Sunday, March 25, 2012

advice about a worm intrusion alert

XP Home, limited user account. Newbie to this group - I know next to
nothing about ports but am an experienced computer user otherwise.
Can anyone interpret this for me - just started to get these recently -
this is only the second one. Got it while using a user account in my XP
Home machine.
Security Alert - Medium Risk
Norton Internet Worm Protection has detected and blocked an intrusion
attempt.
The text in More Info was as follows:
Intrusion: MS SQL PacketResolution DoS
Intruder: 192.168.1.1 (domain(53))
Risk Level: Medium.
Protocol: UDP
Attacked IP: COMPUTER NAME (192.168.1.2)
Attacked Port: ms-sql-m(1434)
The Intruder address was my router, to which one Win98SE computer is
connected by ethernet (not mentioned in report) and the other on the
192.168.1.2 address is my XP Home machine, wirelessly connected to the
router.
I clicked OK and then the wireless connection lost its IP and
connectivity - and I had no internet access on the wireless XP machine.
Router was still connected to internet fine - all lights glowing properly.
Computer upstairs 192.168.1.3 was on and could connect to the internet -
no one was using it at the time of the alert. It has Zone Alarm free
version to prevent any outgoing stuff, and also NAV and Spybot S&D
resident (teatimer). It is on Win98SE. No alerts showing.
This machine runs Windows XP Home (user account) has NAV, Counterspy and
Zone Alarm free. Wireless network is WPA-PSK with 63 character pw.
Log off and on did not restore the wireless (always does usually).
Log off and then on to Admin acct - again wireless network did not work
but I got a windows error - windows is recovering from a serious error.
Still no connection.
Did a warm reboot and then everything was back to normal.
I do a Norton AV and Counterspy scan daily. Clear.
I think all the Windows/wireless hassle was due to the Norton blocking
the request, and I think the "intrusion" was legitimate - but I don't
want to "allow" it unless someone can explain the details to me. Many
thanks to any network gurus who can interpret please.
Rev Robert M Jones, Wimborne Baptist Church, UK
http://www.wimborne-baptist.org.uk
Free trial of Mailwasher Pro - effective email spam filter - (commission
goes to our partners in Bulgaria)
http://fta.firetrust.com/index.cgi?id=420

Port 1434 is the SQL Browser service used for locating SQL Servers.
I would NOT allow Ports 1434 or 1433 to be open to the outside.
Is this a NAT router directly connected to your DSL/Cable modem?
Arnie Rowland, Ph.D.
Westwood Consulting, Inc
Most good judgment comes from experience.
Most experience comes from bad judgment.
- Anonymous
You can't help someone get up a hill without getting a little closer to the
top yourself.
- H. Norman Schwarzkopf
"Robert M Jones" <robert53newsgroups-ms2@.NOSPAMyahoo.co.uk> wrote in message
news:uTWSOL$DHHA.4620@.TK2MSFTNGP04.phx.gbl...
> XP Home, limited user account. Newbie to this group - I know next to
> nothing about ports but am an experienced computer user otherwise.
> Can anyone interpret this for me - just started to get these recently -
> this is only the second one. Got it while using a user account in my XP
> Home machine.
> Security Alert - Medium Risk
> Norton Internet Worm Protection has detected and blocked an intrusion
> attempt.
> The text in More Info was as follows:
> Intrusion: MS SQL PacketResolution DoS
> Intruder: 192.168.1.1 (domain(53))
> Risk Level: Medium.
> Protocol: UDP
> Attacked IP: COMPUTER NAME (192.168.1.2)
> Attacked Port: ms-sql-m(1434)
> The Intruder address was my router, to which one Win98SE computer is
> connected by ethernet (not mentioned in report) and the other on the
> 192.168.1.2 address is my XP Home machine, wirelessly connected to the
> router.
> I clicked OK and then the wireless connection lost its IP and
> connectivity - and I had no internet access on the wireless XP machine.
> Router was still connected to internet fine - all lights glowing properly.
> Computer upstairs 192.168.1.3 was on and could connect to the internet -
> no one was using it at the time of the alert. It has Zone Alarm free
> version to prevent any outgoing stuff, and also NAV and Spybot S&D
> resident (teatimer). It is on Win98SE. No alerts showing.
> This machine runs Windows XP Home (user account) has NAV, Counterspy and
> Zone Alarm free. Wireless network is WPA-PSK with 63 character pw.
> Log off and on did not restore the wireless (always does usually).
> Log off and then on to Admin acct - again wireless network did not work
> but I got a windows error - windows is recovering from a serious error.
> Still no connection.
> Did a warm reboot and then everything was back to normal.
> I do a Norton AV and Counterspy scan daily. Clear.
> I think all the Windows/wireless hassle was due to the Norton blocking the
> request, and I think the "intrusion" was legitimate - but I don't want to
> "allow" it unless someone can explain the details to me. Many thanks to
> any network gurus who can interpret please.
> --
> Rev Robert M Jones, Wimborne Baptist Church, UK
> http://www.wimborne-baptist.org.uk
> Free trial of Mailwasher Pro - effective email spam filter - (commission
> goes to our partners in Bulgaria)
> http://fta.firetrust.com/index.cgi?id=420

Arnie Rowland wrote:
> Port 1434 is the SQL Browser service used for locating SQL Servers.
> I would NOT allow Ports 1434 or 1433 to be open to the outside.
> Is this a NAT router directly connected to your DSL/Cable modem?
>
Thanks for the reply. This is all a mystery to me.
Set up is an ADSL Router with NATS firewall incorporated. I have Skype
if that is relevant - the entry for that against its icon in Zone Alarm
is "Listening to Port(s) TCP:80,443,14695"
The router is set with IP Filtering enabled, for filtering inbound
traffic - there are no entries in the table in that section.
The section on Virtual Server Configuration DMZ host has:
"Those IP packets from the Internet that do NOT belong to any
applications configured in the port forwarding table will be: Discarded"
There is nothing set up in the port forwarding section
Any more checking I should do? The router NATS seems to do its job in
terms of the Shields Up tests, but I haven't then disabled the NATS to
test the actual ZA software firewall on the machine itself.
Rev Robert M Jones, Wimborne Baptist Church, UK
http://www.wimborne-baptist.org.uk
Free trial of Mailwasher Pro - effective email spam filter - (commission
goes to our partners in Bulgaria)
http://fta.firetrust.com/index.cgi?id=420

>>> On 11/24/2006 at 11:03 AM, in message
<uTWSOL$DHHA.4620@.TK2MSFTNGP04.phx.gbl>, Robert M
Jones<robert53newsgroups-ms2@.NOSPAMyahoo.co.uk> wrote:
> Security Alert - Medium Risk
> Norton Internet Worm Protection has detected and blocked an
> intrusion
> attempt.
> The text in More Info was as follows:
> Intrusion: MS SQL PacketResolution DoS
> Intruder: 192.168.1.1 (domain(53))
> Risk Level: Medium.
> Protocol: UDP
> Attacked IP: COMPUTER NAME (192.168.1.2)
> Attacked Port: ms-sql-m(1434)
Do you even have SQL installed on your machine? My guess is that you
don't.
As a result, port 1434 is not used by any specific program, but is
available for any program that needs a new UDP port to use.
Because of this, the DNS resolver is using it to make a DNS request
(your name server is probably set as 192.168.1.1). Your DNS server
responds to port 1434. However, Norton incorrectly classifies this as
an attack. It probably isn't.

Joel Maslak wrote:
> <uTWSOL$DHHA.4620@.TK2MSFTNGP04.phx.gbl>, Robert M
> Jones<robert53newsgroups-ms2@.NOSPAMyahoo.co.uk> wrote:
> Do you even have SQL installed on your machine? My guess is that you
> don't.
> As a result, port 1434 is not used by any specific program, but is
> available for any program that needs a new UDP port to use.
> Because of this, the DNS resolver is using it to make a DNS request
> (your name server is probably set as 192.168.1.1). Your DNS server
> responds to port 1434. However, Norton incorrectly classifies this as
> an attack. It probably isn't.
That's sort of what I thought - but until I can be sure I did not want
to give Norton any instructions to allow or remember - just saying "ok"
when I get the block message.
Any advice on checking I can do (other than routine AV and spyware
scans) most welcome.
Rev Robert M Jones, Wimborne Baptist Church, UK
http://www.wimborne-baptist.org.uk
Free trial of Mailwasher Pro - effective email spam filter - (commission
goes to our partners in Bulgaria)
http://fta.firetrust.com/index.cgi?id=420
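Joel Maslak's explanation (a DNS reply from 192.168.1.1 port 53 landing on the XP machine's ephemeral UDP port 1434, which Norton matched against its SQL signature) can be turned into a small triage check, which also addresses the question of what checking can be done before clicking Allow. This is an added example, not code from anyone in the thread; the XP ephemeral range 1025-5000, the SSRP opcode bytes, and the sample datagrams are assumptions constructed here.

```python
import struct
from dataclasses import dataclass

# Assumptions for this example (not stated in the thread): Windows XP hands
# client-side UDP ports out of 1025-5000, so the DNS resolver can be given 1434.
XP_EPHEMERAL = range(1025, 5001)
SSRP_PORT, DNS_PORT = 1434, 53
# SQL Server Resolution Protocol datagrams start with a one-byte opcode
# (client requests 0x02/0x03/0x04/0x0F, server response 0x05).
SSRP_OPCODES = {0x02, 0x03, 0x04, 0x05, 0x0F}

@dataclass
class Alert:
    intruder_ip: str
    intruder_port: int
    attacked_port: int
    protocol: str
    payload: bytes

def looks_like_dns_response(payload: bytes) -> bool:
    """A DNS header is 12 bytes; the QR bit (top bit of flags) marks a reply."""
    if len(payload) < 12:
        return False
    _ident, flags, qdcount, *_ = struct.unpack("!6H", payload[:12])
    return bool(flags & 0x8000) and qdcount >= 1

def looks_like_ssrp(payload: bytes) -> bool:
    return len(payload) >= 1 and payload[0] in SSRP_OPCODES

def triage(alert: Alert, dns_servers, sql_installed: bool) -> str:
    """Classify a UDP/1434 alert the way a defender would before clicking Allow."""
    if alert.protocol.upper() != "UDP" or alert.attacked_port != SSRP_PORT:
        return "not-ssrp-port"
    if sql_installed:
        return "investigate: SQL Server really listens on 1434 here"
    if (alert.intruder_ip in dns_servers and alert.intruder_port == DNS_PORT
            and alert.attacked_port in XP_EPHEMERAL
            and looks_like_dns_response(alert.payload)):
        return "benign: DNS reply to an ephemeral port"
    if looks_like_ssrp(alert.payload):
        return "investigate: SSRP-shaped datagram to a host without SQL Server"
    return "unknown: capture and inspect the payload"

# Constructed samples: a DNS answer header (id 0x1234, flags 0x8180, qd=1,
# an=1) followed by its question section for www.example.com; a 1-byte SSRP probe.
DNS_REPLY = (struct.pack("!6H", 0x1234, 0x8180, 1, 1, 0, 0)
             + b"\x03www\x07example\x03com\x00\x00\x01\x00\x01")
SSRP_PROBE = b"\x02"
# The tuple from the alert in the thread: router 192.168.1.1:53 -> XP box:1434.
THREAD_ALERT = Alert("192.168.1.1", 53, 1434, "UDP", DNS_REPLY)
```

Running `triage(THREAD_ALERT, {"192.168.1.1"}, sql_installed=False)` on the thread's tuple returns the benign classification; the same tuple with an SSRP-shaped payload, or on a box that does run SQL Server, is flagged for a closer look instead.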