Dameware scans, worm?

["Keith T. Morgan" <keith.morgan () terradon com>]

We've seen an increase in scans for dameware (tcp 6129) over the past
four days.  I believe there was an exploit released for dameware, but
I'm unaware of it's behavior.  A colleague first noticed these across
multiple class C networks scanning consecutive IPs, and we have been
seeing the same type of activity.

The interesting part about the scans is that they almost universally
have a source port of 220, which to me indicates either worm activity or
a canned scanner/exploit combo with a hard-coded source-port.

Anyone else seeing an increase in these?

**************************************************************************************************
The contents of this email and any attachments are confidential.
It is intended for the named recipient(s) only.
If you have received this email in error please notify the system manager or  the 
sender immediately and do not disclose the contents to anyone or make copies.

** this message has been scanned for viruses, vandals and malicious content **
**************************************************************************************************


---------------------------------------------------------------------------
----------------------------------------------------------------------------