For the last 2 or 3 weeks, I have had several UPSs at various locations that are getting bombarded with SNMP requests from various user workstations. I can't find any commonality between them; some are Windows 7 and others are Windows 10. The messages seem to show up when people turn on or restart their computers.
We've performed malware and anti-virus scans on everything and all comes back clean. Has anybody seen anything like this or have any ideas? I'm tired of my email blowing up with these alerts.
Are you actually using SNMP with the Network Management Cards installed in the UPS (these are what send the alerts)? If not, we can disable SNMP completely.
SNMPv1 is enabled by default and SNMPv3 can also be enabled. Which one are you using? (Side note: Only in AOS v6.4.6 and higher did we start logging this for SNMPv3 attempts. Prior to that, only v1 attempts were logged.)
In general, it would seem there is potentially some sort of SNMP agent on the users' computers, assuming the IP address making the attempt is the one logged in the message and you've pinpointed it to users' machines. We can look at changing the SNMP credentials and access control on the UPSs (specifically on the Network Management Card), or we may have to dig further on the users' machines to see what is installed there.
I have never seen the Network Management Card itself be the cause of this, other than through incorrect credentials or settings.
I'm having the same problem and not finding any solutions online. Random computers and servers in the network seem to be trying to access the UPS GUI. Below is the email alert I get.
Location : F
Contact : J
http:// (Local) http://
Serial Number : 5A1xxxxxxxxx
Device Serial Number : AS1xxxxxxxxx
Date : 10/26/2017
Time : 07:17:15
Code : 0x0004
Informational - Detected an unauthorized user attempting to access the SNMP interface from X.X.X.X
Please let us know what to do about these alerts. Other department heads get these reports to let them know when we lose power, and these reports are causing panic.
Hi Jason - are you using SNMP for monitoring? If you're not using it for monitoring, then you can completely disable both the SNMPv1 and SNMPv3 interfaces on the Network Management Card in the UPS. SNMPv1 is enabled by default.
If you're using SNMP monitoring, then you can at least evaluate what the SNMP access controls are set to now and see if you can adjust them accordingly.
Depending on the situation, you can also consider disabling email notifications for these specific events. This of course wouldn't address the root of the problem, and you'll still see these messages in the event log (they can be disabled from the event log itself too, but we usually don't recommend that).
I am not sure what would work best for either of you. Instructions on the above options depend on which firmware version(s) you may have. If you can share those, then we can try to provide you some guidance on changing the settings if you need it.
I can try that, but I'm wondering what changed to make this reporting go haywire all of a sudden?
Hi Jason - Did you recently upgrade the network management card firmware by chance? If you are using SNMPv3, I can say that these messages would've only started being logged as of v6.4.6 AOS (APC Operating System). So, previously they may have gone unnoticed or there was no visibility into them. This would only be a possible cause if using SNMPv3 specifically and you have v6.4.6.
If they always happen on the same PCs at a certain time of day, I was thinking: can you rig up a packet capture with Wireshark or a similar tool to see if you can capture the requests happening over the network? I am not sure if it happens in the middle of the night or what.
It is really hard to answer this without seeing what is installed specifically. You could evaluate what services and processes are running on the PC at the time and research if any of them support SNMP polling.
Do these tools run any network penetration or scanning software which may scan a certain network or subnet periodically? Or any SNMP MIB browsers, perhaps? (I use MIB browsers to test certain OIDs, and I wouldn't expect them to scan devices unless I specify a certain IP.) Those may be something obvious you already checked, but I don't know whether a host intrusion detection program, which often comes as part of a virus scanner package, may be the culprit too.
Other than that, I am not aware of any common culprits for this that we've found with other customers, unfortunately.
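Added example, not code from this thread or from the UPS vendor: a small Python triage helper that parses alert emails in the format quoted earlier in the thread (the Location/Date/Time/Code lines followed by the "Detected an unauthorized user attempting to access the SNMP interface from ..." line) and tallies them by source address and hour of day. That answers the two questions raised above, which hosts keep showing up and when they do it, so a packet capture can be scheduled on the right machine at the right time. The alert bodies below are constructed samples using RFC 5737 documentation addresses; the field layout follows the quoted alert, and the line format is assumed to be the same across NMC firmware versions.

```python
"""Triage helper for Network Management Card "unauthorized SNMP access" alerts.

Added example; not code from the forum thread or from the UPS vendor.
Assumes the alert body layout quoted in the thread. Sample alerts are
constructed and use RFC 5737 test addresses.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime


def _alert(location, date, time, src, code="0x0004"):
    """Build a constructed alert body in the layout quoted in the thread."""
    return (
        f"Location : {location}\n"
        f"Contact : J\n"
        f"Serial Number : 5A1xxxxxxxxx\n"
        f"Device Serial Number : AS1xxxxxxxxx\n"
        f"Date : {date}\n"
        f"Time : {time}\n"
        f"Code : {code}\n"
        f"Informational - Detected an unauthorized user attempting to access "
        f"the SNMP interface from {src}\n"
    )


# Constructed sample alert mailbox: one host probing several UPSs around
# 07:00-08:00 (a boot-time pattern), one one-off, one second repeat offender,
# and an unrelated informational event that the parser must ignore.
SAMPLE_ALERTS = [
    _alert("Server Room A", "10/26/2017", "07:17:15", "192.0.2.10"),
    _alert("Server Room A", "10/27/2017", "07:19:02", "192.0.2.10"),
    _alert("Server Room B", "10/27/2017", "08:02:41", "192.0.2.10"),
    _alert("Server Room B", "10/27/2017", "13:44:09", "192.0.2.25"),
    _alert("Server Room A", "10/28/2017", "07:21:33", "198.51.100.7"),
    _alert("Server Room B", "10/28/2017", "07:22:10", "198.51.100.7"),
    "Informational - UPS: Restored the local network management "
    "interface-to-UPS communication.",
]

# Field order matches the quoted alert; re.S lets ".*?" span line breaks.
ALERT_RE = re.compile(
    r"Location\s*:\s*(?P<loc>[^\n]*)\n.*?"
    r"Date\s*:\s*(?P<date>\d{2}/\d{2}/\d{4}).*?"
    r"Time\s*:\s*(?P<time>\d{2}:\d{2}:\d{2}).*?"
    r"Code\s*:\s*(?P<code>0x[0-9a-fA-F]+).*?"
    r"attempting to access the SNMP interface from\s+"
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3})",
    re.S,
)


def parse_alert(text):
    """Return a dict with location, timestamp, event code and source IP,
    or None when the text is not an unauthorized-SNMP-access alert."""
    m = ALERT_RE.search(text)
    if not m:
        return None
    when = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
    return {
        "location": m["loc"].strip(),
        "when": when,
        "code": m["code"],
        "src": m["src"],
    }


def summarize(alerts):
    """Per-source hit counts plus the hours of day each source was seen.

    A host that only shows up in a narrow hour band (e.g. right after boot)
    is the one to capture traffic from at that time."""
    parsed = [p for p in (parse_alert(a) for a in alerts) if p]
    counts = Counter(p["src"] for p in parsed)
    hours = defaultdict(set)
    for p in parsed:
        hours[p["src"]].add(p["when"].hour)
    return counts, {src: sorted(h) for src, h in hours.items()}


def hour_histogram(alerts):
    """Count alerts by hour of day across all sources, to test the
    'happens when people power on their PCs' observation."""
    return Counter(p["when"].hour for p in map(parse_alert, alerts) if p)


def repeat_offenders(alerts, threshold=2):
    """Sources seen at least `threshold` times, sorted for stable output."""
    counts, _ = summarize(alerts)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    counts, hours = summarize(SAMPLE_ALERTS)
    for src in repeat_offenders(SAMPLE_ALERTS):
        print(f"{src}: {counts[src]} alerts, hours seen {hours[src]}")
    print("alerts by hour:", dict(sorted(hour_histogram(SAMPLE_ALERTS).items())))
```

Feed it the bodies of the real alert emails (one string per message) instead of SAMPLE_ALERTS; the repeat offenders list is the set of hosts worth inspecting for SNMP-capable services such as the printer and scanner discovery utilities other posters in this thread identified, and the hour histogram tells you when to run the capture.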
Replying to this old thread so others can reference...
I had this issue and discovered it was the Canon network scanning selector utility for my home printer that was the culprit.
I suspect other manufacturers' utilities for network printer or scanner discovery may cause the same effect.
Sorry to necro an old thread but I also experienced this. It was the Konica Minolta Device Agent on a Windows server performing SNMP probes. Stopped and disabled the service.