LISTSERV 16.0 - MSUNAG Archives

The one thing I’ll add to this is that if you stick with just those 35.15.x.x DHCP addresses, they’re not accessible from MSUNet Wireless, so printing from your laptop to one of those printers won’t work when you’re on a wireless connection. I had to go through and change a number of printers to regular static IP addresses for this reason.

Jon

Jon Galbreath, MCSE

Systems Administrator

International Studies and Programs

Helpdesk: 517-884-2148

Ph: 517-884-2144

[log in to unmask]

From: John Valenti [mailto:[log in to unmask]]
Sent: Thursday, June 07, 2012 11:45 AM
To: [log in to unmask]
Subject: Re: [MSUNAG] Web Attack on HP Laserjet Printers?

Shaun,

The solution I've used for several years, and I think is still workable, is to use a building specific IP address.

I'm in S Kedzie, the central network people configured this building to use 35.15.64.x addresses only within the building. So all of our printers are on that subnet, and thus, only accessible from computers located within the building. I don't think there is much value to having a printer accessible from the 1 billion devices on the global Internet, but if you need outside access use a VPN or something.

This greatly reduces the scope of possible problems, to maybe 200 computers on the wired network here.

Perhaps the central people can chime in and say if this is still the plan going forward, but seems to work well here.

-John

HRLR

On Jun 7, 2012, at 9:59 AM, Shaun Leininger wrote:

I suspect that this is some sort of attempted scan/attack, but I’m uncertain how to move forward towards complete understanding of this, or a solution. Any thoughts?

On multiple occasions, networked HP Laserjet printers have spit out single page prints with the following information:

GET http://www.sina.com.cn/ HTTP/1.1

Host: www.sina.com.cn

Accept: */*

Pragma: no-cache

User-Agent:

GET http://www.baidu.com HTTP/1.1

Host: www.baidu.com

Accept: */*

Pragma: no-cache

User-Agent:

GET http://www.sciencedirect.com HTTP/1.1

Host: www.sciencedirect.com

Accept: */*

Pragma: no-cache

User-Agent:

Both appear to be popular Chinese websites, and not malicious on their own. Prints have appeared on HP Color Laserjet 3700, HP Laserjet 2200, HP Laserjet P3005dn. The printers are networked, not controlled by a print server, and have management passwords turned on.

Disabling non-essential services on the printers from their web consoles has not stopped the prints. I do not manage the local network, and do not have any network/firewall logs to examine.

Research has turned up others reporting identical prints: h30434.www3.hp.com/t5/Printer-Networking-and-Wireless/HP-Network-Printer-periodically-prints-a-page-from-a-web-crawler/td-p/1032985

Thanks,

Shaun Leininger, CCNA
Information Technology Professional
Department of Anthropology
517-884-0388