So, I got alerted last night that source IP 220.127.116.11 was hitting my web server. It was scanned... heavily.
The FW blocked it... it all hit the clean-up rule, which is a bit weird. Usually, IPs that scan will hit open ports also (I've a few open). This one was one of those with a source port of 80 that isc.sans.org was reporting about a few weeks ago. The IP belongs to ThePlanet. TrustedSource shows some squirrely activity but nothing definitive. My IDS didn't pick up anything either. I also searched MyNetWatchman but the server is busted and craps out when I try to conduct searches. The scan started at 14:38 and ended at 17:45 EST.
I'll keep a watch out for further activity.
18.104.22.168 scanned the server today, generating 2144 FW log entries that were blocks triggered by the clean-up rule.
22.214.171.124 also scanned the server today, generating 487 FW log entries that were blocks triggered by the clean-up rule.
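
An added example, not part of the original post: one way to get the same per-source picture (clean-up rule block counts, first and last seen, source port 80, no hits on open ports) out of firewall logs. The key=value log format, the rule name `cleanup`, the open-port set and all addresses are constructed assumptions, not any real firewall's output.

```python
import re
from collections import defaultdict

# Constructed sample lines in a made-up key=value format (no vendor's real format);
# addresses are documentation ranges and the date is arbitrary.
SAMPLE_LOG = """\
2000-01-01T14:38:02 action=drop rule=cleanup src=203.0.113.7 spt=80 dst=192.0.2.10 dpt=1027
2000-01-01T14:38:03 action=drop rule=cleanup src=203.0.113.7 spt=80 dst=192.0.2.10 dpt=1028
2000-01-01T15:10:40 action=accept rule=web src=198.51.100.20 spt=51512 dst=192.0.2.10 dpt=443
2000-01-01T15:10:41 action=drop rule=cleanup src=198.51.100.20 spt=51513 dst=192.0.2.10 dpt=23
2000-01-01T15:10:42 action=drop rule=cleanup src=198.51.100.20 spt=51514 dst=192.0.2.10 dpt=3389
2000-01-01T15:10:43 action=drop rule=cleanup src=198.51.100.20 spt=51515 dst=192.0.2.10 dpt=5900
2000-01-01T16:02:11 action=drop rule=cleanup src=203.0.113.7 spt=80 dst=192.0.2.10 dpt=1029
2000-01-01T17:45:59 action=drop rule=cleanup src=203.0.113.7 spt=80 dst=192.0.2.10 dpt=1030
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def summarize(log_text, cleanup_rule="cleanup", open_ports=frozenset({80, 443})):
    """Per-source counts of clean-up rule drops and of accepted hits on open ports."""
    stats = defaultdict(lambda: {"drops": 0, "spt80": 0, "open_hits": 0,
                                 "dports": set(), "first": None, "last": None})
    for line in log_text.splitlines():
        ts, _, rest = line.partition(" ")
        f = dict(FIELD.findall(rest))
        if "src" not in f:
            continue  # blank or unparseable line
        s = stats[f["src"]]
        dpt = int(f.get("dpt", 0))
        if f.get("action") == "accept" and dpt in open_ports:
            s["open_hits"] += 1
        elif f.get("action") == "drop" and f.get("rule") == cleanup_rule:
            s["drops"] += 1
            s["spt80"] += f.get("spt") == "80"
            s["dports"].add(dpt)
            # ISO-8601 timestamps in one zone sort correctly as strings
            s["first"] = min(s["first"] or ts, ts)
            s["last"] = max(s["last"] or ts, ts)
    return stats

def flag_sources(stats, min_drops=3):
    """Sources that only ever hit the clean-up rule, mostly from source port 80."""
    return sorted(src for src, s in stats.items()
                  if s["drops"] >= min_drops and s["open_hits"] == 0
                  and s["spt80"] * 2 > s["drops"])

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for src in flag_sources(summary):
        s = summary[src]
        print(src, s["drops"], "drops", s["first"], "to", s["last"])
```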