TCP/UDP Ports I've been scanned on over the last 13 months:

ftp-data         20/tcp
ftp              21/tcp
pcAnywhere       22/udp
telnet           23/tcp
smtp             25/tcp           mailserver
domain           53/tcp           nameserver      # name-domain server
bootps           67/udp
finger           79/tcp
www              80/tcp           http            # WorldWideWeb HTTP
tacnews          98/tcp           TAC News
pop-2            109/tcp          postoffice      # POP version 2
pop-3            110/tcp                          # POP version 3
sunrpc           111/tcp          portmapper      # RPC 4.0 portmapper TCP
auth             113/tcp          authentication tap ident
nntp             119/tcp          readnews untp   # USENET News Transfer Protocol
netbios-ns       137/tcp                          # NETBIOS Name Service
netbios-ns       137/udp          could be "normal traffic", like 113 ident
netbios-ssn      139/tcp                          # NETBIOS session service
netbios-ssn      139/udp
imap             143/tcp          Internet Message Access Protocol
snmp             161/udp          SNMP
microsoft-ds     445/tcp          Microsoft-DS
fcp              510/tcp          FirstClass Protocol
printer          515/tcp          spooler         # line printer spooler
ncp              524/tcp          NCP
rlzdbase         635/tcp
socks            1080/tcp                         # socks proxy server
                 1243/tcp
ingreslock       1524/tcp
                 2140/tcp         2110-2164 Unassigned
rockwell-csp2    2222/tcp         Rockwell CSP2
                 3128/tcp         3107-3129 Unassigned
pcanywherestat   5632/tcp         pcANYWHEREstat
pcanywherestat   5632/udp         pcANYWHEREstat
                 6970/tcp
webcache         8080/tcp                         # WWW caching service
                 9088/tcp
                 9704/tcp
                 12345/tcp
                 19000/tcp        from port 20
sub-7 trojan     27374/tcp
                 28431/tcp        unknown trojan
                 31337/udp
                 31789/udp
                 31790/udp
                 32772/tcp
                 32773/tcp
unix traceroutes 33434-33600/udp  33437
                 36306/tcp
                 37875/tcp
                 45298/tcp
                 47017/tcp

Here is an example of somebody trying to get past my firewall and get to my pop server by configuring their machine to have a source port of 20, which gets left open for passive ftp:

Jan 28 05:26:30 zouave kernel: Packet log: input DENY eth0 PROTO=6 209.10.176.98:20 209.204.XXX.XXX:110 L=40 S=0x00 I=14903 F=0x0000 T=244 SYN (#54)

Who is it? Who knows, they forged a bogus address:

frizzen:/home/frankb 51% nslookup 209.10.176.98
Server:  sonic.net
Address:  208.201.224.11

*** sonic.net can't find 209.10.176.98: Non-existent host/domain

This scan got stopped for two reasons:

1) I blocked all access to port 110 before I opened connections from a source port of 20.
2) I only allow connections from a source port of 20 to ports over 1023.
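The same check can be run over a whole firewall log. The following is an added example, not part of the original page: it parses ipchains "Packet log" lines like the one quoted above and reports TCP SYNs from source port 20 aimed at ports 1023 and below, separating out any that a rule accepted. The function names, the constructed sample lines, the hostname fw and the rule numbers in them are assumptions made for illustration.

```python
import re

# ipchains "Packet log" layout, as in the entry quoted above:
# chain action iface PROTO=n src:sport dst:dport L= S= I= F= T= [SYN] (#rule)
LOG_RE = re.compile(
    r"Packet log: (?P<chain>\S+) (?P<action>\S+) (?P<iface>\S+) "
    r"PROTO=(?P<proto>\d+) "
    r"(?P<src>[\dX.]+):(?P<sport>\d+) (?P<dst>[\dX.]+):(?P<dport>\d+) "  # X = redacted octet
    r".*?T=(?P<ttl>\d+)(?P<syn> SYN)? \(#(?P<rule>\d+)\)"
)

def parse(line):
    """Return the log fields as a dict, or None if the line is not a packet log."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("proto", "sport", "dport", "ttl", "rule"):
        rec[key] = int(rec[key])
    rec["syn"] = rec["syn"] is not None
    return rec

def source_port_20_probes(lines):
    """TCP SYNs from source port 20 to a port <= 1023: (src, dport, action, rule)."""
    hits = []
    for line in lines:
        rec = parse(line)
        if (rec and rec["proto"] == 6 and rec["syn"]
                and rec["sport"] == 20 and rec["dport"] <= 1023):
            hits.append((rec["src"], rec["dport"], rec["action"], rec["rule"]))
    return hits

def wrongly_accepted(lines):
    """Probes that a rule let through: the source-port-20 rule is too broad or too early."""
    return [hit for hit in source_port_20_probes(lines) if hit[2] == "ACCEPT"]

SAMPLE = [
    # From the page:
    "Jan 28 05:26:30 zouave kernel: Packet log: input DENY eth0 PROTO=6 "
    "209.10.176.98:20 209.204.XXX.XXX:110 L=40 S=0x00 I=14903 F=0x0000 T=244 SYN (#54)",
    # Constructed lines (documentation addresses, made-up rule numbers):
    "Jan 28 06:00:01 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "192.0.2.10:20 198.51.100.5:1055 L=44 S=0x00 I=2201 F=0x0000 T=52 SYN (#12)",
    "Jan 28 06:00:09 fw kernel: Packet log: input ACCEPT eth0 PROTO=6 "
    "192.0.2.44:20 198.51.100.5:23 L=40 S=0x00 I=770 F=0x0000 T=240 SYN (#12)",
    "Jan 28 06:00:15 fw kernel: Packet log: input DENY eth0 PROTO=17 "
    "192.0.2.77:31337 198.51.100.5:31337 L=47 S=0x00 I=91 F=0x0000 T=113 (#60)",
]
```

Any entry returned by wrongly_accepted() means the two conditions listed above (deny the service port first, allow source port 20 only to ports over 1023) are not both in effect on the logging firewall.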