Security Basics mailing list archives

print server compromise?


From: T Shawn Knisely <t_shawn () sbcglobal net>
Date: Fri, 16 Jul 2004 14:49:23 -0400

Fairly new to security field.

Ran across this by accident while researching an unrelated issue on our network. I ran nmap against an IP address to see if it was the SQL server I was looking for. Here is the output of the nmap scan. What I want to know is this (yes, I googled first, with no results): is it possible to compromise a print server? I was able to ftp to the device, with no password required. Among the oddities is that it seems to have nmap on the print server?

This is the list of commands available:
   230 User Name Accepted.
ftp> help
Commands may be abbreviated.  Commands are:

!               features        mls             proxy           size
$               fget            mlsd            put             sndbuf
account         form            mlst            pwd             status
append          ftp             mode            quit            struct
ascii           gate            modtime         quote           sunique
bell            get             more            rate            system
binary          glob            mput            rcvbuf          tenex
bye             hash            msend           recv            throttle
case            help            newer           reget           trace
cd              idle            nlist           remopts         type
cdup            image           nmap            rename          umask
chmod           lcd             ntrans          reset           unset
close           less            open            restart         usage
cr              lpage           page            rhelp           user
debug           lpwd            passive         rmdir           verbose
delete          ls              pdir            rstatus         xferbuf
dir             macdef          pls             runique         ?
disconnect      mdelete         pmlsd           send
edit            mdir            preserve        sendport
epsv4           mget            progress        set
exit            mkdir           prompt          site


Here is the nmap output.

Starting nmap 3.30 ( http://www.insecure.org/nmap/ ) at 2004-07-16 13:56 EDT
Host 10.x.x.x appears to be up ... good.
Initiating SYN Stealth Scan against 10.x.x.x at 13:56
Adding open port 139/tcp
Adding open port 515/tcp
Adding open port 23/tcp
Adding open port 2501/tcp
Adding open port 21/tcp
Adding open port 3001/tcp
Adding open port 80/tcp
The SYN Stealth Scan took 2 seconds to scan 1644 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Interesting ports on 10.x.x.x:
(The 1637 ports scanned but not shown below are in state: closed)
Port       State       Service
21/tcp     open        ftp
23/tcp     open        telnet
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
2501/tcp   open        rtsclient
3001/tcp   open        nessusd
Device type: print server
Running: Intel embedded
OS details: Intel InBusiness Print Station
OS Fingerprint:
(None)
TCP Sequence Prediction: Class=64K rule
                        Difficulty=1 (Trivial joke)
TCP ISN Seq. Numbers: 465000 474A00 484400 493E00 4A3800 4B3200
IPID Sequence Generation: Incremental


Ideas?

Thanks in advance,

T Shawn
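
An added example, not part of the original post: a short Python review of the scan output quoted above, listing the open cleartext management ports and checking the sampled ISNs against the "64K rule" label in the scan. The function names and the `CLEARTEXT_MGMT` set are assumptions made for this example; service names are taken as printed in the scan.

```python
import re

# Excerpt of the scan output quoted in the post above.
SCAN = """\
21/tcp     open        ftp
23/tcp     open        telnet
80/tcp     open        http
139/tcp    open        netbios-ssn
515/tcp    open        printer
2501/tcp   open        rtsclient
3001/tcp   open        nessusd
TCP ISN Seq. Numbers: 465000 474A00 484400 493E00 4A3800 4B3200
"""

# Assumption for this example: service names (as printed by the scan) that
# carry logins or admin traffic in cleartext and deserve review on a device.
CLEARTEXT_MGMT = {"ftp", "telnet", "http"}

def open_ports(report):
    """Return [(port, service)] for every 'open' row of the port table."""
    rows = re.findall(r"^(\d+)/tcp\s+open\s+(\S+)", report, re.M)
    return [(int(port), svc) for port, svc in rows]

def isn_deltas(report):
    """Differences between consecutive sampled ISNs, modulo 2**32."""
    match = re.search(r"TCP ISN Seq\. Numbers:\s*(.+)", report)
    isns = [int(tok, 16) for tok in match.group(1).split()]
    return [(b - a) % 2**32 for a, b in zip(isns, isns[1:])]

def classify_isn(deltas):
    """Nonzero multiples of 64000 are the pattern this scan calls '64K rule'."""
    if deltas and all(d and d % 64000 == 0 for d in deltas):
        return "64K rule"
    if deltas and len(set(deltas)) == 1:
        return "constant increment"
    return "not constant"

def review(report):
    """Summarise the exposure visible in one scan report."""
    deltas = isn_deltas(report)
    return {
        "cleartext_mgmt": [p for p, s in open_ports(report) if s in CLEARTEXT_MGMT],
        "isn_deltas": deltas,
        "isn_class": classify_isn(deltas),
    }

if __name__ == "__main__":
    print(review(SCAN))
```

Every consecutive ISN in the sample differs by exactly 64000, which is why the scan rates sequence prediction as trivial.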
