Is my system compromised? I got message about ntoskrnl.exe

3

I am not sure whether this question belongs here or not, but let me try.

When I got to the office this morning, one of my colleagues had a problem with his laptop and told me he had trouble restarting it, and when he finally did he got the following message, which says everything was coming from my IP (laptop):

Application has changed since the last time you opened it, process id: 0
Filename: C:\Windows\system32\ntoskrnl.exe
The change was denied by user.
---- Modules changed: 1 ----
C:\Windows\system32\ntoskrnl.exe
---- New modules: 0 ----

The only change I made to my laptop is that I turned on XP_cmdshell yesterday, since I was not able to run some T-SQL script. I don't know whether it is related or not.

I am on Windows XP SP3 and SQL Server 2008.

Please help me understand if my system is compromised and this is a problem at all.

Thanks,

UPDATE: I ran antivirus and it came back clean!

DaniSQL

Posted 2010-03-04T15:35:55.240

Reputation: 131

Answers

2

Can you run the System File Checker on your system? At a command prompt type sfc/runnow and be sure to have your Windows XP disk handy.

Dave M

Posted 2010-03-04T15:35:55.240

Reputation: 12 811

Thanks Dave. I am running antivirus now. Can I simultaneously run System File Checker? – DaniSQL – 2010-03-04T16:21:51.787

I would not run the file checker at the same time – Dave M – 2010-03-04T16:32:43.017

I have run sfc /scannow and everything is fine. – DaniSQL – 2010-03-04T17:32:57.607

Does that mean I am fine and can take my laptop online now? – DaniSQL – 2010-03-04T17:48:12.723

If everything is coming up clean...see my comments in my answer below. I am really suspecting it's an issue with Symantec. – Bart Silverstrim – 2010-03-04T17:52:55.770

Sorry guys, I screwed up. I was diagnosing the wrong machine all day. The IP that was mentioned in the Symantec report's back trace information was my desktop IP, not my laptop. I ran AV on both of them and it came back clean, but I didn't take my desktop offline this morning. I only took my laptop offline and ran System File Checker. Now I ran System File Checker on my desktop and it asked me to insert the CD, which I did. It just finished and I get no message. What is the implication? SFC asks for the WinXP CD; does that mean my system is compromised? N.B. Xp_cmdshell was also turned on yesterday on the desktop. – DaniSQL – 2010-03-04T23:07:15.787

1

I would think it depends on what your script does, for one.

To see if your system was infected with something, I'd start scanning it with updated antivirus definitions of your favorite scanner as well as Ad-Aware and Spybot Search & Destroy. You can also run Process Explorer to test and see if there are unusual processes running in the background, and Autoruns (both of these are part of Sysinternals; Google for the free download).

If you're handy with Linux, you can set up a system or VM to intercept your laptop's network traffic (or have a mirrored port on the switch) and monitor outgoing network traffic from your laptop to look for suspicious activity, and check logs of other machines on your network to see if your computer is trying to access files or copy things to other places without permission. If you're an admin user on the network there's really no telling how far malware could have gotten through the hidden system shares and other shares you have legitimate access to. Have servers updated with new virus definitions and have them do a scan as well.

If nothing really stands out after checking your own system, you could also run a chkdsk on your colleague's computer, just to check and see if for some reason there's corruption, but you said that this is logged somewhere that had your system's IP showing up... so that is rather odd.

Run as many of the checks as possible offline, as soon as possible. You need to be online long enough to get updates and the latest signatures, and it sounds like if there's an infection the damage was done already, but as soon as you can, get your laptop offline to check for infections and clean up.

This link seems to have some good information on spyware removal.

Bart Silverstrim

Posted 2010-03-04T15:35:55.240

Reputation: 1 755

Thank you. My antivirus is up to date and I am already running Symantec Antivirus to see if there is anything going on. Also, I already took the laptop offline. The script I ran is just a simple script that is used to automate database server monitoring. It checks whether all the jobs on the SQL Server ran successfully or failed, how much disk space I have left on each disk and stuff like that, and emails it to me. I got it from SQL Server Central (http://www.sqlservercentral.com/articles/Automating+SQL+Server+Health+Checks/68910/)

– DaniSQL – 2010-03-04T16:18:30.263

... So before I ran it on my servers I tested it out on my laptop and it was not successful. It asked me to turn on xp_cmdshell and I did, and everything works fine. I was planning to run the script on all servers today to automate my tasks.

N.B. I had admin privileges on my machine and some of the servers on the network. I use my domain account to connect to servers; what is the best practice if you have to monitor database servers? – DaniSQL – 2010-03-04T16:18:56.173

Best practice is to use the minimum privileges necessary to do the job :-) Really, if an admin user gets compromised, and it can easily happen, something could easily start spreading and doing things impersonating that admin user. For all you know you've managed to get a rootkit and someone is remote controlling your system. Have you checked other systems for odd log entries? Are you DHCP'd so someone else might have had your IP address, so you're checking the wrong machine for that time of supposed access to the coworker's computer? – Bart Silverstrim – 2010-03-04T17:00:46.153

If it's an automated attack, there should be periodic instances of attempted access, not just one. And you cross-referenced the time to make sure your laptop had that address when it happened? Are you able to run a packet sniffer, as someone or something may be spoofing your address? And is your coworker on a system that wasn't taken somewhere else with a similar IP network, so it looks like your system but wasn't? Also, you may want to use a boot disk as outlined in the link above, so if there is malware it isn't resident and hiding in memory when trying to find it. – Bart Silverstrim – 2010-03-04T17:02:41.143

I'd also try putting a system on the network running a packet sniffer to see if anything odd shows up. Look at arp table entries on some systems, see if something weird is listed there, and see if there are rogue systems showing up. Do you have wireless access points on the network that someone might have hopped onto? – Bart Silverstrim – 2010-03-04T17:04:03.980

Searching online... are you running Symantec? Your coworker may not have quite so much to worry about, if he was just recently doing updates. Check this: http://www.symantec.com/connect/forums/network-threat-protection-ntoskrnlexe-new

– Bart Silverstrim – 2010-03-04T17:07:38.433

I ran sfc /scannow and everything is fine. My colleague's machine is fine too. I am a DBA and the sysadmins are looking into the problem. Do I have to worry about the security of the SQL Server instances that I connect to from my laptop? – DaniSQL – 2010-03-04T17:35:20.907

Yes, I am running Symantec. – DaniSQL – 2010-03-04T17:43:52.187

From the sounds of the Symantec link in my comments, it may be an issue with doing updates and Symantec's threat program... you might get more info digging into that (pass it on to your admins) and see if it's a false alert due to Symantec. If I were you I'd have reason to calm down a bit if it was just Symantec being a pain now. Maybe Google can unearth other instances of it. Your searches are coming up clean and I found a few hits matching your description from Symantec-related issues :-) – Bart Silverstrim – 2010-03-04T17:52:14.790

Thanks Bart. What makes me nervous is that I turned on Xp_cmdshell yesterday and the next day I was told my system was trying to modify somebody else's Windows kernel. This might be a coincidence, but I also know it is good practice to turn off xp_cmdshell for security reasons. I have access to all database servers and I just want to make sure that my system is not compromised. – DaniSQL – 2010-03-04T18:18:34.347
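Since the thread above recommends leaving xp_cmdshell off, here is an added T-SQL example (not from the thread or from the SQL Server Central script) showing how to check whether xp_cmdshell is enabled on a SQL Server 2008 instance and return it to the default disabled state. It assumes sysadmin rights on the instance.

```sql
-- Added example, not part of the original thread. Requires sysadmin on the instance.

-- 1. Inspect the current state without changing anything.
--    value_in_use = 1 means xp_cmdshell is currently enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Turn xp_cmdshell back off (the default and the recommended state).
--    xp_cmdshell is an advanced option, so advanced options must be visible first.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
-- Hide the advanced options again so the surface stays as it was.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Confirm the change took effect (expect value_in_use = 0).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
```

If a monitoring script needs OS-level information such as free disk space, prefer a lower-privilege alternative (for example a scheduled Agent job step that runs under a proxy account) over leaving xp_cmdshell enabled instance-wide.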

1

The text of the message you're describing sounds like something generated by the Sygate Personal Firewall application.

If your colleague has just installed their security patches from this past month, it could be related to that; the February 2010 patches included updates to the Windows kernel (aka ntoskrnl.exe). If there are kernel problems then the system is more likely to be blue screening, and the crash dumps will provide you a wealth of information that can point to the problem software or possible infection.

Even if the cause of this message is benign, there may still be malware on the system. I would suggest you look for other indicators of compromise (poor performance, strange outbound network traffic, goofy popups, etc.)

Bob

Posted 2010-03-04T15:35:55.240

Reputation: 285

Thanks Bob. They patched all Windows machines three weeks ago. I am not sure if they installed their security patches on this laptop. Is there an easy way for me to know that?

Also, something that came from my IP tried to change the kernel on my colleague's machine, but it was denied by his machine. – DaniSQL – 2010-03-04T17:45:45.020

Bob, the message is generated by Symantec reports and we found my IP in the back trace information. – DaniSQL – 2010-03-04T19:20:27.713