APC UPS Data Center & Enterprise Solutions Forum
Schneider, APC support forum to share knowledge about installation and configuration for Data Center and Business Power UPSs, Accessories, Software, Services.
Posted: 2021-06-29 05:40 AM . Last Modified: 2024-03-13 12:43 AM
I have a Smart-UPS 2200 which is sending me email notifications about an unauthorized user attempting to access the SNMP interface. Over the past 12 hours I have received 6199 such emails. Now, I have SNMP trap receivers configured, and the IP address in question is NOT one of those. I have two configured. I am getting this error from my Domain Controller, which does NOT have SNMP installed and configured. Under the DC service settings, SNMP Trap is disabled and set to manual. Under Roles, it is not installed. I have tried Reset/Reboot - Reboot Management Interface, with no success; errors are still being sent. I have currently disabled the email notifications, but the logs continue to grow. Any help would be appreciated. Thank you!
The settings for the UPS under Admin - General - About:
Hardware Factory
Model Number: | AP9630 |
Serial Number: | ZA1227004500 |
Hardware Revision: | 05 |
Manufacture Date: | 06/25/2012 |
MAC Address: | 00 C0 B7 96 17 18 |
Management Uptime: | 0 Days 0 Hours 39 Minutes |
Application Module
Name: | sumx |
Version: | v5.1.7 |
Date: | Dec 1 2011 |
Time: | 13:01:45 |
APC OS (AOS)
Name: | aos |
Version: | v5.1.7 |
Date: | Nov 22 2011 |
Time: | 09:53:57 |
APC Boot Monitor
Name: | bootmon |
Version: | v1.0.2 |
Date: | Jan 21 2010 |
Time: | 13:35:57 |
Posted: 2021-06-29 05:40 AM . Last Modified: 2024-03-13 12:43 AM
Hi Adam,
Your firmware is a little old as we are several revisions ahead and on to v6.X.X which is a major upgrade from the 5.1.7 you are running. I do not think it is related to the problem but I did want to mention it in case you weren't aware.
With what I know, I also believe that there is something coming from your domain controller that is triggering this and it is not an issue of the card generating the alarms erroneously. There is likely something trying to do SNMP polling or SNMP something over ports 161/162 versus anything to do with SNMP traps (alerts), which you already checked. Is there potentially some type of SNMP scanner software installed, as opposed to a service running on Windows? Or perhaps any type of penetration scanner like Nessus, Retina, etc. that runs on an entire network or subnet that could be probing the IP address of the NMC?
I can tell you at least with this firmware, we know it is SNMPv1 since in this older firmware, SNMPv3 does not trigger these messages (which we fixed in newer firmware).
Lastly, SNMPv1 is enabled by default. You could check your SNMP settings under Administration->Network menu and adjust the community names and NMS/IP hostname fields to try and filter out any requests outside of the SNMP systems you do actively use. Do you use SNMP polling or just traps/alerts? You could potentially disable some of the SNMP settings as well to just allow SNMP traps.
Posted: 2021-06-29 05:40 AM . Last Modified: 2024-03-13 12:43 AM
Thank you for trying to help me fix this! I have done the firmware update, and as soon as I activate SNMPv1 with the two servers which have SNMP, .30 and .159, I get the error back from the DC, which is .96, not on the list for SNMP at all. If I change it from SNMPv1 to v3, I no longer get the error. I have double-checked the DC .96 for any and all SNMP settings; all are off.
Posted: 2021-06-29 05:41 AM . Last Modified: 2024-03-13 12:43 AM
I have even added the .96 address into the allow config as read and am still getting the detection.
Posted: 2021-06-29 05:41 AM . Last Modified: 2024-03-13 12:43 AM
So I have gone back to the DC. The SNMP was set to manual; I have completely set it to disabled and still have the error. Attached is the .tar file. Any and all help is greatly appreciated. Other than providing the unit with the IP, I have no clue what else would be trying to communicate with it from the DC.
Posted: 2021-06-29 05:41 AM . Last Modified: 2024-03-13 12:43 AM
As of this morning, I added a rule on the DC to block port 161, and now I no longer receive the unauthorised attempt log. However, I still cannot figure out why this worked, or what was looking on port 161.
Posted: 2021-06-29 05:41 AM . Last Modified: 2024-03-13 12:43 AM
Hi Adam - I see in your config.ini that there are IPs set up in the SNMP polling configuration - some 192.168.X.X IPs - do you know what these are? I ask because what I was suggesting would probably not work if you were actively using those because you have to leave those configs enabled to let those devices do SNMP polling.
Anyway, yes, it seems to prove that there is something on your DC that is sending out the requests. Do you have other NMCs on the same network that did NOT show the alarm? Just curious if you could see if there was a security scanner or tool hitting everything on your network trying to do SNMP requests. We have customers that run tools like I mentioned previously that do penetration or intrusion detection type stuff.
If it were me, I would just comb through all running services/programs and see what is there. If you have done all of that, it just seems like there is something that is not obvious or that maybe could be running under another user or something weird like that?
Posted: 2021-06-29 05:41 AM . Last Modified: 2024-03-13 12:43 AM
Yes, the two 192.168.X.X I know what those are: Spiceworks and LibreNMS. I ran a packet tracker on the DC, which is how I found port 161 was being used to the unit. After blocking the port the issue is gone. Now I need to figure out what was causing the DC to look to the unit through port 161. At this time I believe the issue is on the DC side, not the UPS side. A fun note I was just told about today: my boss changed the UPS IP address before this issue started. Not sure how or why that would matter but fun cause.
Posted: 2021-06-29 05:41 AM . Last Modified: 2024-03-13 12:42 AM
Just to share what the issue ended up being, to maybe help others. The DC spoolsv.exe was the issue. The IP of the UPS was in the range of printers the DC searches for. Even though no printer was set up on the IP, the DC was still trying to find one. Thank you Angela for your assistance!
Posted: 2021-06-29 05:41 AM . Last Modified: 2024-03-13 12:42 AM
Hi Adam - thanks for the update and letting me/us know what you found. Have a great weekend!