While examining flow records for a compromised host, I observed several connection attempts from various Chinese IPs, all in the same /24. The source port was always 80, the destination port always 33824. I don’t see anything obvious on the googles or sites like the Internet Storm Center, so now there will (eventually) at least be something Google-able. I’d appreciate hearing from any other ITSec types about what this might be, either specifically or in general. My suspicion is this is probing for some botnet or another, with source port 80 to try to get by stupid firewalls, but I lack full content data to prove or disprove this theory.
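Flow data alone can separate genuine web replies from unsolicited traffic that merely uses source port 80, and then cluster what remains by source /24 and destination port. The sketch below is an added example, not part of the original post; it assumes unidirectional 5-tuple flow records, and the addresses, the `10.0.0.0/8` internal range, the function names and the three-source threshold are all constructed for illustration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flows (not from the post): (src_ip, src_port, dst_ip, dst_port, proto).
# 10.0.0.5 stands in for the monitored host; remote addresses are documentation ranges.
FLOWS = [
    ("10.0.0.5", 51512, "198.51.100.7", 80, "tcp"),   # host opens a web connection
    ("198.51.100.7", 80, "10.0.0.5", 51512, "tcp"),   # the matching reply
    ("203.0.113.10", 80, "10.0.0.5", 33824, "tcp"),   # unsolicited, source port 80
    ("203.0.113.44", 80, "10.0.0.5", 33824, "tcp"),
    ("203.0.113.200", 80, "10.0.0.5", 33824, "tcp"),
    ("192.0.2.9", 80, "10.0.0.5", 40000, "tcp"),      # lone stray, below threshold
]

def unsolicited_from_port(flows, internal_net, src_port=80):
    """Return inbound flows from src_port that answer no outbound flow."""
    net = ipaddress.ip_network(internal_net)

    def inside(ip):
        return ipaddress.ip_address(ip) in net

    # Each outbound 5-tuple, reversed, is what a legitimate reply looks like.
    expected = {(d, dp, s, sp, p) for s, sp, d, dp, p in flows
                if inside(s) and not inside(d)}
    return [f for f in flows
            if f[1] == src_port and inside(f[2]) and not inside(f[0])
            and f not in expected]

def group_by_prefix(flows, prefix_len=24, min_sources=3):
    """Group by (source prefix, dst port); keep groups with enough distinct sources."""
    groups = defaultdict(set)
    for src, _sport, _dst, dport, _proto in flows:
        prefix = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
        groups[(str(prefix), dport)].add(src)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_sources}

if __name__ == "__main__":
    hits = unsolicited_from_port(FLOWS, "10.0.0.0/8")
    for (prefix, dport), sources in group_by_prefix(hits).items():
        print(f"{prefix} -> dport {dport}: {len(sources)} sources {sources}")
```

A stateful firewall drops these flows because no session exists for them; a stateless rule that permits anything from source port 80 passes them, so any hit that reached the host also points at a filtering gap.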