Strange repeating probes to port 80


Strange repeating probes to port 80

by boris mutina

Dear list readers,
for an unknown reason I decided to create a very lame honeypot. I took WXP,
enabled IIS and forwarded ports 80 and 135 (both TCP and UDP). Then I
started IIS logging and started Wireshark to capture everything on the
wire. I was not expecting any special result, but what I got is
something I cannot explain.
From a remote host there is a communication request represented by a SYN
packet to the honeypot's port 80. The honeypot responds with SYN/ACK and,
before it receives the ACK, a UDP datagram to port 80 is received from that
host with a payload of 19 bytes (sometimes it is 20 or even 21
bytes, dunno why). Then, after the ACK from the remote host, TCP data is sent
(it looks like HTTP data but it is not), usually with a variable
length of 20-80 bytes or so. The honeypot sends an ACK to this, then there is
a 59-second delay and then a FIN/ACK from the remote host followed by an ACK
and FIN/ACK by the honeypot and an ACK by the remote host.
Strange things I cannot explain are these:
1. The 3rd byte of the UDP payload is always 02
2. I tried to connect back to these systems using netcat to the
port number from which the UDP datagram came. I tried this:
ross@rommy:~$ nc 93.113.XXX.XXX 56856
GET / HTTP/1.0

HTTP/1.0 404 Not Found
3. Tried this:
ross@rommy:~$ nc 93.116.XXX.XXX 56856
HEAD / HTTP/1.0
eáÊÃ|Ø(kN|ųDz«n»Íà
                   DÐLq<e4á]ÌÐ %Ax&ߥ[P¾\ª(yVO´ÂËqî
ÚØi¿d
ò;°aw¼ý
sY¶/

4. Now the craziest thing is that these "probes" repeat at a
relatively precise time interval - 7220 seconds.

Can anybody explain to me what the heck is going on? Or am I just
chasing a ghost? I can send the data sample upon request.

bm

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
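An added detection example (not from the post or the list): the pattern described above, a UDP datagram to port 80 whose third byte is 0x02 arriving right after a TCP SYN from the same host and repeating on a fixed interval, can be flagged from connection logs once the two events are correlated. The script below does that over constructed sample events; the IP addresses, ports, event record format and the 60-second tolerance are assumptions, not values from the post.

```python
"""Detector for the post's pattern: a 19-21 byte UDP datagram to port 80 whose third byte
is 0x02, sent just after a TCP SYN to port 80 from the same host, at a steady interval."""
from collections import defaultdict
from statistics import median

P = b"\x00\x00\x02"  # any two leading bytes, then the constant 0x02 third byte
EVENTS = [  # constructed samples: (epoch_seconds, kind, src_ip, src_port, dst_port, payload)
    (1000, "tcp-syn", "203.0.113.5", 40001, 80, b""),
    (1001, "udp", "203.0.113.5", 56856, 80, P + b"\x00" * 16),                 # 19 bytes
    (1500, "udp", "198.51.100.9", 5353, 80, b"\x00\x00\x84" + b"\x00" * 16),   # 3rd byte not 0x02
    (2000, "tcp-syn", "192.0.2.7", 5001, 80, b""),
    (2001, "udp", "192.0.2.7", 6000, 80, P + b"\x00" * 17),                    # 20 bytes
    (2100, "tcp-syn", "192.0.2.7", 5002, 80, b""),
    (2101, "udp", "192.0.2.7", 6000, 80, P + b"\x00" * 17),
    (7100, "tcp-syn", "192.0.2.7", 5003, 80, b""),
    (7101, "udp", "192.0.2.7", 6000, 80, P + b"\x00" * 17),                    # irregular gaps
    (8220, "tcp-syn", "203.0.113.5", 40002, 80, b""),
    (8221, "udp", "203.0.113.5", 56856, 80, b"\x00\xa1\x02" + b"\x00" * 17),   # 20 bytes
    (15440, "tcp-syn", "203.0.113.5", 40003, 80, b""),
    (15441, "udp", "203.0.113.5", 56856, 80, P + b"\x00" * 18),                # 21 bytes
]

def is_probe_payload(payload):
    """Signature from the post: 19-21 byte UDP payload whose third byte is 0x02."""
    return 19 <= len(payload) <= 21 and payload[2] == 0x02

def find_probe_pairs(events, window=2.0):
    """(src_ip, udp_time) for each probe datagram to port 80 that was preceded
    within `window` seconds by a TCP SYN to port 80 from the same host."""
    last_syn, pairs = {}, []
    for ts, kind, src, _sport, dport, payload in sorted(events, key=lambda e: e[0]):
        if kind == "tcp-syn" and dport == 80:
            last_syn[src] = ts
        elif kind == "udp" and dport == 80 and is_probe_payload(payload):
            if src in last_syn and 0 <= ts - last_syn[src] <= window:
                pairs.append((src, ts))
    return pairs

def periodic_sources(pairs, tolerance=60.0):
    """{src_ip: median_gap} for sources with at least three probes whose
    consecutive gaps all lie within `tolerance` seconds of the median gap."""
    times = defaultdict(list)
    for src, ts in pairs:            # pairs come out of find_probe_pairs in time order
        times[src].append(ts)
    result = {}
    for src, ts_list in times.items():
        gaps = [b - a for a, b in zip(ts_list, ts_list[1:])]
        if len(gaps) >= 2 and all(abs(g - median(gaps)) <= tolerance for g in gaps):
            result[src] = median(gaps)
    return result
```

Run against the constructed events, only 203.0.113.5 is reported, with a median gap of 7220 seconds; the host with the same signature but irregular timing and the datagram with a different third byte are both left out.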


Re: Strange repeating probes to port 80

by Gleb Paharenko-3

Hi!

IMHO, it might be some botnet command center, which sends UDP probes
to check if your host is infected. It would be interesting if you sent the
same UDP packet back :)
Here is a clue for a UDP-managed trojan: it is looking for UDP packets
containing the word "DOM":
   http://old.honeynet.org/scans/scan21/sol/scan21_turner.txt

2009/10/26 boris mutina <boris.mutina@...>:

> Dear list readers,
> for an unknown reason I decided to create a very lame honeypot. I took WXP,
> enabled IIS and forwarded ports 80 and 135 (both TCP and UDP). Then I
> started IIS logging and started Wireshark to capture everything on the
> wire. I was not expecting any special result, but what I got is
> something I cannot explain.
> From a remote host there is a communication request represented by a SYN
> packet to the honeypot's port 80. The honeypot responds with SYN/ACK and,
> before it receives the ACK, a UDP datagram to port 80 is received from that
> host with a payload of 19 bytes (sometimes it is 20 or even 21
> bytes, dunno why). Then, after the ACK from the remote host, TCP data is sent
> (it looks like HTTP data but it is not), usually with a variable
> length of 20-80 bytes or so. The honeypot sends an ACK to this, then there is
> a 59-second delay and then a FIN/ACK from the remote host followed by an ACK
> and FIN/ACK by the honeypot and an ACK by the remote host.
> Strange things I cannot explain are these:
> 1. The 3rd byte of the UDP payload is always 02
> 2. I tried to connect back to these systems using netcat to the
> port number from which the UDP datagram came. I tried this:
> ross@rommy:~$ nc 93.113.XXX.XXX 56856
> GET / HTTP/1.0
>
> HTTP/1.0 404 Not Found
> 3. Tried this:
> ross@rommy:~$ nc 93.116.XXX.XXX 56856
> HEAD / HTTP/1.0
> eáÊÃ|Ø(kN|ųDz«n»Íà
>                   DÐLq<e4á]ÌÐ %Ax&ߥ[P¾\ª(yVO´ÂËqî
> ÚØi¿d
> ò;°aw¼ý
> sY¶/
>
> 4. Now the craziest thing is that these "probes" repeat at a
> relatively precise time interval - 7220 seconds.
>
> Can anybody explain to me what the heck is going on? Or am I just
> chasing a ghost? I can send the data sample upon request.
>
> bm



--
Best regards.
Gleb Pakharenko.
http://gpaharenko.livejournal.com
http://www.linkedin.com/in/gpaharenko
+380503116172



RE: Strange repeating probes to port 80

by Paul Jenkins


Have you checked the whois on the source IP of the offending machine? What is in the packet?

-Paul

-----Original Message-----
From: listbounce@... [mailto:listbounce@...] On Behalf Of Gleb Paharenko
Sent: Friday, October 30, 2009 2:32 PM
To: boris mutina
Cc: security-basics@...
Subject: Re: Strange repeating probes to port 80
