OS Security

jwstock

What is lock.sah?
I have found a file on my webserver running Windows 2000 Server called lock.sah. It is in my system32 directory. Is this a legitimate file?

SheharyaarSaahil 🇦🇪

Hello jwstock =)

It's not present on my machine, and if you search on Google, you will notice that many results show that it's related to some SETI@Home or SETIWatch type program (I think it's a screensaver).... so do you have such a program? :-?
And have you checked this file's properties by right-clicking it and looking in Properties?

SOLUTION
SheharyaarSaahil 🇦🇪


Lee W, MVP 🇺🇸

As SheHar suggests, these are almost certainly files from SETI@HOME. Search your drive for more .SAH (S as in SETI, A as in AT, H as in HOME). You'll probably find several.

jwstock

ASKER

I did run a search and found several .sah files. My only confusion is that SETI@home is not installed on this machine and according to the creation date on the files they have been loaded only recently. Some of them were updated today? I will run the tool and see what it finds, but something tells me that there are bigger issues here.

SheharyaarSaahil 🇦🇪

>> but something tells me that there are bigger issues here.
Hmmmmm, I don't think so..... if they are related to some BIG or known viruses or trojans..... they must be common everywhere and there should be lots of information on them.
Don't you worry :)

Lee W, MVP 🇺🇸

It could be that SETI@home WAS installed - the command line version - there would be no trace of the program in Add/Remove Programs if it were the command line version. I knew a guy who was obsessed with running it and did so, but renamed the executable as something like a Windows service so you might THINK it was a Windows program, but it wasn't. What are the names of two or three of the other files?

Lee W, MVP 🇺🇸

ftp://alien.ssl.berkeley.edu/pub/setiathome-3.08.i386-winnt-cmdline.exe will download the command line version. Also, note that those files are created in the directory the command was run in. You can find out who likely put the files there by opening the smaller .SAH files in Notepad. One should contain the email address of the SETI@HOME user who was running them.

jwstock

ASKER

In viewing processes I found a process called svhost.exe (not svchost.exe) that was hammering my CPU. It was created in the system32 directory on the same day as the .sah files. Also, INSTSRV.exe and SRVANY.exe were created the same day. I know that those are NT files used for creating services in NT/2000, but no one here has ever used them to my knowledge. I will continue to investigate, but this is getting weird.

SheharyaarSaahil 🇦🇪

>> svhost.exe
This is for sure... a nasty one!
But the other two are really the files for running applications as services..... hmmmmm interesting! :)

ASKER CERTIFIED SOLUTION
Lee W, MVP 🇺🇸


jwstock

ASKER

Good call leew. I opened the svhost.exe in WordPad, mostly compiled gibberish, but 2/3 of the way through I found some notes. This is the Seti@home executable. Unfortunately I could not find anything in the .sah files that will give up the id of who did this. The only user reference that I found was socks. I will have to keep searching, but I do appreciate the help.
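
The triage carried out across this thread (files created around the same time as lock.sah, a process name one letter off svchost.exe, and the INSTSRV.exe/SRVANY.exe service tools appearing the same day) can be written as a small check. This is an added example, not part of the original posts; the timestamps, the `example.sah` name, the short list of system process names and the 24-hour window are assumptions.

```python
from datetime import datetime, timedelta

# Short illustrative list of real Windows process names that impostors imitate.
KNOWN_SYSTEM = {"svchost.exe", "lsass.exe", "services.exe", "winlogon.exe", "csrss.exe"}
# Resource Kit tools that register any executable as a service.
SERVICE_WRAPPERS = {"instsrv.exe", "srvany.exe"}

def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def triage(listing, seed_name, window=timedelta(hours=24)):
    """listing: (filename, creation time) pairs. Returns {filename: [reasons]}."""
    files = {name.lower(): created for name, created in listing}
    seed = seed_name.lower()
    findings = {}
    for name, created in files.items():
        reasons = []
        if name not in KNOWN_SYSTEM:
            reasons += [f"look-alike of {legit}" for legit in sorted(KNOWN_SYSTEM)
                        if edit_distance(name, legit) <= 1]
        if name in SERVICE_WRAPPERS:
            reasons.append("service wrapper tool")
        if name != seed and abs(created - files[seed]) <= window:
            reasons.append(f"created near {seed}")
        if reasons:
            findings[name] = reasons
    return findings

# Constructed listing: timestamps and example.sah are invented for the example.
OLD, NEW = datetime(1999, 12, 7, 12, 0), datetime(2004, 3, 10, 9, 15)
SAMPLE = [
    ("svchost.exe", OLD), ("cmd.exe", OLD),
    ("lock.sah", NEW), ("example.sah", NEW + timedelta(minutes=1)),
    ("svhost.exe", NEW - timedelta(minutes=1)),
    ("INSTSRV.EXE", NEW - timedelta(minutes=2)),
    ("SRVANY.EXE", NEW - timedelta(minutes=2)),
]

if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE, "lock.sah").items()):
        print(f"{name:14} {'; '.join(reasons)}")
```

To use it on a real host, feed it (name, creation time) pairs collected from the directory under review, with the first suspicious file as the seed.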
