Unusual, rare, and specialty TCP/IP ports are often used to sneak past relaxed firewall rules.

SANS ISC reports major spike in port 26 traffic
A little over a year ago, I wrote a diary asking what was going on with traffic on TCP port 26. So, last week I noticed another spike on port 26. Based on looking at my honeypot traffic, it looks like a possible new variant of Satori. I’m still not sure why they are expecting to find telnet on port 26, but this is what I’m seeing in the honeypot.