LinuxQuestions.org

-   -   How is the worm able to hit my closed port? (https://www.linuxquestions.org/questions/linux-security-4/how-is-the-worm-able-to-hit-my-closed-port-639708/)

abefroman 05-03-2008 09:20 PM

How is the worm able to hit my closed port?

I have port 1434, but Snort is logging that a worm is hitting it from a Chinese computer:
MS-SQL Worm propagation attempt 2008-05-03 21:02:13 59.53.50.35:3391 xx.xx.xx.xx:1434 UDP

Also, I have that whole b block blocked, how are they able to send the worm still?
# added 59.53.0.0/16 on 04/11/08 22:04:19
59.53.0.0/16

TIA!

win32sux 05-03-2008 10:26 PM

Quote:

Originally Posted by abefroman (Post 3141689)
How is the worm able to hit my closed port?

I have port 1434, but Snort is logging that a worm is hitting it from a Chinese computer:
MS-SQL Worm propagation attempt 2008-05-03 21:02:13 59.53.50.35:3391 xx.xx.xx.xx:1434 UDP

Also, I have that whole b block blocked, how are they able to send the worm still?
# added 59.53.0.0/16 on 04/11/08 22:04:19
59.53.0.0/16

TIA!

Snort sees traffic coming from the wire before it reaches your network stack.

SlowCoder 05-04-2008 07:27 PM

Just means that the worm is attempting. Doesn't mean it's being successful.

win32sux 05-04-2008 07:56 PM

Quote:

Originally Posted by SlowCoder (Post 3142737)
Just means that the worm is attempting. Doesn't mean it's being successful.

Exactly. Whether it's successful or not will mostly depend on what happens when the traffic hits the TCP/IP stack. For example (@abefroman), if you have iptables rules which filter traffic coming into that port, Netfilter will take care of it after it's been Snorted.
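One way to put this into practice, as an added example that is not from the thread: a small Python triage helper that parses Snort alert lines in the textual shape posted above and checks each source address against the firewall's blocked CIDR list, so an alert from an already-blocked range can be filed as noise that netfilter drops after Snort has seen it, rather than as a possible compromise. The alert lines and blocklist are constructed samples modelled on the poster's, and the alert-line layout is assumed from the post rather than taken from a Snort output spec.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample alerts: the line from the thread (destination masked as in
# the original post) plus one alert from a source that is not on the blocklist.
SNORT_ALERTS = """\
MS-SQL Worm propagation attempt 2008-05-03 21:02:13 59.53.50.35:3391 xx.xx.xx.xx:1434 UDP
MS-SQL Worm propagation attempt 2008-05-03 21:05:40 203.0.113.7:1434 xx.xx.xx.xx:1434 UDP
"""

# Constructed blocklist in the same shape as the poster's: comments plus one CIDR per line.
BLOCKLIST = """\
# added 59.53.0.0/16 on 04/11/08 22:04:19
59.53.0.0/16
"""

# Layout assumed from the post: <message> <date> <time> <src>:<sport> <dst>:<dport> <proto>
ALERT_RE = re.compile(
    r"^(?P<msg>.+?) (?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<src>\S+):(?P<sport>\d+) (?P<dst>\S+):(?P<dport>\d+) (?P<proto>\w+)$"
)

@dataclass
class Verdict:
    src: str
    dport: int
    proto: str
    blocked_by: Optional[str]  # CIDR a DROP rule would match, or None if the source is unfiltered

def load_blocklist(text):
    """Parse CIDR lines, skipping comments and blank lines."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def triage(alerts_text, blocklist_text):
    """Snort alerts on the wire before netfilter acts, so an alert alone says nothing
    about success. Tag each alert with the blocked range its source falls in, if any."""
    nets = load_blocklist(blocklist_text)
    verdicts = []
    for line in alerts_text.splitlines():
        m = ALERT_RE.match(line)
        if not m:
            continue  # not an alert line in the expected layout
        src = ipaddress.ip_address(m["src"])
        hit = next((str(n) for n in nets if src in n), None)
        verdicts.append(Verdict(str(src), int(m["dport"]), m["proto"], hit))
    return verdicts
```

Alerts with `blocked_by` set are the ones netfilter already handles; the remaining ones are where a check of the listening service and the iptables rules is worth the time.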

sundialsvcs 05-05-2008 10:14 PM

Remember that computer crimes are almost-always crimes of opportunity. If you throw out a packet to a randomly-chosen IP address, it is quite disturbing how often you'll get a response from a Windows box that is perfectly willing to obey your every command with the full power and rights of an all-powerful Administrator. (Gliding past their so-called "anti-virus defenses" is just about as difficult as putting-on a Groucho Marx glasses-and-moustache "disguise.")

You can stop these opportunists dead-in-the-water with the simplest bit of security awareness, which is what literally tens of millions of computer users don't have. The attackers won't linger: there are far too many rich-pickings elsewhere.
