Most of our printers are set up to use the method John Valenti describes:
the campus network people gave us two IP address ranges to/from which the
building router restricts access.  One allows traffic only from the P-A
Department's addresses within the BPS building and the other allows
traffic only from on-campus addresses (35.8.x.x-35.15.x.x).  Some of our
printers are in the first range, while most are in the second (so that
MSUNet WiFi systems can see them, among other reasons).  Even expanding
the candidates to all of MSU, that's still only tens of thousands rather
than hundreds of millions of possible sources of bogus print jobs.

These particular print jobs aren't even really print jobs; they are
attempts to find unrestricted HTTP proxy systems, so that web sessions
can be set up with sites which might be otherwise inaccessible due to
restrictions from firewalls, government-imposed blackouts, or other
network impediments, or to simply make it harder to track back who has
accessed a site ("anonymizing").  Most PCs will simply ignore such HTTP
requests even if they aren't running firewalls, because they don't have
anything running on them that listens to those ports in the first place,
or if they do, the request syntax is HTTP-specific, so unless the PC's
software is a web server or proxy server, the program rejects them.  The
printers are probably ignoring lots of these requests, too, on all the
TCP ports they're not paying attention to.  The problem occurs when the
search for a proxy tries a port that the printer is listening to print
jobs on (ports 23, 631, 9100, etc., depending on the capabilities of the
printer and its settings), so the HTTP request is seen as something to
print, and the printer does its thing, and out it comes in hard copy.

Most H-P printers in the past 10 years or so have supported built-in
access control, usually configurable via the printer's web management
interface.  Most other brands have something of the kind, too, at least
in the higher end model lines.  If the printer has a wide-open MSU IP
address, these access control settings can be configured so that the
printer ignores network traffic unless it comes from particular IP
addresses or IP address ranges.  I've used this access control method
to protect certain printers that cannot use the building router-enforced
restricted IP address scheme.
--
                                George

-------------------------------------------------------------------------
George J Perkins                  http://www.pa.msu.edu/people/perkins/
Biomedical Physical Sciences
567 Wilson Road, Room 1209B       Phone: 517-884-5467
East Lansing, MI  48824             FAX: 517-353-4500

________________________________
From: Shaun Leininger [[log in to unmask]]
Sent: Thursday, June 07, 2012 09:59
To: [log in to unmask]
Subject: [MSUNAG] Web Attack on HP Laserjet Printers?

I suspect that this is some sort of attempted scan/attack, but I’m uncertain how to move forward towards complete understanding of this, or a solution. Any thoughts?

On multiple occasions, networked HP Laserjet printers have spit out single page prints with the following information:

GET http://www.sina.com.cn/ HTTP/1.1
Host: www.sina.com.cn
Accept: */*
Pragma: no-cache
User-Agent:

GET http://www.baidu.com HTTP/1.1
Host: www.baidu.com
Accept: */*
Pragma: no-cache
User-Agent:

GET http://www.sciencedirect.com HTTP/1.1
Host: www.sciencedirect.com
Accept: */*
Pragma: no-cache
User-Agent:


Both appear to be popular Chinese websites, and not malicious on their own. Prints have appeared on HP Color Laserjet 3700, HP Laserjet 2200, HP Laserjet P3005dn. The printers are networked, not controlled by a print server, and have management passwords turned on.

Disabling non-essential services on the printers from their web consoles has not stopped the prints. I do not manage the local network, and do not have any network/firewall logs to examine.

Research has turned up others reporting identical prints: h30434.www3.hp.com/t5/Printer-Networking-and-Wireless/HP-Network-Printer-periodically-prints-a-page-from-a-web-crawler/td-p/1032985

Thanks,

Shaun Leininger, CCNA
Information Technology Professional
Department of Anthropology
517-884-0388
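
The two checks discussed in this thread (a source-address allow list, and recognizing that the "print job" is really an HTTP proxy probe) can be sketched as follows. This is an added example, not code from either poster or from any printer firmware. It assumes a hypothetical host that sees raw-port payloads before the printer does; the function names and source addresses are constructed, and 35.8.0.0/13 is the CIDR form of the 35.8.x.x-35.15.x.x range mentioned above.

```python
import ipaddress
import re

# On-campus range from the thread: 35.8.x.x-35.15.x.x is exactly 35.8.0.0/13.
ALLOWED = [ipaddress.ip_network("35.8.0.0/13")]

# HTTP/1.x request line: METHOD SP request-target SP HTTP/1.x
REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.[01]\r?$")

# One of the printed requests from the thread, rebuilt as raw bytes.
PROBE = (b"GET http://www.baidu.com HTTP/1.1\r\nHost: www.baidu.com\r\n"
         b"Accept: */*\r\nPragma: no-cache\r\nUser-Agent:\r\n\r\n")
# Constructed sample of a normal job header (PJL after the UEL escape).
PJL_JOB = b'\x1b%-12345X@PJL JOB NAME="sample"\r\n@PJL ENTER LANGUAGE=PCL\r\n'


def source_allowed(src, networks=ALLOWED):
    """True if the source address is inside one of the allowed networks."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in networks)


def is_proxy_probe(payload):
    """True if the first line is an HTTP request in proxy form: an
    absolute-URI target (GET http://host/ ...) or a CONNECT request."""
    first = payload.split(b"\n", 1)[0]
    m = REQUEST_LINE.match(first)
    if not m:
        return False
    method, target = m.groups()
    return method == b"CONNECT" or target.lower().startswith(
        (b"http://", b"https://"))


def triage(src, payload):
    """Apply the address restriction first, then inspect the payload."""
    if not source_allowed(src):
        return "drop: source outside allowed range"
    if is_proxy_probe(payload):
        return "flag: proxy probe from allowed source"
    return "accept"


if __name__ == "__main__":
    # Source addresses below are constructed for illustration.
    for src, data in [("203.0.113.7", PROBE), ("35.9.20.5", PROBE),
                      ("35.9.20.5", PJL_JOB)]:
        print(src, "->", triage(src, data))
```

The second case matters for the campus-wide range: a probe from an on-campus address passes the address restriction, so the payload check is what identifies it.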