Comments on: Routing & Remote Access – VPN

By: Casey Lira

Casey Lira — Thu, 04 Feb 2010 16:24:22 +0000

Great minds think alike, but your comments take our issue to a deeper level. Can you please explain more of what you mean by

By: bobkberg

bobkberg — Tue, 05 Jul 2005 11:56:05 +0000

All good advice above. Take it.

However – I get the feeling that you’re feeling squeezed in terms of available resources – like another server…

If that’s the case, see if your management will spring for a new hard disk, and then you can do your rebuild on the new disk (WITH THE ORIGINAL DISCONNECTED) after hours. Once you have done an evening’s work, power off, and put back the original disk for the next day’s production.

In the evening, swap back again until your rebuild is complete.

Not ideal perhaps, but this approach allows you to proceed with the required rebuild while not interfering (much) with the daily production needs.

Bob

By: itdefpat1

itdefpat1 — Wed, 29 Jun 2005 08:27:53 +0000

All good info. Note that even Fdisk may not clear everything off drive. There are “wipe” products that will do a combination of reformat/overwrite/repeat to be sure its clean (manually, you could fdisk/format around 7 times to be safe).

Like others have suggested, check all accounts, all systems’ registry, etc. Look for new installed applications and system processes. There are a lot of free tools that will assist with this. (Unless you have Norton or similar).

Another suggestion, to get you through all the rebuild – rolling rebuilds. Take system #1 from a user, duplicate new system #2. You now have an original system #2; wipe and rebuild sys #3, which leaves #3 spare. Wipe #3, and so on as needed. You could donate your desktop to be the new file server to start (you won’t be checking your email for a while anyways). Of course, I don’t know what is in each of the systems, so you might have to shuffle some hard drives and memory if needed.

Also, get all antivirus updates: full scan everything. If you don’t have anti-spy, get free downloads. There are several good ones. I keep hearing recomendations to use more than one – I agree – use two or more to scan each system. (Installing all this is a temporary fix to keep your office working until you can rebuild – scan the living daylights out of any system until it is rebuilt. Scan, scan, scan.)

The point as we have all said is that at this point you can’t trust any of your systems. Unfortunately, you are probably 0wn3d at this point.

By: anannymouse

anannymouse — Wed, 29 Jun 2005 08:23:27 +0000

Hello Adam,

You have been given the best advice already, rebuild, but let me explain why it is required.

First, let?s assume you have performed anti-virus/spyware/trojan/rootkit scans using your favorite 3 tools for each job and that you have searched TechNet and Google (or other favorite search engine) and found nothing helpful. Let?s also assume that, since you are asking here, you have exhausted your expertise with the system. Congratulations, you have done your best and have displayed one of the primary signs of wisdom – asking for help when you need it.

Based on your description of the situation your system is either 0wned, infected or damaged to a point you are unable to fix it, remediate any threat it may pose or trust it as a stable and secure business platform. If your business deals with anything but 100% public information (think companies private financial records, customer list, etc.) then you need to regain trust, security and stability of your server. The only way to be sure of this is to rebuild.

Now, I understand that this means people will not be working during the rebuild but the server can be taken down after working hours. If you are a 7/24/365 shop then you will need to select a slow time to take the server down. May I also suggest creation of a service level agreement with the business that allows for regular maintenance and emergency servicing of the server? If possible you should look into a second device to serve as a backup to the main server (even if only temporarily).

Rebuilding the server should not take that long (obviously this will depend on your skill level and the tweaking required) then you can restore from a known good (and clean) backup. To make this faster in the future you could look into purchasing a ghost like product and produce an image of your server that can be quickly staged.

So to recap:
You have asked for help/advise – take it.
If security, reliability or stability are important to you you must rebuild.
Minimize the impact to your users by doing the work after hours or during a slow period.
If possible create an image of the clean server to make this process faster if/when you need to do it again.
If possible have a back-up server on hand or accessible.
Learn from your situation. Develop a response plan to this sort of situation because it will happen again. Develop a process for allowing the server to be down for short periods in the event it is required.

I would also suggest an external security review of your installation. If it was a hacker or virus/worm and you us the exact same set-up as before they will get in just like before.

Good luck and let us know how it goes.

By: aftabn

aftabn — Wed, 29 Jun 2005 08:18:42 +0000

stop the Routing and Remote Admin service and then uninstall it. Kill the process if you have to. Remove the TCP/IP protocol then restart the machine. reinstall the protocol and then restart again. install Routing and Remote Admin.
Another thing that you might want to do is go to http://www.pandasoftware.com and do a complete online scan.

By: tedrizzi

tedrizzi — Wed, 29 Jun 2005 07:28:39 +0000

Most likely your machine was or still is infected with a virus.. We had a machine infected with the RBot virus that behaved like that, even after the virus was removed, the machine continued to behave strangely,, the damage is done, and cannot be repaired fully, the best course of action would be rebuilding the machine, I would replace the harddrive as well, you never know what was left on it, even formatting it may not clean off everything.

By: dalibor

dalibor — Wed, 29 Jun 2005 05:59:05 +0000

Sorry, I mix up some replays (in my mind)
This thing with Startup Mechanic goes for your and other PC-s if you suspect in infection with some viruses or other things. It will be wisely to check your PC at home.

By: dalibor

dalibor — Wed, 29 Jun 2005 05:40:47 +0000

Hello!
Have You some backup server? Something like spare server?
You cold put your data from backup onto that spare machine and then rebuild main server.
Is your server on Win2K or WinXP?
You can check running processes with some tool like Startup Mechanic 2.4 (www.startupmechanic.com), there have good diagnostics and advices for known and unknown services – processes.

Regards,
Dalibor

By: ursulus

ursulus — Wed, 29 Jun 2005 04:40:40 +0000

I agree.. a rebuild is essential as soon as possible.

I realise this is not an immediate or short term option but you need to change EVERY user password on that box YESTERDAY!

Check for any new services and check the Registry for stuff that executes on Startup. If in doubt, search the exe name in google.

Good luck…

By: mks3rd

mks3rd — Tue, 28 Jun 2005 16:53:43 +0000

Have you done a search on microsoft.com/technet? it is the place for back office stuff. But you still might think about gettin the Dew out and rebuilding it. Or if it is a PDC build a BDC from scratch then promote it. Then recreate the files you have to have on the newer server. Or heck see if you can lease a box or consultants help…