Unathorized SNMP Alerts

Anonymous user · ‎2021-06-29

For the last 2 or 3 weeks, I have several UPSs at various locations that are getting bombarded with SNMP requests from various user workstations. I can't find any commonality with them, some are windows 7 and others are Windows 10. The messages seem to be showing up when people turn on or restart their computers.

We've performed malware and anti-virus scans on everything and all comes back clean. Has anybody seen anything like this or have any ideas? I'm tired of my email blowing up with these alerts.

jccarr_apc · ‎2021-06-29

Sorry to necro an old thread but I also experienced this. It was the Konica Minolta Device Agent on a Windows server performing SNMP probes. Stopped and disabled the service.

See Answer In Context

BillP · ‎2021-06-29

Hi Ryan,

Are you actually using SNMP with the Network Management Cards installed in the UPS (these are what send the alerts)? If not, we can disable SNMP completely.

SNMPv1 is enabled by default and SNMPv3 can also be enabled. Which one are you using? (Side note: Only in AOS v6.4.6 and higher did we start logging this for SNMPv3 attempts. Prior to that, only v1 attempts were logged.)

In general, it would seem like there is some sort of SNMP Agent on the user's computer's potentially assuming the IP address doing the attempt is logged in the message and you've pinpointed it to user's machines. We can look at changing the SNMP credentials and access control on the UPSs (specifically the network management card) or may have to dig further on the user's machines to see what is installed there.

I have never seen this be the cause of the Network Management Card besides some incorrect credentials or settings.

Anonymous user · ‎2021-06-29

I'm having the same problem and not finding any solutions online. Random computers and servers in the network seem to be trying to access the UPS GUI. Below is the email alert I get.

Name :

Location : F

Contact : J

http://

http:// (Local) http://

Serial Number : 5A1xxxxxxxxx

Device Serial Number : AS1xxxxxxxxx

Date : 10/26/2017

Time : 07:17:15

Code : 0x0004

Informational - Detected an unauthorized user attempting to access the SNMP interface from X.X.X.X

Please let us know what to do about these alerts. Other department heads get these reports to let them know when we lose power, and these reports are causing panic.

Thank you,

Jason

BillP · ‎2021-06-29

Hi Jason - are you using SNMP for monitoring? If you're not using it for monitoring, then you can completely disable both the SNMPv1 and SNMPv3 interfaces on the Network Management Card in the UPS. SNMPv1 is enabled by default.

If you're using SNMP monitoring, then you can at least evaluate what the SNMP access controls are set to now and see if you can adjust them accordingly.

Depending on the situation too, you can also consider specifically disabling these specific events for notifications from email. This of course wouldn't address the root of the problem and you'll still see these messages from the event log (but we usually don't recommend disabling from the event log itself but it can be done).

I am not sure what would work best for either of you. Instructions on the above options depend on which firmware version(s) you may have. If you can share those, then we can try to provide you some guidance on changing the settings if you need it.

Anonymous user · ‎2021-06-29

I can try that, but I'm wondering what changed to make this reporting go haywire all of a sudden?

BillP · ‎2021-06-29

Hi Jason - Did you recently upgrade the network management card firmware by chance? If you are using SNMPv3, I can say that these messages would've only started being logged as of v6.4.6 AOS (APC Operating System). So, previously they may have gone unnoticed or there was no visibility into them. This would only be a possible cause if using SNMPv3 specifically and you have v6.4.6.

BillP · ‎2021-06-29

I came across this post while I was researching a problem that I am having and I am hoping someone can help.

About 3 weeks ago I started to receive the following e-mails from my Smart1500 USP;
“Detected an unauthorized user attempting to access the SNMP interface from 192.168.xxx.xx”.
We are using SNMP for monitoring and only SNMPv1 is enabled, also the community on the UPS and workstations match. I receive the e-mails 3 times a week. Each attempt comes from one of 3 different workstations on our network. According to the e-mails each workstation attempts the access once each week on the same day, one on Friday, one on Saturday and one on Tuesday. The only thing these workstations have in common is that they are all running Windows 7. One of the workstations is a new computer right out of the box. After I started to receive the e-mails I contacted APC support team a couple of times, in doing so we have confirmed that SNMP is configured correctly on the UPS, we have upgraded the firmware on the UPS in hopes that the e-mails would stop and they showed me how to disable the e-mails. However, I still do not know what is causing the issue. The UPS has been in service for years and with the exception of the one workstation the other two computer have been up and running now for 1 to 2 years. I have run multiple virus scans on the computers and they always come up clean. APC support stated that they cannot help with the workstations. Can someone please give me an idea as to what could be running on these workstations that would cause this problem?

BillP · ‎2021-06-29

If they always happen on the same PCs at a certain time of the day, I was thinking can you rig up a packet capture with Wireshark or similar tool to see if you can capture the requests happening over the network? I am not sure if it happens in the middle of the night or what.

It is really hard to answer this without seeing what is installed specifically. You could evaluate what services and processes are running on the PC at the time and research if any of them support SNMP polling.

Do these tools run any network penetration or scanning software which may scan a certain network or subnet periodically? Or any SNMP MIB browsers perhaps? (I use MIB browsers to test certain OIDs and I wouldn't expect them to scan devices unless I specify a certain IP). Those may be something obvious you already checked but I don't know if a host intrusion detection program too, which often comes as part of a virus scanner package may be the culprit.

Other than that I am not aware of any common culprits of this we've found with other customers or anything unfortunately.

cs_support_apc · ‎2021-06-29

Replying to this old thread so others can reference...

I had this issue and discovered it was the Canon network scanning selector utility for my home printer that was the culprit.

I suspect other manufacturer's utilities for network printer or scanner discovery may cause the same effect.

jccarr_apc · ‎2021-06-29

Sorry to necro an old thread but I also experienced this. It was the Konica Minolta Device Agent on a Windows server performing SNMP probes. Stopped and disabled the service.