan, scan, scan.) The point, as we have all said, is that at this point you can't trust any of your systems. Unfortunately, you are probably 0wn3d at this point.
    15 points
  • Bobkberg
    All good advice above. Take it. However - I get the feeling that you're feeling squeezed in terms of available resources - like another server... If that's the case, see if your management will spring for a new hard disk, and then you can do your rebuild on the new disk (WITH THE ORIGINAL DISCONNECTED) after hours. Once you have done an evening's work, power off, and put back the original disk for the next day's production. In the evening, swap back again until your rebuild is complete. Not ideal perhaps, but this approach allows you to proceed with the required rebuild while not interfering (much) with the daily production needs. Bob
    1,070 points
  • Adambeazley
    Great minds think alike, but your comments take our issue to a deeper level. Can you please explain more of what you mean by
    0 points
  • Genderhayes
    If your RRAS server is behind a perimeter firewall, or is running a host-based firewall such as Windows Firewall with Advanced Security, then configure the required firewall rules to permit virtual private network (VPN) traffic through the firewall to the RRAS server.
    7,440 points
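Genderhayes's reply names the requirement without listing the rules. The following is an added example, not from the original thread or from Microsoft's documentation. It assumes Windows Server 2012 or later with the NetSecurity module and a host-based Windows Firewall on the RRAS server, run from an elevated prompt; the rule display names are made up here. Create only the entries for the tunnel type the clients actually use: opening PPTP's TCP 1723 and GRE when everyone connects over L2TP/IPsec or SSTP just adds listening surface to a box that has already been targeted once.

```powershell
# Added example; not code from the original thread or from Microsoft.
# Assumes Windows Server 2012+ (NetSecurity module) and an elevated prompt on
# the RRAS host. Rule display names are invented here. Keep only the entries
# for the tunnel type your clients really use.

$vpnRules = @(
    # PPTP: TCP 1723 control channel plus GRE (IP protocol 47) for the tunnel.
    @{ DisplayName = 'RRAS VPN - PPTP control (TCP 1723)'; Protocol = 'TCP'; LocalPort = 1723 },
    @{ DisplayName = 'RRAS VPN - PPTP tunnel (GRE)';       Protocol = 47 },
    # L2TP/IPsec: IKE on UDP 500, NAT traversal on UDP 4500, ESP (IP protocol 50).
    @{ DisplayName = 'RRAS VPN - IKE (UDP 500)';           Protocol = 'UDP'; LocalPort = 500 },
    @{ DisplayName = 'RRAS VPN - IPsec NAT-T (UDP 4500)';  Protocol = 'UDP'; LocalPort = 4500 },
    @{ DisplayName = 'RRAS VPN - ESP';                     Protocol = 50 },
    # SSTP: TLS on TCP 443.
    @{ DisplayName = 'RRAS VPN - SSTP (TCP 443)';          Protocol = 'TCP'; LocalPort = 443 }
)

foreach ($rule in $vpnRules) {
    # Idempotent: skip rules that already exist so re-running does not duplicate them.
    if (Get-NetFirewallRule -DisplayName $rule.DisplayName -ErrorAction SilentlyContinue) {
        "exists: $($rule.DisplayName)"
        continue
    }
    New-NetFirewallRule @rule -Direction Inbound -Action Allow -Profile Any -Enabled True |
        Select-Object DisplayName, Enabled, Profile, Action
}

# Verify what is actually open: one row per rule with its protocol and port.
Get-NetFirewallRule -DisplayName 'RRAS VPN - *' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $filter.Protocol; LocalPort = $filter.LocalPort }
    } | Format-Table -AutoSize
```

On recent Windows Server versions installing the Remote Access role also registers predefined inbound rules in the "Routing and Remote Access" display group; check `Get-NetFirewallRule -DisplayGroup 'Routing and Remote Access'` first and enable those rather than duplicating them. The verification step at the end matters as much as the rule creation: after an incident the firewall rule set is one of the things to diff against what you expect, since an attacker who wants the VPN to keep working for them has every reason to leave it, and its rules, untouched.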
