3

I am not sure whether this question belongs here or not, but let me try.

When I got to the office this morning, one of my colleagues had a problem with his laptop and told me he had trouble restarting it, and when he finally did he got the following message, which says everything was coming from my IP (laptop):

Application has changed since the last time you opened it, process id: 0
Filename: C:\Windows\system32\ntoskrnl.exe
The change was denied by user.
---- Modules changed: 1 ----
C:\Windows\system32\ntoskrnl.exe
---- New modules: 0 ----

The only change I made to my laptop is that I turned on xp_cmdshell yesterday, since I was not able to run some T-SQL script. I don't know whether it is related or not.

I am on Windows XP SP3 and SQL Server 2008.

Please help me understand whether my system is compromised and whether this is a problem at all.

Thanks,

UPDATE: I ran antivirus and it comes back clean!

0

3 Answers

2

Can you run the System File Checker on your system? At a command prompt type `sfc /scannow` and be sure to have your Windows XP disc handy.

6
  • Thanks Dave. I am running antivirus now. Can I simultaneously run System File Checker?
    – DaniSQL
    Commented Mar 4, 2010 at 16:21
  • I would not run the file checker at the same time.
    – Dave M
    Commented Mar 4, 2010 at 16:32
  • I have run sfc /scannow and everything is fine.
    – DaniSQL
    Commented Mar 4, 2010 at 17:32
  • Does that mean I am fine and can take my laptop online now?
    – DaniSQL
    Commented Mar 4, 2010 at 17:48
  • If everything is coming up clean... see my comments in my answer below. I am really suspecting it's an issue with Symantec. Commented Mar 4, 2010 at 17:52
1

I would think it depends on what your script does, for one.

To see if your system was infected with something, I'd start by scanning it with updated antivirus definitions from your favorite scanner, as well as Ad-Aware and Spybot Search & Destroy. You can also run Process Explorer to check whether there are unusual processes running in the background, and Autoruns (both of these are part of Sysinternals; google for the free download).

If you're handy with Linux, you can set up a system or VM to intercept your laptop's network traffic (or have a mirrored port on the switch), monitor outgoing network traffic from your laptop to look for suspicious activity, and check logs on other machines on your network to see if your computer is trying to access files or copy things to other places without permission. If you're an admin user on the network, there's really no telling how far malware could have gotten through the hidden system shares and other shares you have legitimate access to. Have servers updated with new virus definitions and have them do a scan as well.

If nothing really stands out after checking your own system, you could also run chkdsk on your colleague's computer, just to check whether there's corruption for some reason, but you said that this is logged somewhere that had your system's IP showing up... so that is rather odd.

Run as many of the checks offline as you can, as soon as possible. You need to be online long enough to get updates and the latest signatures, and it sounds like if there's an infection the damage was done already, but as soon as you can, get your laptop offline to check for infections and clean up.

This link seems to have some good information on spyware removal.

10
  • Thank you. My antivirus is up to date and I am already running Symantec Antivirus to see if there is anything going on. Also, I already took the laptop offline. The script I ran is just a simple script that is used to automate database server monitoring. It checks whether all the jobs on the SQL Server ran successfully or failed, how much disk space I have left on each disk, and stuff like that, and emails it to me. I got it from SQL Server Central (sqlservercentral.com/articles/…)
    – DaniSQL
    Commented Mar 4, 2010 at 16:18
  • ... So before I ran it on my servers I tested it out on my laptop and it was not successful. It asked me to turn on xp_cmdshell and I did, and everything works fine. I was planning to run the script on all servers today to automate my tasks. N.B. I have admin privileges on my machine and some of the servers on the network. I use my domain account to connect to servers. What is the best practice if you have to monitor database servers?
    – DaniSQL
    Commented Mar 4, 2010 at 16:18
  • Best practice is to use the minimum privileges necessary to do the job :-) Really, if an admin user gets compromised, and it can easily happen, something could easily start spreading and doing things impersonating that admin user. For all you know you've managed to get a rootkit and someone is remote controlling your system. Have you checked other systems for odd log entries? Are you DHCP'd so someone else might have had your IP address, so you're checking the wrong machine for that time of supposed access to the coworker's computer? Commented Mar 4, 2010 at 17:00
  • If it's an automated attack, there should be periodic instances of attempted access, not just one. And you cross-referenced the time to make sure your laptop had that address when it happened? Are you able to run a packet sniffer, as someone or something may be spoofing your address? And is your coworker on a system that wasn't taken somewhere else with a similar IP network, so it looks like your system but wasn't? Also, you may want to use a boot disk as outlined in the link above, so if there is malware it isn't resident and hiding in memory when trying to find it. Commented Mar 4, 2010 at 17:02
  • I'd also try putting a system on the network running a packet sniffer to see if anything odd shows up. Look at arp table entries on some systems, see if something weird is listed there, and see if there are rogue systems showing up. Do you have wireless access points on the network that someone might have hopped onto? Commented Mar 4, 2010 at 17:04
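The question turns on xp_cmdshell having been left enabled, and the comment above recommends running with the minimum privileges the job needs. The following T-SQL is an added example, not code from the thread or from the SQL Server Central script the poster used: it shows how to see whether xp_cmdshell is on, how to enable it only for the duration of the work and switch it back off, and how to collect the two monitoring values the poster describes (job outcomes and free disk space) from msdb and xp_fixeddrives without any shell access at all. It assumes a sysadmin connection to a SQL Server 2008 instance; the `dir` command is a constructed placeholder for whatever the script needed the shell for.

```sql
-- Added example (not from the original thread). Assumes a sysadmin connection.

-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means it is live.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. If it really must be used, enable it only for the duration of the work...
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- ... run the command that needs it (constructed placeholder: free bytes on C:) ...
EXEC master..xp_cmdshell 'dir C:\ | find "bytes free"';

-- ... and turn it back off immediately afterwards. Commands run through
-- xp_cmdshell execute as the SQL Server service account, so leaving it on
-- hands that account's OS privileges to anyone who can reach the instance
-- as sysadmin.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Least-privilege alternative: the checks the poster describes are
--    available without xp_cmdshell.

-- SQL Agent jobs that failed in the last 24 hours (run_status 0 = Failed).
-- step_id = 0 rows are the overall job outcome rather than individual steps;
-- run_date is stored as an int in yyyymmdd form, hence the CONVERT with style 112.
SELECT j.name AS job_name,
       h.run_date, h.run_time, h.message
FROM msdb.dbo.sysjobhistory AS h
JOIN msdb.dbo.sysjobs AS j ON j.job_id = h.job_id
WHERE h.step_id = 0
  AND h.run_status = 0
  AND h.run_date >= CONVERT(int, CONVERT(char(8), DATEADD(day, -1, GETDATE()), 112))
ORDER BY h.run_date DESC, h.run_time DESC;

-- Free space in MB per fixed drive; no shell required.
EXEC master..xp_fixeddrives;
```

Re-running the first SELECT after the work is the check worth keeping in a monitoring script: if value_in_use for xp_cmdshell is still 1 on a server where nothing should need it, that is a configuration drift worth alerting on.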
1

The text of the message you're describing sounds like something generated by the Sygate Personal Firewall application.

If your colleague has just installed their security patches from this past month, it could be related to that: the February 2010 patches included updates to the Windows kernel (aka ntoskrnl.exe). If there are kernel problems, then the system is more likely to be blue-screening, and the crash dumps will provide you a wealth of information that can point to the problem software or possible infection.

Even if the cause of this message is benign, there may still be malware on the system. I would suggest you look for other indicators of compromise (poor performance, strange outbound network traffic, goofy popups, etc.).

2
  • Thanks Bob. They patched all Windows machines three weeks ago. I am not sure if they installed their security patches on these laptops. Is there an easy way for me to know that? Also, something that came from my IP tried to change the kernel on my colleague's machine, but it was denied by his machine.
    – DaniSQL
    Commented Mar 4, 2010 at 17:45
  • Bob, the message is generated by Symantec reports and we found my IP in the backtrace information.
    – DaniSQL
    Commented Mar 4, 2010 at 19:20