Security Incidents mailing list archives
RE: Printer exploit?
From: "John Hanks" <jbh () biology usu edu>
Date: Tue, 26 Jun 2001 19:56:25 -0600
We have seen this on our campus. It corresponds well to portscans on port 515; when we get scanned we get the printouts with a page with some text (which I don't have handy, sorry) followed by lots of pages with "U" and "1" on them. My guess at this point is that people are probing for an exploitable LPD and a side effect is that some HP printers start coughing up garbage. It could be a DOS attack against printers, but it always coincides with someone doing a portscan of port 515 on our network so I think it is a side effect.

We blocked port 515 at the firewall and saw a big drop in outgoing traffic, so my other guess is that we were maybe being used in DOS attacks by whatever this exploits. Unfortunately I don't have a packet trace of the attack, just a bunch of snort portscan.log entries and since we blocked 515, I won't be able to collect any packets.

jbh

-----Original Message-----
From: Brendan Murphy [mailto:bmurphy () carbon cudenver edu]
Sent: Tuesday, June 26, 2001 2:32 PM
To: incidents () securityfocus com
Subject: Printer exploit?

Hi all-

More than a few of our networked HP Laserjet printers have been sporadically printing out entire trays of paper that have a '1', 'u', 'i' in the upper right hand corner of the page, -or- a string of text along the top of the page. The jobs don't appear on the queue.

This problem was noticed very rarely beginning a couple of months ago, but has increased in frequency over the last two evenings. ...and it usually only occurs during the evening...but has occurred during the day. Again, it usually goes through the entire tray of paper unless the printer is shut down.

Has anyone heard of any exploits to LaserJet printers, or printers in general that might cause this problem? We've been through the gamut with HP and nothing seems to match...

Some facts, just in case:
- Printers are using JetDirect cards over TCP/IP
- Some users connected through print server, others directly.
- Printers are NOT the same model

I am going to sniff out the traffic this evening to see if I can find anything...but thought I might be able to get a head start in the event that any of you had heard of an exploit that might be causing this one....

Regards,
Brendan Murphy
Network, Video, and DSL Services
University of Colorado-Denver
Computing, Information & Network Services (CINS)
~~~
"Obstacles are only things people see when they take their eyes off their goals."

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com