# Repeated scans, probes - multiple IPs, what should I do?

## jsnorman

Here is my log for today (similar pattern throughout last week), though becoming much more frequent in last few hours:

03/01/2006  00:13:20 **SYN Flood to Host** 192.168.15.101, 53456->> 64.233.179.99, 80 (from PPPoE Outbound)

02/28/2006  23:57:57 **TCP FIN Scan** 192.168.15.101, 49540->> 204.57.79.91, 80 (from PPPoE Outbound)

02/28/2006  23:57:57 **TCP FIN Scan** 192.168.15.101, 35942->> 66.135.208.200, 80 (from PPPoE Outbound)

02/28/2006  23:57:57 **TCP FIN Scan** 192.168.15.101, 34473->> 208.172.128.252, 80 (from PPPoE Outbound)

02/28/2006  23:51:42 **TCP FIN Scan** 192.168.15.101, 57452->> 216.113.180.102, 80 (from PPPoE Outbound)

02/28/2006  23:51:42 **TCP FIN Scan** 192.168.15.101, 55855->> 216.113.180.121, 80 (from PPPoE Outbound)

02/28/2006  23:51:42 **TCP FIN Scan** 192.168.15.101, 56560->> 216.113.180.106, 80 (from PPPoE Outbound)

I am using a hardware firewall (SMC), with stateful inspection (obviously) and also using MAC address filtering just to make sure. However, all these scans with increasing frequency make me a little nervous.

Is there anything I can/should be doing?

----------

## kg

Not being clear on the format of the log for your firewall, this looks suspiciously like it is logging outbound traffic.

The (from PPPoE Outbound) would seem to imply this is traffic originating from you.  

02/28/2006 23:51:42 **TCP FIN Scan** 192.168.15.101, 57452->> 216.113.180.102, 80 (from PPPoE Outbound) 

Were you looking at Ebay.com?  The 216.113.180.[102|106|121] addresses are all part of ebayimg.com.

Looks like your machine's IP address is 192.168.15.101 and you were surfing (dest. port 80).

Why your firewall seems to think you are sending TCP FIN Scans is a little unusual. 

Best bet is to search for hits relating to your firewall....

----------
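The check kg describes above (a private source address on a line marked "Outbound" means the alert is about the LAN's own traffic), as an added example that is not part of the original posts or the firewall's own tooling. The line layout is taken from the log quoted in the thread; the "Inbound" wording and the addresses in the last sample line are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# Layout copied from the quoted log; "**" around the event is forum markup, so it is optional.
LINE_RE = re.compile(
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2})\s+"
    r"\*{0,2}(?P<event>[^*]+?)\*{0,2}\s+"
    r"(?P<src>[\d.]+),\s*(?P<sport>\d+)->>\s*(?P<dst>[\d.]+),\s*(?P<dport>\d+)\s+"
    r"\(from\s+(?P<iface>\S+)\s+(?P<direction>\w+)\)"
)
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse(line):
    """Return the fields of one alert line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    # Own traffic: a private source address leaving through the WAN interface.
    own = any(src in net for net in RFC1918) and m["direction"].lower() == "outbound"
    return {"event": m["event"], "src": str(src), "dst": str(dst),
            "dport": int(m["dport"]), "origin": "lan" if own else "external"}

def triage(lines):
    """Count alerts by origin and list what each LAN host was talking to."""
    counts, lan_hosts = Counter(), defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            counts["unparsed"] += 1
            continue
        counts[rec["origin"]] += 1
        if rec["origin"] == "lan":
            lan_hosts[rec["src"]].add((rec["dst"], rec["dport"]))
    return counts, dict(lan_hosts)

SAMPLE = [  # the first three lines are from the thread
    "03/01/2006  00:13:20 **SYN Flood to Host** 192.168.15.101, 53456->> 64.233.179.99, 80 (from PPPoE Outbound)",
    "02/28/2006  23:57:57 **TCP FIN Scan** 192.168.15.101, 49540->> 204.57.79.91, 80 (from PPPoE Outbound)",
    "02/28/2006  23:51:42 **TCP FIN Scan** 192.168.15.101, 57452->> 216.113.180.102, 80 (from PPPoE Outbound)",
    # Constructed contrast case: "Inbound" and both addresses are assumptions.
    "03/01/2006  00:20:00 **TCP FIN Scan** 203.0.113.7, 40000->> 198.51.100.20, 80 (from PPPoE Inbound)",
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Alerts counted under `lan` point at a machine behind the firewall, so the follow-up is to look at what that host was doing at the time rather than at the remote addresses.

----------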

## MrUlterior

 *jsnorman wrote:*   

> Here is my log for today (similar pattern throughout last week), though becoming much more frequent in last few hours:
> 
> 03/01/2006  00:13:20 **SYN Flood to Host** 192.168.15.101, 53456->> 64.233.179.99, 80 (from PPPoE Outbound)
> 
> 02/28/2006  23:57:57 **TCP FIN Scan** 192.168.15.101, 49540->> 204.57.79.91, 80 (from PPPoE Outbound)
> ...

 

ROFL! Put on your tin foil hat! Ebay is out to get you! They've used surreptitious mind control devices to induce you to visit their site! I bet if you check your logs now you'll see that 140.211.166.170 is after your soul too!

----------

