Reconnaissance is the first thing that an attacker will do to find a juicey target. Port scans (aka port knocking) is only one form of recon (war-dialing is another example) and it serves the purpose of revealing what services the target host has wide open.

Once an attacker finds open ports such as NetBios or FTP they will do some research about the open ports to see if any vulnerabilities exist and if so, will come back later with the right tool to compromise your system.

In a lot of cases the attacks are spoofed, meaning, the attacker has either compromised another system and is attacking you from there or else they are using phoney source IP addresses to cause a condition whereby your system becomes completely "owned" by them and they can re-visit anytime and your system will be the next porn mirror or point of attack.