This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can someone please help me! Approximately 3-5 times a day I have an APC Smart UPS that is sending 3-4 email notifications (at the same time) that an unauthorized user is trying to connect over SNMP. Each time this happens the source IP is different. The source is always coming from an end user machine.

It has been happening for a couple weeks and we are testing out PRTG for log management but we turned the server off that was running that software for a couple days and still got the notification.

Please see below to see what Wireshark is showing me. I have tried some things but with no success. Any direction would be greatly appreciated!

Thank you!

[Screenshot of the Wireshark packet list showing the SNMP get requests; image not reproduced]

asked 26 Oct '17, 13:10

Zick

It is not easy to analyse a picture, but some printer drivers do this, and I could imagine some malware doing the same to find out what systems reachable via the LAN could be vulnerable (OID 1.3.6.1.2.1.1.1.0 is the system description, which should include the software version). Bear in mind that the APC box is not a specific target of the request, it is just the only one which complains. All machines in the network with an SNMP agent enabled may answer these SNMP get requests and some probably do. The question is what happens next if some machine responds - if the requests come from a printer driver, further communication is with the printer's individual address; if they come from malware, it may then use other protocols to attack some of the individual addresses depending on the contents of the SNMP answers (i.e. if it has penetration strategies for particular system types and versions).

(26 Oct '17, 13:45) sindy

Thank you for the reply Sindy. I see what you are saying about the APC and agree about the printer drivers (I've seen a lot of information on the web pointing towards them as a potential issue). And I did have a Zebra printer (That is currently unplugged) that was sending at the same time as these other notifications. The difference being these IPs are end points and the printer IP was listed (and thus easy to isolate).

I will have to get into my AV management and make sure no alerts are going off at the same time this traffic is happening.

Is there additional information I can post that would be helpful to troubleshoot this? I have done a lot of searching on the OIDs listed but I really haven't found much that I think is useful.

Thanks again!

(26 Oct '17, 13:51) Zick

The fact that you switch off a printer doesn't stop that printer's drivers installed on user machines from trying to find it on the LAN. Unfortunately, no protocol field in the SNMP get identifies the source application, but you can check whether the printer driver is installed on all the machines whose IPs send these gets and, if yes, uninstall it from one of them and see whether that machine stops sending the gets or not.

One hint could be the exact value of x in OID 1.3.6.1.4.1.x - the x is an enterprise ID (e.g. 11 is Hewlett-Packard but I assume other digits follow - provide capture files rather than screenshots if you want better analyses) so it should help you identify the printer vendor if the gets come from printer drivers.

No better idea. A Google search for "snmp malware" didn't yield anything useful except the fact that I wasn't the first one to search for that phrase.

(26 Oct '17, 14:12) sindy

Sorry about that Zebra printer; I meant that Wireshark showed the SNMP coming from the printer itself (it was improperly configured).

Thanks for the suggestion on the printer driver (and the HP printer OID digit). The person who set these users up installed the printer locally for each user rather than using a print server so with these notifications coming from several different computers rather infrequently... that is going to be a fun day!

Thanks again for the help.

(26 Oct '17, 14:19) Zick

Well, is it really 11 in your case? If you click the packet in the packet list, you should be able to drill down to the full OID in the packet dissection pane (the middle one). Then, http://www.oid-info.com/get/1.3.6.1.4.1.x should tell you (after replacing the x with the proper number) what the vendor is.

(26 Oct '17, 14:32) sindy
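The two suggestions above (read the enterprise number x out of 1.3.6.1.4.1.x and group the gets by source machine) can be scripted over tshark field output. This is an added example, not code from the thread or from Wireshark; the input lines are constructed to look like `tshark -r capture.pcapng -Y snmp -T fields -e ip.src -e snmp.name` output (tab between fields, comma between multiple OIDs in one packet), and the vendor table is a small illustrative subset (11 = Hewlett-Packard is from the thread, the others from the IANA enterprise-numbers registry).

```python
import re
from collections import defaultdict

SYS_DESCR = "1.3.6.1.2.1.1.1.0"          # sysDescr.0, mentioned in the thread
ENTERPRISE_ROOT = "1.3.6.1.4.1."         # IANA private enterprise subtree
# Illustrative subset only; unknown numbers are resolved via oid-info.com by hand
KNOWN_ENTERPRISES = {9: "Cisco", 11: "Hewlett-Packard", 311: "Microsoft", 318: "APC"}


def classify_oid(oid):
    """Return ('sysDescr', None), ('enterprise', <number>) or ('other', None)."""
    oid = oid.strip()
    if oid == SYS_DESCR:
        return ("sysDescr", None)
    if oid.startswith(ENTERPRISE_ROOT):
        m = re.match(r"(\d+)", oid[len(ENTERPRISE_ROOT):])
        if m:
            return ("enterprise", int(m.group(1)))
    return ("other", None)


def vendor_name(enterprise):
    """Map an enterprise number to a vendor, or say where to look it up."""
    return KNOWN_ENTERPRISES.get(
        enterprise, f"unknown (see http://www.oid-info.com/get/1.3.6.1.4.1.{enterprise})")


def summarize(lines):
    """Group OIDs per source IP so each probing machine can be checked for the driver.

    lines: 'ip.src<TAB>oid1,oid2,...' as tshark -T fields prints them.
    Returns {ip: {'sysDescr': bool, 'enterprises': set_of_numbers}}.
    """
    report = defaultdict(lambda: {"sysDescr": False, "enterprises": set()})
    for line in lines:
        if not line.strip():
            continue
        src, _, oids = line.partition("\t")
        for oid in oids.split(","):
            kind, ent = classify_oid(oid)
            if kind == "sysDescr":
                report[src]["sysDescr"] = True
            elif kind == "enterprise":
                report[src]["enterprises"].add(ent)
    return dict(report)


# Constructed sample of tshark output; 192.0.2.x are documentation addresses
SAMPLE = """192.0.2.10\t1.3.6.1.2.1.1.1.0,1.3.6.1.4.1.11.2.14.11.1.3.1.1.12
192.0.2.23\t1.3.6.1.2.1.1.1.0
192.0.2.10\t1.3.6.1.4.1.11.2.14.11.1.3.1.1.12
192.0.2.51\t1.3.6.1.4.1.318.1"""

if __name__ == "__main__":
    for ip, info in summarize(SAMPLE.splitlines()).items():
        vendors = ", ".join(vendor_name(e) for e in sorted(info["enterprises"])) or "-"
        print(f"{ip}: sysDescr={info['sysDescr']} enterprise OIDs from: {vendors}")
```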

So there are a couple OIDs per 'instance' of this happening. There is an "11" in some instances, but others have many "variable-bindings" so I will need to look into this more for sure. I didn't realize I could directly input into oid-info.com so now I can dig in.

The information it gave me for 1.3.6.1.4.1.11.2.14.11.1.3.1.1.12 was: Vendor: Hewlett-Packard, Module: HP-ICF-DOWNLOAD

Thanks Sindy the investigation continues!

(26 Oct '17, 14:41) Zick
question asked: 26 Oct '17, 13:10

question was seen: 411 times

last updated: 26 Oct '17, 14:41

p​o​w​e​r​e​d by O​S​Q​A