The use of unusual, rare, and specialty TCP/IP ports are often used to sneak past relaxed firewall rules.  SANS ISC reports major spike in port 26 traffic

More weirdness on TCP port 26 (

Port 26 (tcp/udp) :: SpeedGuide

A little over a year ago, I wrote a diary asking what was going on with traffic on TCP port 26. So, last week when I noticed another spike on port 26.   Based on looking at my honeypot traffic, it looks like a possible new variant of Satori. I’m still not sure why they are expecting to find telnet on port 26, but this is what I’m seeing in the honeypot.