In the LUC course, we wrote an IDS program in perl. After setting up my own server, I put my IDS there and add on some simple features. When ever there is an possible attack, no matter if it's brute force, port scan, I will block the source IP and also port scan back with "nmap -A -PN", then output the result in my apache directory. It's been running for a while. And my IDs has collected quite a lot of interesting reports.
As far as I know, the source IP can be a hacked machine or from a network. Althought I may not able to track down the attacker, but I would like to see where it's from. One of the source has an entry mentioned about an site called "http://echelon.pl/", it blog talk about IT security or.. IPSec... I'm thinking how could it end up attacking my server? haha...
106/tcp open pop3pw Poppassd 1.8.5 (http://echelon.pl/pubs/poppassd.html)
Anywya, if you're interested, you can see all the nmap result here.. And have some mercy.. don't hack my server.. ;-)