The guy who scanned you put your external IP address as the source when it set the packets. This is more of a denial of service attack than a scan because the scanner would never have seen the replies from you system. -----Original Message----- From: Bob Cheeseman [mailto:bob@xxxxxxxxxxx] Sent: Thursday, January 24, 2002 13:18 To: [ISAserver.org Discussion List] Subject: [isalist] ISA server attacking itself? http://www.ISAserver.org hmmm, found this in my event viewer this am. 206.47.xx.xx is the external IP address of the ISA server itself. Event Type: Warning Event Source: Microsoft ISA Server Control Event Category: Packet filter Event ID: 15105 Date: 1/24/2002 Time: 2:24:53 AM User: N/A Computer: AERYX-SBS Description: ISA Server detected an all port scan attack from Internet Protocol (IP) address 206.47.xx.xx. For more information about this event, see ISA Server Help. Data: 0000: 1f 00 00 00 .... Any idea what's going on? Thanx Bob ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: gary.anderson@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')