So, I got alerted last night that source IP 126.96.36.199 was hitting my web server. It was scanned... heavily.
The FW blocked it... it all hit the clean-up rule, which is a bit weird. Usually, IPs that scan will hit open ports also (I've a few open). This one was one of those with a source port of 80 that isc.sans.org was reporting about a few weeks ago. The IP belongs to ThePlanet. TrustedSource shows some squirrely activity but nothing definitive. My IDS didn't pick up anything either. I also searched MyNetWatchman but the server is busted and craps out when I try to conduct searches. The scan started at 14:38 and ended at 17:45 EST.
I'll keep a watch out for further activity.
188.8.131.52 scanned the server today, generating 2144 FW log entries that were blocks triggered by the clean-up rule.
184.108.40.206 also scanned the server today, generating 487 FW log entries that were blocks triggered by the clean-up rule.
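
An added example, not part of the original post: a small log summarizer that counts clean-up rule blocks per source, tracks the first and last hit, and picks out sources that only ever hit the clean-up rule and never an open port. The key=value log format, the rule names `cleanup` and `web`, and the sample addresses are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in a hypothetical key=value firewall log format.
SAMPLE_LOG = """\
2009-01-10T14:38:02 action=drop rule=cleanup src=203.0.113.7 spt=80 dst=192.0.2.10 dpt=1025
2009-01-10T14:38:03 action=drop rule=cleanup src=203.0.113.7 spt=80 dst=192.0.2.10 dpt=3072
2009-01-10T15:02:41 action=accept rule=web src=198.51.100.23 spt=51544 dst=192.0.2.10 dpt=80
2009-01-10T15:02:44 action=drop rule=cleanup src=198.51.100.23 spt=51545 dst=192.0.2.10 dpt=23
2009-01-10T17:45:10 action=drop rule=cleanup src=203.0.113.7 spt=80 dst=192.0.2.10 dpt=1029
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def summarize(log_text, cleanup_rule="cleanup"):
    """Per-source counts of clean-up drops, accepts, source-port-80 hits, and time window."""
    stats = defaultdict(lambda: {"cleanup_drops": 0, "accepts": 0, "spt80": 0,
                                 "first": None, "last": None})
    for line in log_text.splitlines():
        try:
            stamp, rest = line.split(None, 1)
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            continue  # blank or malformed line
        f = dict(FIELD.findall(rest))
        if "src" not in f:
            continue
        s = stats[f["src"]]
        if f.get("action") == "drop" and f.get("rule") == cleanup_rule:
            s["cleanup_drops"] += 1
        elif f.get("action") == "accept":
            s["accepts"] += 1
        if f.get("spt") == "80":
            s["spt80"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return dict(stats)

def cleanup_only_sources(stats, min_drops=2):
    """Sources that were blocked by the clean-up rule and never reached an open port."""
    return sorted(ip for ip, s in stats.items()
                  if s["cleanup_drops"] >= min_drops and s["accepts"] == 0)

if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for ip in cleanup_only_sources(stats):
        s = stats[ip]
        print(ip, s["cleanup_drops"], s["spt80"], s["first"], s["last"])
```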