Backup exec 9.1 - Windows 2003 FTP port 4711

[UCSBphy]

I am running Backup Exec 9.1 on Windows 2003. Someone discovered this vulnerability:

http://seer.support.veritas.com/docs/273420.htm

and hacked in. The Computing Services here at UCSB have null routed me until I can prove to them that my system is clean.

Computing services have told me that there is a FTP server running on port 4711. No matter what I use, netstat, Fport etc, I can not seem to find anything on port 4711. They have blocked and unblocked me 3 times, but it keep reoccuring. They call it HackerDefender.

I patched Backupexec and everything, but I need to know how to undo what has bee done.

 

[Serbtastic]

If you run the following command:

netstat -ano|find "4711"

Does anything come back as listening? Use the PID to find what process is listening.

 

[UCSBphy]

Nothing comes back. I can connect to the FTP server via Filezilla, but none of my passwords work.

Thanks,
Alex

 

[Serbtastic]

If nothing comes back, then nothing is listening on port 4711. As a final test, try the following command, and post the output:

telnet localhost 4711

 

[UCSBphy]

It works. I get "220 Microsoft System Service" back. Is there a easy way to close this port?

Alex

 

[dirtyhat]

This may be unrelated, but eMule typically uses port 4711.

In case you are not farmiliar with this, it is a file sharing client similar to edonkey2000. As with many of these types of offerings, they can also be configured to host as well.

Just a thought.

Dirtyhat