Port 1434

on 29.06.2005 09:25:43 by Charles Newman

There is something out there scanning port
1434. My firewall has been beating back attempts
to connect to my machine on port 1434, all
coming from China. What kind of virus or trojan
would be trying to access machines on port 1434.
That is one advantage of having a software firewall
like Tiny. I am instantly notified when something
not in the ruleset is attempted, and asks me what
I want to do. Your hardware appliances have not
learned that trick yet.

Re: Port 1434

on 29.06.2005 09:33:37 by Bit Twister

On Wed, 29 Jun 2005 00:25:43 -0700, Charles Newman wrote:
>
> There is something out there scanning port
> 1434. My firewall has been beating back attempts
> to connect to my machine on port 1434, all
> coming from China. What kind of virus or trojan
> would be trying to access machines on port 1434.

http://isc.sans.org/port_details.php?port=1434
http://lists.gpick.com/portlist/lookup.asp?port=1434
http://www.dshield.org//port_report.php?port=1434

Re: Port 1434

on 29.06.2005 13:01:02 by Duane Arnold

Charles Newman wrote:

>
> There is something out there scanning port
> 1434. My firewall has been beating back attempts
> to connect to my machine on port 1434, all
> coming from China. What kind of virus or trojan
> would be trying to access machines on port 1434.
> That is one advantage of having a software firewall
> like Tiny. I am instantly notified when something
> not in the ruleset is attempted, and asks me what
> I want to do. Your hardware appliances have not
> learned that trick yet.

Port 1434 is the SQL Server port. Do you have SQL Server running on a
machine? If you don't, it's a moot point. BTW, port 1434 is closed by
default on a NAT router. If you had a router that also did logging and had
a logviewer to view the logs, one could easily see the attempts on port
1434 the *closed by default port*. Port 1434 is closed by default on the FW
appliance too and the logs would show the attempts on the port. No
questions need to be asked by either solution.

No SQL server Admin in their right mind would have SQL Server exposed to the
public Internet setting rules to open the port anyway. If a Web application
as an example wanted to access SQL Server, then the client program through
a server side object a database access program/object -- DLL would get the
request from the client program and do the updating, deleting or adding of
data to the database tables. The same would hold true for Oracle or Access
too. But of course, no one would use Access as it's not a multi user
network database solution and that's why there is SQL Server. You being an
applications network developer for accounting systems accessing databases
should know this kind of stuff I would think.

Duane :)

Re: Port 1434

on 29.06.2005 13:10:16 by Vijay.InfoSec

it might be Citrix...Check out..

Re: Port 1434

on 29.06.2005 13:28:11 by unknown

Post removed (X-No-Archive: yes)

Re: Port 1434

on 29.06.2005 17:12:38 by speeder

On Wed, 29 Jun 2005 00:25:43 -0700, "Charles Newman"
wrote:

> There is something out there scanning port
>1434. My firewall has been beating back attempts
>to connect to my machine on port 1434, all
>coming from China. What kind of virus or trojan
>would be trying to access machines on port 1434.

Just some definitions to clear things up a bit. Generally speaking, a
virus or trojan will attack a computer from within, not make attacks
outward to other computers. Zombie networks or botnets (which are
*created* using viruses and trojans) can probe your ports in the
manner described. Client programs to trojans will probe the target
port, I don't think there is a word for these clients but they are not
viruses or trojans themselves.

Port 1434 is home to SQL server like many have already stated. There
are documented attack possibilities to SQL server, the most trivial being to
use the default password or make a dictionary attack to log on. Earlier
Microsoft versions of SQL had serious security flaws which allowed
access to the system files and the possibility to inject DLLs that
would compromise a system once logged in. Knowing that sysadmins
sometimes lag update patches, these probes are an attempt to find
vulnerable SQL servers and own the computer.

Take a look at this article:
http://www.samspublishing.com/articles/article.asp?p=30124&seqNum=2&rl=1
it describes the attack and has some tips on how to protect yourself.
This is, of course, only relevant if you are running an SQL server in
the first place.

> That is one advantage of having a software firewall
>like Tiny. I am instantly notified when something
>not in the ruleset is attempted, and asks me what
>I want to do. Your hardware appliances have not
>learned that trick yet.

Not true. Although not all hardware appliances have logging
capabilities.

Re: Port 1434

on 30.06.2005 02:47:09 by ibuprofin

In the Usenet newsgroup comp.security.firewalls, in article
, Charles Newman wrote:

> There is something out there scanning port
>1434. My firewall has been beating back attempts
>to connect to my machine on port 1434, all
>coming from China.

Oh, well done, brave firewall. One might ask if port 1434 is open
on your systems behind the firewall, but I'd imagine that's another
computer task that is beyond your skill set.

>What kind of virus or trojan would be trying to access machines on port 1434.

What's the matter - is your access to google also broken due to your inept
firewall setup? We already know that you lack all knowledge of networking
fundamentals, as you constantly demonstrate.

> That is one advantage of having a software firewall like Tiny. I am
>instantly notified when something not in the ruleset is attempted, and
>asks me what I want to do.

No, No, No! It's supposed to block all network traffic when that happens.
That gives you time to get to another computer system, log into an ISP
using a different connection (because you have stopped the regular setup)
and post a wailing cry on Usenet asking "What do I do now???"

>Your hardware appliances have not learned that trick yet.

Charles, you have no idea what a hardware appliance can or can not do,
so quit making intentionally false statements. Logging is easy to set
up (though obviously beyond your ken). However, most production setups
don't bother to scream every time a gnat farts within fifty miles. Did
your childhood reading not include Grimm's Fairy Tales - specifically
about the boy who called 'wolf' too often? Your firewall apparently
blocked the connection attempts - get on with your life if you have one.

Old guy

Re: Port 1434

on 30.06.2005 17:19:07 by badnews

On Wed, 29 Jun 2005 00:25:43 -0700, Charles Newman spoketh

>
> There is something out there scanning port
>1434. My firewall has been beating back attempts
>to connect to my machine on port 1434, all
>coming from China. What kind of virus or trojan
>would be trying to access machines on port 1434.
> That is one advantage of having a software firewall
>like Tiny. I am instantly notified when something
>not in the ruleset is attempted, and asks me what
>I want to do. Your hardware appliances have not
>learned that trick yet.
>


I see that the clue fairy hasn't come around to Charlie's house while
I've been gone.

My hardware firewall (even the cheapest one I've had) blocks all this by
default without nagging me about it. It simply drops it, and moves on
with life. You, on the other hand, need to take an action every time
something new comes around... Now who's the fool?

That's an SQL server port, btw, and it's a very old exploit, been going
on for years.

Lars M. Hansen
http://www.hansenonline.net
(replace 'badnews' with 'news' in e-mail address)

Re: Port 1434

on 03.07.2005 17:11:22 by NormanM

On Wed, 29 Jun 2005 00:25:43 -0700, Charles Newman wrote:

> There is something out there scanning port
> 1434. My firewall has been beating back attempts
> to connect to my machine on port 1434, all
> coming from China. What kind of virus or trojan
> would be trying to access machines on port 1434.

Most likely a worm.

> That is one advantage of having a software firewall
> like Tiny. I am instantly notified when something
> not in the ruleset is attempted, and asks me what
> I want to do. Your hardware appliances have not
> learned that trick yet.

Oh, really? Here is a snippet of a hardware appliance log:

07-03-2005 08:07:31 Local7.Warning 192.168.102.1 2005 Jul 03 07:08:04
(FR114P-2c-f2-3a) 64.161.30.147 UDP packet - Source:61.172.240.137,32930
,WAN - Destination:64.161.30.147,1027 ,LAN [Drop] - [Inbound Default rule
match]

But why would you want an "instant notification" instead of a log entry?

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

Re: Port 1434

on 03.07.2005 23:11:38 by Leythos

In article <1xfs10256j69a.dlg@aol.prodigy.net>,
spammers.are@immoral.invalid says...
> On Wed, 29 Jun 2005 00:25:43 -0700, Charles Newman wrote:
>
> > There is something out there scanning port
> > 1434. My firewall has been beating back attempts
> > to connect to my machine on port 1434, all
> > coming from China. What kind of virus or trojan
> > would be trying to access machines on port 1434.
>
> Most likely a worm.
>
> > That is one advantage of having a software firewall
> > like Tiny. I am instantly notified when something
> > not in the ruleset is attempted, and asks me what
> > I want to do. Your hardware appliances have not
> > learned that trick yet.
>
> Oh, really? Here is a snippet of a hardware appliance log:
>
> 07-03-2005 08:07:31 Local7.Warning 192.168.102.1 2005 Jul 03 07:08:04
> (FR114P-2c-f2-3a) 64.161.30.147 UDP packet - Source:61.172.240.137,32930
> ,WAN - Destination:64.161.30.147,1027 ,LAN [Drop] - [Inbound Default rule
> match]
>
> But why would you want an "instant notification" instead of a log entry?

Back when the SQL Slammer worm hit we were getting more than 680 hits a
minute, the last thing I would have wanted is some lame a$$ personal
firewall doing the blocking, the firewall appliance logs perfectly well
enough.

Charles is just a noob that knows less than most noobs.

--
spamfree999@rrohio.com
(Remove 999 to reply to me)
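
An added example, not part of any post in this thread: a parser for appliance log entries laid out like the line NormanM quoted, counting dropped inbound packets to one port per minute and per source, which is the kind of rate figure Leythos mentions. The field layout is inferred from that single quoted line, and the sample entries (documentation-range addresses, device tag FW-EXAMPLE) are constructed.

```python
import re
from collections import Counter

# Constructed sample in the layout of the appliance log line quoted in the
# thread (documentation-range addresses, made-up device tag). The second entry
# is wrapped across lines the way the newsreader wrapped the original.
SAMPLE_LOG = """\
07-03-2005 08:07:31 Local7.Warning 192.168.102.1 2005 Jul 03 07:08:04 (FW-EXAMPLE) 203.0.113.10 UDP packet - Source:198.51.100.7,32930 ,WAN - Destination:203.0.113.10,1434 ,LAN [Drop] - [Inbound Default rule match]
07-03-2005 08:07:40 Local7.Warning 192.168.102.1 2005 Jul 03 07:08:13
(FW-EXAMPLE) 203.0.113.10 UDP packet - Source:198.51.100.7,32931
,WAN - Destination:203.0.113.10,1434 ,LAN [Drop] - [Inbound Default rule
match]
07-03-2005 08:08:02 Local7.Warning 192.168.102.1 2005 Jul 03 07:08:35 (FW-EXAMPLE) 203.0.113.10 UDP packet - Source:198.51.100.9,1045 ,WAN - Destination:203.0.113.10,1434 ,LAN [Drop] - [Inbound Default rule match]
07-03-2005 08:08:20 Local7.Warning 192.168.102.1 2005 Jul 03 07:08:53 (FW-EXAMPLE) 203.0.113.10 UDP packet - Source:192.0.2.44,4021 ,WAN - Destination:203.0.113.10,1027 ,LAN [Drop] - [Inbound Default rule match]
"""

# A new entry starts at a line beginning with the syslog receiver's timestamp.
ENTRY_START = re.compile(r"^(?=\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2} )", re.M)
# Field layout is inferred from the single quoted line, so it is an assumption.
ENTRY = re.compile(
    r"^(?P<minute>\d{2}-\d{2}-\d{4} \d{2}:\d{2}):\d{2} .*?"
    r"(?P<proto>\w+) packet - Source:(?P<src>[\d.]+),(?P<sport>\d+) ?,WAN"
    r" - Destination:(?P<dst>[\d.]+),(?P<dport>\d+) ?,LAN \[(?P<action>\w+)\]"
)

def parse_entries(text):
    """Re-join wrapped entries and return one dict per parsable log entry."""
    entries = []
    for chunk in ENTRY_START.split(text):
        match = ENTRY.search(" ".join(chunk.split()))  # collapse wraps/spaces
        if match:
            entries.append(match.groupdict())
    return entries

def summarize_drops(text, port):
    """Count dropped inbound packets to `port`, per minute and per source."""
    per_minute, per_source = Counter(), Counter()
    for e in parse_entries(text):
        if e["action"] == "Drop" and int(e["dport"]) == port:
            per_minute[e["minute"]] += 1
            per_source[e["src"]] += 1
    return per_minute, per_source

if __name__ == "__main__":
    minutes, sources = summarize_drops(SAMPLE_LOG, 1434)
    for minute, hits in sorted(minutes.items()):
        print(f"{minute}  {hits} dropped packets to port 1434")
    print("top sources:", sources.most_common(3))
```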