Hacker News
Printers are spontaneously printing odd "SQL" strings (apple.com)
398 points by jpswade on Aug 21, 2012 | 142 comments

I'm waiting for the great network printer security apocalypse. A bunch of these things are in a great position to turn around and launch attacks on the "chewy on the inside" networks of so many companies. Maybe this has already happened.

My printer has a dumb little print server running an embedded flavor of Linux and a publicly known hard-coded (!) root password. While mine is going to the slag heap sooner or later for that and several other fundamental problems, you can guess that many many more of them are out there just waiting to be taken for a ride.

These dumb little boxes may be underpowered, but once you get inside and set them up to forward packets for you, their raw CPU speed becomes less of an issue. You can run all of the fun attacks from a "real" machine and just let it bounce you to the inside world.

Hypothetically speaking, of course.

I was going to submit those. Thanks!

My very first criminal act of hacking as a teenager was gaining access to a printer somewhere in Spain, by which I had limited access to the rest of the network but I was too dumb to understand what to do.

So yeah, printers at least were a big gaping hole in the late 90s and early 00s.

Many, perhaps most network-connected printers, NAS units, and other devices (e.g., home-automation hardware) simply assume that the local network they connect to will be securely protected from external attack, so they're not configured to withstand even the simplest of attacks.

This is exactly the opposite of what many security experts recommend: ideally all devices should be secure regardless of whether the network they're on is secure or not. With more and more devices offering remote-Internet-access functionality every day, this principle of security is becoming ever more fundamental.

Bruce Schneier's personal WiFi network at home is fully open, because -- in his own words: "If I configure my computer to be secure regardless of the network it's on, then it simply doesn't matter. And if my computer isn't secure on a public network, securing my own network isn't going to reduce my risk very much."[1]

Like rachelbythebay, I'm also waiting for the great network printer security apocalypse.[2]


[1] http://www.schneier.com/blog/archives/2008/01/my_open_wirele...

[2] http://news.ycombinator.com/item?id=4412522


UPDATE: Just for the heck of it, I ran a fairly fast scan (nmap -T4 -A -v -PE [IP address]) on an HP all-in-one printer accessible over my LAN, and there were a LOT of open ports -- see pasted results below. I then pointed my browser to port 9100 on the printer, which instantly printed the HTTP headers without complaint. The printer's configuration page reports that it is "secured" by an administrative password.

  80/tcp   open  http         HP PhotoSmart/Deskjet printer http config (Virata embedded httpd 6_0_1)
  139/tcp  open  netbios-ssn?
  6839/tcp open  tcpwrapped
  7435/tcp open  tcpwrapped
  8089/tcp open  tcpwrapped
  9100/tcp open  jetdirect?
  9101/tcp open  jetdirect?
  9102/tcp open  jetdirect?
  9110/tcp open  unknown
  9220/tcp open  hp-gsg       HP Generic Scan Gateway 1.0
  9290/tcp open  hp-gsg       IEEE 1284.4 scan peripheral gateway
  9500/tcp open  unknown

Rerun with "-sV --allports"

   --allports (Don't exclude any ports from version detection) .
       By default, Nmap version detection skips TCP port 9100 because some
       printers simply print anything sent to that port, leading to dozens
       of pages of HTTP GET requests, binary SSL session requests, etc.
       This behavior can be changed by modifying or removing the Exclude
       directive in nmap-service-probes, or you can specify --allports to
       scan all ports regardless of any Exclude directive.
PS I think the "-A" and "-T4" are redundant. I think aggressive mode sets the timing to 4 among other things.

dfc: running nmap with "--allports" could make the printer waste a lot of paper, so I won't do it. (FWIW, by pointing my browser to the jetdirect port, I was able to control the timing of the http request with more precision and cancel printing immediately after the first page came out.)

PS. No, I was not trying to replicate what happened -- just trying to get a quick sense of how many ports are open. Sorry for the misunderstanding.

Did you read what I posted? The man page excerpt that I included specifically mentions weird printer behavior.

When you posted the nmap scan report I thought you were trying to replicate what had happened. Otherwise it's not really news that print devices have a lot of ports open.

In order to not waste paper you can just have one or two sheets in the tray...

Unfortunately, trying to secure your hardware is a lesson in frustration and ruins the whole experience.

This is because every device acts confused, hangs or produces cryptic errors when facing denied access; restricted resources prevent you from understanding why the access was denied and how to open it; changes in network topology lead to problems that are only stumbled over much later; and it's extremely hostile to guests, who spend half an hour trying to configure.

It's intractable.

Most user crypto has the same set of problems, btw.

A friend of mine over here recently discovered that a certain printer manufacturer (very big one) had a complete SNMP service that runs on all the printers - they aren't protected and you can run any command on it. You can even tell the printer to download, load, and reboot with custom firmware. Amongst many other yucky things.

This sounds somewhat similar.

Which printer manufacturer?

Especially with the development of IPv6, internal routing becomes transparent and the appearance of protection offered by NAT is gone. Possibly these printers have all been assigned public-reachable IPv6 addresses.

It isn't an "appearance" of protection. NAT is the best thing to happen to security for home networks since their inception. The push to remove it with IPv6 and to force home users who don't care about these things to put their entire home network directly on the Internet is going to wreak havoc.

The security comes from the stateful firewall, not from the NAT. In all likelihood, IPv6-supporting home routers will ship with a stateful firewall enabled by default.

The stateful firewall is there because it is necessary for NAT. If it weren't necessary for NAT, consumers would not bother with it. Customers buy the router with the firewall to hook up multiple computers, they don't care about the security. You could argue that they should hire a security consultant to educate them on the need for a stateful firewall when setting up their home network, but you would be smoking crack.

In all likelihood, IPv6-supporting home routers will ship with a stateful firewall enabled by default.

> In all likelihood, IPv6-supporting home routers will ship with a stateful firewall enabled by default.

My thinking is router manufacturers will probably not do this. Because if you don't have a firewall and expose all your computers to the Internet via IPv6, Everything Just Works (assuming the rest of the world uses IPv6, which will be a close approximation to the truth in the future world we're talking about). Which means those insecure routers will have a better user experience for the vast majority people in the market, who don't have a clue about networking and would rather gouge their eyes out than learn about it.

Routers currently don't do this for IPv4 for a good and simple reason: When you're assigned a single public IP by your ISP, there's no way to automagically tell which host is supposed to receive an inbound connection.

The "good" news (from a security standpoint) is that the most clueless will probably be using IPv4 for a long time to come, helped along in their foot-dragging by the eventual release of IPv4 space by early adopters of IPv6-only.

I don't think so - putting "WITH FIREWALL" and "SHIELDS YOU FROM EVIL" will cost manufacturers maybe a few cents and is almost guaranteed to boost sales.

And for services running behind that router there'll probably be some kind of PNP port opening (so there can be "PLAY WITH FRIENDS EASILY" next to those other stickers)

You can't be seriously claiming that someone is port scanning my /48 that I've had since the early 00s? Over a typical slow internet connection that would take rather a long time to find my printer. Let's say you slammed my couple megabit cablemodem with a million address probes per second (yes I'm well aware that's impossibly high). It would only take you 38 billion years of continuous scanning to find my printer. I'll even give you credit that most people are using just a couple (obvious) /64 inside their /48. Assuming my math is correct it would take a mere half a million years per /64, so figure a couple million years and you'll own my home lan...

As soon as some random website's PHP script publishes your IPv6 address, there goes your security.

Assuming your IP address will remain secret seems naive.

Also, this assumes your IP address within your /48 is randomly chosen. Common user choices (or router implementations) might not default to random choices, or the randomness might not actually be very random.

... for example if the IPv6 address is autoconfed from the MAC address, then you can exploit the structure of the MAC address to target a much smaller range of address suffixes, specific to the manufacturer of your target device(s).
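The sub-thread above makes two points worth checking with actual numbers: the enumeration time for a /64 or /48 at a given probe rate, and the fact that a SLAAC address derived from the MAC (modified EUI-64) leaves only the 24 NIC-specific bits unknown once the vendor OUI is known. The following is an added example, not code from the thread; it uses the commenter's hypothetical figure of one million probes per second and constructed sample addresses, and the 24-bit figure assumes the attacker already knows the device vendor's OUI, as the comment describes.

```python
import ipaddress
from typing import Optional

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def is_eui64_iid(addr: str) -> bool:
    """True if the interface identifier has the modified-EUI-64 shape (RFC 4291 App. A):
    the 0xFFFE marker sits in bytes 11-12 of the 16-byte address."""
    b = ipaddress.IPv6Address(addr).packed
    return b[11] == 0xFF and b[12] == 0xFE


def mac_from_eui64(addr: str) -> Optional[str]:
    """Recover the MAC address embedded in a modified-EUI-64 IID, or None if the
    address does not have that shape (e.g. a privacy/random address)."""
    b = ipaddress.IPv6Address(addr).packed
    if not (b[11] == 0xFF and b[12] == 0xFE):
        return None
    first = b[8] ^ 0x02  # undo the universal/local bit flip applied by SLAAC
    mac = bytes([first, b[9], b[10], b[13], b[14], b[15]])
    return ":".join(f"{x:02x}" for x in mac)


def unknown_bits(addr: str, prefix_len: int = 64) -> int:
    """How many address bits an outsider must guess inside the given prefix.
    A random IID leaves all host bits unknown; an EUI-64 IID with a known OUI
    leaves only the 24-bit NIC-specific part (assumption: vendor OUI is known)."""
    host_bits = 128 - prefix_len
    if is_eui64_iid(addr):
        return 24
    return host_bits


def years_to_enumerate(bits: int, probes_per_second: float = 1_000_000) -> float:
    """Worst-case time to try every value of `bits` bits at the given probe rate."""
    return (2 ** bits / probes_per_second) / SECONDS_PER_YEAR


# Constructed sample addresses (documentation prefix, not real hosts).
SLAAC_ADDR = "2001:db8::211:22ff:fe33:4455"     # MAC 00:11:22:33:44:55 embedded
PRIVACY_ADDR = "2001:db8::8d3f:1a2c:77e1:b4d9"  # RFC 4941-style random IID


def audit(addr: str) -> dict:
    """Summarise an address the way a defender auditing their own hosts would."""
    bits = unknown_bits(addr)
    return {
        "address": addr,
        "eui64": is_eui64_iid(addr),
        "mac": mac_from_eui64(addr),
        "unknown_bits": bits,
        "years_at_1M_probes_per_s": years_to_enumerate(bits),
    }


if __name__ == "__main__":
    for a in (SLAAC_ADDR, PRIVACY_ADDR):
        print(audit(a))
    print("whole /64:", years_to_enumerate(64), "years")
    print("whole /48:", years_to_enumerate(80), "years")
```

Running it reproduces the commenter's arithmetic (about 5.8e5 years per /64 and 3.8e10 years per /48 at that probe rate) and shows that the EUI-64 address collapses to 2^24 candidates, which is seconds of work at the same rate; the practical mitigation on the defender side is to prefer privacy (RFC 4941) or stable-but-opaque identifiers over MAC-derived ones.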

it's worth noting, I think, that Schneier is pretty out of touch when it comes to the whole "open wireless" thing, because he leaves himself open to a bunch of local-only attacks. he's correct that your computer should be able to withstand being on the 'open' internet, since it is every time you take it to work or a coffee shop or something, but, don't be an idiot, just turn WPA2 on at your house.

many access points (I think) now provide a feature where they can run multiple SSIDs. so if you're savvy, you can turn on a guest-only open wifi for when you have visitors, and turn it off when they leave. kind of like a guest key for your spare room!

    he leaves himself open to a bunch of local-only attacks
What kind of attacks might those be?

Consider the case of a computer connected to the network with no open ports (other than say, 25 for SSH), with a properly configured firewall, that connects to the Internet through a VPN and with an operating system that auto-updates itself.

What could you do to it from inside the network?

I secure mine mostly so that a neighbor won't download torrents on my connection and thus negatively impact my experience. I imagine in an actual house it's not as necessary, but I live in a zone of large buildings and usually see 20+ networks visible.

Well, if his Internet connection is open, then he's open to being prosecuted for what other people might download on it.

As a celebrity, he probably has some substantial de facto immunity against this. (One blog post, and "the Internet" will show up on his side.) The rest of us... not so much.

Actually with an open wifi you're more protected against such instances because it's concrete proof that your IP was shared by other people, considering how ISPs assign these IPs dynamically and that their logs may not be accurate.

Only in the case the local law doesn't hold you responsible for not having protected your network in the first place.

[Edit] This is the case in Germany. http://ratgeber-recht.welt.de/offene-wlan-hotspots-sind-zula... You may have your own hotspot but you may be liable for misuses.

And in civil lawsuits, you can spend several thousand dollars in legal fees more or less effectively making your point.

Also, it's increasingly apparent that other jurisdictions will increasingly attempt -- or be used -- to ensnare people in more... "permissive" jurisdictions. Don't like the venue? Sue -- or prosecute -- them in another venue.

On the one hand, I feel sad that my response to this is to "close up" connectivity. On the other hand, I for one don't have the resources with which to liberally take such situations on.

Have you checked this line of reasoning with an actual lawyer?


That assumes that his network allows anyone to connect to the internet from it, which is not implied here. Open wifi usually lets anyone who hops on the network talk to the world, but I'd bet someone like Schneier is more sophisticated about that sort of thing.

BTW port 25 is not SSH, it's SMTP. SSH is port 22.

Putting SSH on the open internet with port 22 means it'll be readily identified when people scan. Then they might well try to use dictionary attacks etc. - I'd advise against it simply to stop the log files filling up.

If you're putting sshd on its standard port available to the Internet, why are you allowing password-based auth?

OpenBSD's second remotely-exploitable hole relied on being on the same network segment (AIUI from a quick read it involved sending malformed IPv6 packets). Such vulnerabilities aren't particularly common, but you're always going to be exposing a somewhat wider attack surface to the local network than to the internet at large.

man-in-the middle the windows update channel (see: flame)

man-in-the-middle the VPN

man-in-the-middle administration of the router / wireless access point, which frequently is done without ssl

dhcp exploits, too, both against clients and any existing server.

If they're decent, the guest ID/config can have its own password. Approved guests get wireless without having to put it up and take it down. Unapproved "guests" remain unapproved.

It's not 1994, no one "points" a browser at anything any more.

Look for the good in that post, don't nitpick the phrasing that was chosen.

Thank you for being nice and not resorting to snark against the original snark.

That said, I tell people to point their browser all the time but maybe that's because I've been using browsers since 1994. :)

The good in the post is obvious, someone has to stand up for taking out the bad parts too.

Your stand is fairly unwarranted though. People know what "pointing your browser" means in this context as it is still a commonly used turn of phrase, even though it may date back into the long forgotten antiquity of almost 20 years ago.

> "[...] we're all forwarding port 9100 or 631 to our printer to allow ourselves to print from outside the network, which sets up an HTTP server at that address open to the internet. All it takes is for somebody to put the appropriate GET request in [...]"

> "Both of our printers have public IP addresses"

It looks like the printers are publicly accessible, and some automated tool (nmap?) is just scanning them for vulnerabilities, open ports, or similar. Not too surprising really.

The printed page even says NMap on it. nmapol=tlitcp is Transport Layer Interface and TCP. I'm not positive, but NMap OL could be NMap openvas-library, which is a vulnerability scanner. Sounds to me like someone scanning with NMap over TLI and TCP and it's hitting these printers.

Don't expose your printers to the web without a strict firewall or VPN/reverse proxy!

When nmap scans port 9100 it doesn't send anything (at least as of nmap 6.00 using -sV). It is probably a higher level vulnerability scanner, possibly metasploit, using nmap to discover open ports and then probe deeper on its own.

Nmap avoids sending to 9100 specifically to avoid sending data that the printer may misinterpret as data to be written to a page. You need to give it the --allports option.

   --allports (Don't exclude any ports from version detection) .
       By default, Nmap version detection skips TCP port 9100 because some
       printers simply print anything sent to that port, leading to dozens
       of pages of HTTP GET requests, binary SSL session requests, etc.
       This behavior can be changed by modifying or removing the Exclude
       directive in nmap-service-probes, or you can specify --allports to
       scan all ports regardless of any Exclude directive.
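The man page excerpt above explains why the earlier scan output shows 9100-9102 as "jetdirect?" with no version detail: the Exclude directive in nmap-service-probes keeps version probes away from those ports unless --allports is given. As an added illustration (not nmap's own code, and not its real Exclude line), here is a small parser for a directive in that format together with the decision of which ports would receive version probes; the sample directive is constructed to resemble the real one, and bare port numbers without a T:/U: prefix are treated as applying to both protocols, which is an assumption for this example.

```python
from typing import Iterable, Set, Tuple

# Constructed sample in the nmap-service-probes format; the real file's
# Exclude line may differ.
SAMPLE_EXCLUDE = "Exclude T:9100-9107,T:9600,U:9100"


def parse_exclude(line: str) -> Set[Tuple[str, int]]:
    """Parse an 'Exclude <port spec>' directive into a set of (proto, port) pairs.
    Supports T:/U: prefixes, comma separation and ranges like 9100-9107."""
    if not line.startswith("Exclude "):
        raise ValueError("not an Exclude directive")
    out: Set[Tuple[str, int]] = set()
    for spec in line[len("Exclude "):].split(","):
        spec = spec.strip()
        if not spec:
            continue
        proto, sep, ports = spec.partition(":")
        if sep and proto in ("T", "U"):
            protos = (proto,)
        else:
            protos, ports = ("T", "U"), spec  # assumption: no prefix means both
        lo, dash, hi = ports.partition("-")
        start, end = int(lo), int(hi) if dash else int(lo)
        if start > end or not (0 <= start <= 65535 and 0 <= end <= 65535):
            raise ValueError(f"bad port range: {ports}")
        for p in protos:
            for port in range(start, end + 1):
                out.add((p, port))
    return out


def version_probed(open_ports: Iterable[int], exclude_line: str,
                   allports: bool = False, proto: str = "T") -> Set[int]:
    """Return the open ports that version detection (-sV) would actually probe.
    With allports=True the Exclude directive is ignored, which on a raw-print
    port such as 9100 means the probes come out on paper."""
    excluded = parse_exclude(exclude_line)
    return {p for p in open_ports if allports or (proto, p) not in excluded}


# Open TCP ports taken from the scan output quoted earlier in the thread.
SCANNED_PORTS = [80, 139, 6839, 7435, 8089, 9100, 9101, 9102, 9110, 9220, 9290, 9500]

if __name__ == "__main__":
    print("default -sV probes:", sorted(version_probed(SCANNED_PORTS, SAMPLE_EXCLUDE)))
    print("with --allports:   ", sorted(version_probed(SCANNED_PORTS, SAMPLE_EXCLUDE, allports=True)))
```

The default run leaves 9100-9102 unprobed (hence the bare "jetdirect?" guess from the port number), while the --allports variant would send every version probe, including HTTP GETs and TLS ClientHellos, to the raw-print port.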


That would definitely not be a stealthy scan :)

It is not surprising that printers just accept (possibly malformed) requests just from anywhere?

If I remember the presentation I saw on this, some don't even verify firmware updates.



Not if the owners don't password protect anything. Without a valid login it shouldn't print anything, unless that login were exploited, but I don't see any mention of a password being bypassed.

Agreed, I've seen this before as well. I doubt it really has anything to do with Apple and likely the HP printer server software instead - being directly related to an nmap scan.

After playing around with it, I think that what is causing this to happen is that the JetDirect port on the printer (usually 9100) is getting written to by a port scanner. This will cause a printer using JetDirect to print out whatever gets sent to it on that port. Try it yourself if you have a printer that implements it. For me it was a Brother HD-5370DW.

1. telnet <printer> 9100

2. Type a hello world message.

3. Close the connection

4. The printer will print out whatever you typed. At least it did for me.

Wow, this works on my HP printer. That would explain the reams of pages I get that look like this:

  GET http://www.baidu.com/ HTTP/1.1
  Host: www.baidu.com
  Accept: */*
  Pragma: no-cache


I sometimes get the same ones at work! It's the crawler from the Baidu-search-engine checking if the printer is a web-server.

I contacted ITS about it (obviously, you shouldn't be able to print from outside the university) but they haven't really given it any work. It surely is a security hole, and a minor waste of ink & paper.

Actually, it's somebody searching for an open proxy, note the inclusion of http and hostname in the GET. The baidu crawler wouldn't be so ridiculous as to request its own homepage from your server. Somebody is testing to see if they can get your server to proxy to baidu for them.
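The telnet experiment earlier in the thread and this comment together explain what those printed pages are: port 9100 prints whatever bytes arrive, and a request line carrying an absolute URI (GET http://www.baidu.com/ ...) is the form a client sends to a proxy, not to an origin server, so it is an open-proxy probe rather than a crawler. Here is an added example, not from the thread, that classifies such payloads the way a defender triaging "garbage" print jobs would; all sample payloads are constructed, and the TLS-handshake check is a simple byte-prefix heuristic.

```python
import re
from typing import Dict, Union

REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?$")
ABSOLUTE_URI = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)

# Constructed samples of what a raw-print listener might receive (not real captures).
SAMPLES: Dict[str, Union[str, bytes]] = {
    "proxy_probe": "GET http://www.baidu.com/ HTTP/1.1\r\nHost: www.baidu.com\r\n"
                   "Accept: */*\r\nPragma: no-cache\r\n\r\n",
    "connect_probe": "CONNECT www.example.com:443 HTTP/1.1\r\nHost: www.example.com:443\r\n\r\n",
    "web_probe": "GET /admin.php HTTP/1.1\r\nHost: 192.0.2.10\r\nUser-Agent: scanner\r\n\r\n",
    "tls_hello": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03",
    "hello": "hello world\n",
}


def classify(payload: Union[str, bytes]) -> str:
    """Label a blob written to a raw print port.
    'http-open-proxy-probe': absolute-form or CONNECT request (RFC 7230 s5.3.2/5.3.3,
    the forms a client uses when talking to a proxy).
    'http-web-probe': origin-form request, i.e. someone treating the port as a web server.
    'tls-handshake': starts with a TLS record header (content type 0x16, version 0x03).
    'binary' / 'plain-text': anything else."""
    data = payload.encode("latin-1") if isinstance(payload, str) else payload
    if data[:2] == b"\x16\x03":
        return "tls-handshake"
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError:
        return "binary"
    m = REQUEST_LINE.match(text.split("\n", 1)[0])
    if not m:
        return "plain-text"
    method, target, _ = m.groups()
    if method == "CONNECT" or ABSOLUTE_URI.match(target):
        return "http-open-proxy-probe"
    return "http-web-probe"


def summarize(payload: Union[str, bytes]) -> Dict[str, str]:
    """Produce a one-line triage record: kind, method, target and Host header."""
    kind = classify(payload)
    rec = {"kind": kind, "method": "", "target": "", "host": ""}
    if not kind.startswith("http"):
        return rec
    text = payload if isinstance(payload, str) else payload.decode("ascii")
    lines = text.replace("\r\n", "\n").split("\n")
    m = REQUEST_LINE.match(lines[0])
    rec["method"], rec["target"] = m.group(1), m.group(2)
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            rec["host"] = value.strip()
    return rec


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14s} -> {summarize(blob)}")
```

Whatever the label, the fix is the same one the thread keeps coming back to: port 9100 (and 631) should not be reachable from the Internet at all; the classifier only helps decide whether the traffic you are seeing is a proxy hunter, a web-vulnerability scanner or an ordinary scan, which matters when reporting it.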

But why so often then? Surely at some point you'd know there's an open port there and stop querying it.

Surely at some point these same people would realize there's no admin.php on my web server, but there they are, still looking for it...

because they are automated bots...

I get several pages printed per day, some with other sites listed. Very happy to be enlightened about the source!

Can confirm this works on my Epson printer (SX535WD).

@PJL RDYMSG DISPLAY="Tray 1 Load Plain Letter"

Confuses the heck out of your coworkers.

A while back I hacked a cronjob to update mine with the current weather forecast.

In fact, it's here http://www.elidickinson.com/story/weather-updates-your-hp-pr...

I think it was the first python script I wrote.

The strings contain "sqli" which some of the posters inferred to mean they were experiencing a SQL injection. I doubt this is actually the case. I will say, though, that I have a Brother printer like the one described where I work and have seen similar odd strings on papers that come out of it. At least one time, it's just printed gibberish. I think the common denominator is that these printers are openly shared on a network with a public IP (at least mine is...it's at a big University with public IPs for everybody). I don't know if this is related or not, though.

The strings contain "sqli" which some of the posters inferred to mean they were experiencing a SQL injection. I doubt this is actually the case.

I'm certain you're correct. I've seen many SQL injection attacks, and not one of them has ever labelled itself as such.

Seven hours after posting, I've racked up 21 points for this comment.

I think this shows a defect in the blind voting we've had here for the last year or so. There's no way this off-hand comment is worth that much karma, but nobody can see that I'm being overcompensated for it.

(Sorry for the OT meta-post)

Maybe it's time for something similar to the IPv4 Evil Bit - http://www.ietf.org/rfc/rfc3514.txt

  '; DO $$ BEGIN RAISE NOTICE 'Commencing SQLI.'; END $$; -- Use acronym "SQLI" for stealth reasons

There's also "nmap" in the output, so this could be part of a combined port and vulnerability scan that hit the network printer.

I think this idea is on to something and warrants more investigation.

Edit: That's probably what it is. A port scanner climbed through port 9100 and hit the JetDirect port on the printer, which prints whatever raw data it is given. Cool find!

I'm in the sqlite camp.

That would make sense, especially if it was just some kind of debugging message mentioning the sqlite version.

Spoke with a security guy years ago who got called to a company after they'd been accused of running a warez server. After a bit of digging around he finally found the server on a printer that was running some ancient un-patched version of Solaris.

Don't trust your printer! There were a lot of demos of printer hacks at 28c3 and basically I think I might not print anything ever again. A lot of these things have their firmware implemented in postscript. Updating the firmware consists of printing a special document. It's pretty mental tbh. Your jaw will be scraping along the floor at some of the holes these things have.

Print Me If You Dare: http://www.youtube.com/watch?v=njVv7J2azY8

Hacking MFPs: http://www.youtube.com/watch?v=PqL5P46m_zQ

EDIT: Beaten by 4 hours. Oh well.

I've got a HP printer pretty similar to the one mentioned in the thread. In the course of trying to set it up, I by chance pointed my browser to the printer's network printing port. Interestingly enough it printed out all my browser headers. It seems like these printers just spit out anything that hits that port.

Yes, I used to do a netcat on printers to print for free in college.

Tip for networked computers in colleges, schools, workplaces, and similar environments: You can upload postscript files to them via FTP, this lets you bypass the printer queue running on a server somewhere. Why would you want to do this? Various nefarious reasons, but the reason I did it was because in 90+% of printer outages at university, it was the queue server and not the printer itself experiencing a fault.

If you don't know the IP address of the printer, you can normally get them to print out a diagnostics page by fiddling with the buttons, and this page will contain that information. So far I have always succeeded at logging in with guest credentials.

To network admins who don't want people bypassing their queues: vlan your printers!

We had this problem when I was still at high school. It worked for the most part, but when we photography students started printing to the photo printer all hell broke loose. Things would frequently take 30+ minutes to go through the Pharos print server. At the time they had just hired a new IT guy so we asked him if he could set the printer up on our personal laptops (we only had 3 workstations in the room). After much frustration he managed to get it running, except he accidentally set them up to print directly to the printer, not via the print server. Magically things started popping out after a minute or two, which got the teacher inquisitive. Eventually they realised that we weren't being charged for printing anymore when the print information had our personal computer usernames rather than ID numbers but couldn't blame us as they had set it up themselves. After being told not to do that anymore, we all just set up secondary users with our ID numbers so it all looked legit.

Ah, yes - I forgot to mention that side effect, bypassing the print queue will also mean you don't get charged (assuming your institution has a print credits system set up).

I added several strategically-located university printers to my /etc/printcap such that I could just-in-time print homework from my dorm and pick it up on my way to class. True cloud printing ftw!

I never would have expected that, but it would certainly explain what we're seeing.

I once found a public printer which I don't think was supposed to be public. There wasn't any way to contact the owner since it appeared to be in a different country based on IP address.

...so I set it up as a printer and printed a bunch of lolcats to it.. A few days later it wasn't accessible any more =)

You could have, you know, printed out that the printer was publicly accessible on the printer itself.

Yeah, that was part of the lolcats image. I can't quite remember what I did but it wasn't malicious.

The guy on the other side must have had an interesting day. Suddenly lolcats.

<snip> I'm going to guess that the common theme here is that we're all forwarding port 9100 or 631 to our printer to allow ourselves to print from outside the network, which sets up an HTTP server at that address open to the internet. </snip>

Seriously?! Ignoring the fact that I can't remember when I last printed something, who needs to print to their house from the internet? Can't they just print it when they get home?

Semi off topic anecdote: when I was at Lockheed the head of HR came to me with a Manila envelope and said "I need to know who printed this and when! And I need to know now!"

I took the envelope and looked at it... It was a bunch of prints of gay porn and gay porn websites.

After a few minutes of digging, it was revealed to be one of the directors in the company had printed them late the night before. Checking the badge system he wasn't in the building. Checked VPN logs and he was logged in at the time.

He was mistakenly on VPN from his house and printed stuff that went to his default printer which happened to be the one in the office.

He was previously thought to be a married straight guy.

Similar scenario happened where I was working one summer. The printer in the office I was borrowing started printing porn while I was out. "I swear it wasn't me!" Not sure if they identified the guilty party.

> He was previously thought to be a married straight guy.

Not sure why this is relevant. Are you saying Lockheed has/had a don't-ask-don't-tell policy?

Eh, it could just mean that technological mishaps can have real world consequences. Presumably the man did not want people to know that he was gay, whatever the reason for that was we can't say for sure.

Maybe that was worded inadequately; he was a married straight guy, with kids... But his printing spree was kind of a shock.

A workplace sure as hell should be "don't ask". I don't know what leap of logic you used to get "don't tell", though.

Can you really not think of any cases?

- They have expensive software on a computer in one place that does not have a printer, and a printer at home without the software
- A couple that works from home likes to collaborate while one of them is on the road, with one printing stuff directly to home after meeting with clients
- They like to print stuff from work while things are on their mind (itineraries, boarding passes, etc.) so that they don't have to think about logistics once they're home with family
- etc.

Beware the sentence that starts with "Can't they just..."

I've actually found it useful in the past to be able to print stuff when I'm not in the office - not useful enough that I really care about the feature, just that since it's there it saves a small step in the alternative of emailing then having them open and print it.

Why not setup a VPN to your home?

Isn't this the purpose of Google Cloud Print http://www.google.com/cloudprint/learn/

Would be to my office, and why not because I've never needed to. Our current printer can't do printing from over the internet and I don't care enough to bother setting it up.

For what it's worth. This issue (or an issue very similar to this issue) has been discussed on the nmap seclist.

From the email:

"....However, I've noticed a problem now that I've put this into production. When it scans a network printer, the printer spews out garbage, I have a couple wads of paper on my desk with one or two lines of garbage at the top of each page."


They're getting portscanned. I'm surprised this isn't common knowledge.

If you throw ascii at a jetdirect printer, it will generally just print it out for you. I've used this to debug printers before, as well as to goof around with my coworkers a bit.

This reminds me when I was in college- I used to have VNC running on a public IP without any authentication (on purpose). Randomly, bots would connect, take over control of the screen, and print a bunch of test characters out in Notepad before disconnecting.

I don't know if they just hit it by luck or if they were actively looking for/testing/saving open VNC servers.

You're always being scanned for everything. If I got a penny for every time my company was swept by a scanner, I'd be making more than my salary.

This is almost an understatement.

My home servers get SLAMMED on a daily basis by a whole wonderful plethora of bots. Most recently has been Muieblackcat. Going on the whole salary analogy: I'd make my current salary plus a bit if I had a penny for every scan on the box in my living room. I keep the Ukrainian IPs off my blacklist just for fun. Nothing sensitive on the server, just my web playpen. I kind of hope that one of these exploits works one day so I can see where I've slipped up.

It's not a scan, it's free surprise pen testing!

The only difference between pen testing and hacking is permission.

I vaguely recall that unpatched XP averages just a couple minutes on a network before being owned. If you didn't have the SP on a disc it was a race between the updates and the bots. That might have been old linux propaganda though.

Not propaganda, I saw a great example of this once bringing up a Windows system on a residential line shared with other apartments. Seconds after the box's "Hey, there, Windows Update, got something for me?", the network slowed to a crawl and our router's (rejected) incoming connection log grew hot and heavy. Would be lovely if the massive influx of attempted incoming connections were just eager WindowsUpdate systems, but unless Microsoft moved their infrastructure to China and Romania...

Anyway, there's a reason to travel with your own locked-down router and to never connect through anyone else's connection directly, especially if you're running Windows. Even that's not foolproof, but at least you've got an Angry Bouncer protecting the Windows Club. Windows Update connections totally feel like spotlights and booming bass.

It was certainly true at large LAN parties. I had to reinstall Windows at QuakeCon one year, and it was nearly impossible to win the race against the malware floating around the network. Putting your computer on the same LAN as 3000 gamers (most of whom download a lot of warez) isn't exactly the same as connecting your computer to the internet through a firewall, so I'm not sure if my experience at QuakeCon generalizes to a typical PC setup.

Without SP2 installed, I had multiple systems infected before I had a chance for the service pack to finish installing. I eventually had to order it on CD from Microsoft.

I'm guessing that Windows Firewall (included in SP2) buys you some time, but I can't see unpatched system lasting very long.

When I showed up for my first day of work 8 years ago, a newly installed WinXP system awaited me. I had to patch the system that morning because it had been powered on and connected to the network for several days already.

Why would you have it set it up that way, especially after witnessing bots connecting?

It was an old PC that I didn't care about and only used for testing. I was into security stuff, so it was interesting to see the bots connect (which is why I left it open).

Pretty typical behavior when running vulnerability scanning against a printer target.

Many printers will simply print whatever data comes into certain ports. Have seen similar behavior many times when running web scanning against a printer accidentally instead of a webserver.

I get that this just looks like a scan, but it's strange that half a dozen people reported it at the same time (so the problem is likely more widespread). How long would it take to send these packets to all public IPs in the world (real question, I have no sense of the scale of IP addresses)? I guess it could be that the IPs are known to be running printers from a previous scan. Maybe the printers contact home and HP accidentally sent them a bad message?

I did a project in college where I scanned networks for IPP ports and would print agitprop to them.

The printer panopticon. Oh art school.

Heh... a similar "project" when I was in high school got me sent to the principal's office once :-)

Yeah, I got a nice visit from campus security.

> ... printer panopticon ...

Oh "BBrother" what an ironic comment this is .. /takes off paranoid hat

It seems to me that someone was scanning their network for specific services, probably some DBMS. The printer received the initial communications packet(s) and happily printed whatever was received.

In the printed stuff it also says 'nmap'

Most probably it comes from someone running penetration testing tools against the printer on the network.

Could this be related to Trojan.Milicenso or Trojan.Eorezo? This is the latest (although it's from June/July) threat I know of that prints random stuff.

http://www.symantec.com/connect/blogs/trojanmilicenso-paper-... http://www.symantec.com/docs/TECH190982 http://isc.sans.edu/diary.html?storyid=13519

This would be a great attack if you could get the printers to print ads!

Those are called fax machines.

There are known attacks on printers, e.g., via firmware upload: https://lwn.net/Articles/469865/

Although this mostly looks like scans.

With IPv6 and public IPs this is going to be so much fun. :)

From the comments it seems that it's people sharing their printer, apparently some form of access over the internet (or local network).

Given that these are connected to Airports, they are probably using Back to my Mac:


Services shared via Back to My Mac aren't directly accessible from the internet at large. Services shared using Wide-Area Bonjour are publicly exposed.

For slightly more amusing attacks on printers, there is an android app available - HP Printer Fun.


One poster said his/her printer did it on a machine not connected to the network, so it may not be a print server scanning thing.

Yeah that was the outlier. It seems more likely to me that the poster who said that failed to properly disconnect the printer from the network.

I think he meant that his printer was still connected but he unplugged his Mac.

I've so far been unable to replicate this problem.

This is pretty damn scary.

No need to worry, all Macs are virus, malware and attack proof and so (by the law of distortion of reality) are any devices or networks attached to a Mac. Go about your business and forget about that pesky "security" thing everyone else likes to talk about. Just etch a picture of Steve striking a thoughtful pose on the lid of your laptop and all your problems will be forgotten.

Thanks for injecting helpful -- not to mention hilariously witty -- points into this conversation. You left out the following points:

* Apple's stuff is incredibly overpriced

* Apple never invented anything, it's just good at marketing

* Apple's lawsuits are all based on rounded rectangles

* Xerox invented the GUI from scratch and it was perfect

* Anyone who uses an Apple device is a hipster fanboi cultist

Welcome to hecklernews.

slashdot -> digg -> reddit -> hackernews -> slashdot?

Also: sarcasm is like violence -- any problem it can't solve just requires more sarcasm.

I am not a hipster.

If Apple's stuff wasn't incredibly overpriced they wouldn't have $100B in the bank. Steve's ghost would be sad and they wouldn't be able to bankroll all their lawsuits (which would also make Steve's ghost sad).

Apple USED to be good at marketing. Have you seen those new ads? The ghost of Steve just barfed in his mouth a little bit. Quick! Someone call Justin Long and John Hodgman, that was working okay...

Rounded rectangles are the new lucite, and therefore not relevant in any way. Apple's lawsuits were based on Steve Jobs being a big baby about how well Android was selling. Now? Who knows how the Apple lawsuit of the day gets kicked off, but you can bet it involves Androids (and not the Star Trek variety).

Now you're just being thick, the first GUI was done by Doug Engelbart (Stanford Research) in '68. It was perfect. Any CS student who took an HCI course knows that. Extra points if you know what HCI stands for and don't have to google Engelbart to verify, but I bet you do :)

Some people who use Apple devices just want some of the discretionary income that hipster, fanboi (and fangrl, you sexist) and cultists seem quite happy to part with. Will that be cash or credit?

The anti-Apple trolls have never heard of Douglas Engelbart ;-)

Apple has made bad ads before and will make bad ads again. I do think the celebrity/Siri and genius ads are disappointing, but I'm not convinced Apple is no longer any good at marketing because it produced some bad ads.
