Strange scan behavior

[Daniel Martin <dtmartin24 () HOME COM>]

I have noticed a few people connect to some open tcp port on my
machine and then send the three bytes 05 01 02 - this first happened
on December 4th of last year on port 80, but has happened twice since
on port 27374 (yes, I have a subseven honeypot).

Is this some tcp stack vulnerability?  I ask because it just seems odd
that it would be sent to port 80, unless it was either a webserver or
general tcp vulnerability, and there's not much sense in sending a
webserver vulnerability to port 27374.

If it helps, the person who sent this weird request to my webserver
also sent the two bytes 04 01 on a different connection immediately
prior to this one.