[ErikRogneby]

Anyone know why 21320 is such a big target? Spybot S&D?

[psykovsky]

A quick google search seems to indicate that 21320 is a port commonly used to setup a proxy after an infection. It's probably the attacker trying to use the honeypot as a proxy after a "successful" infection of the machine.