Most of our printers are set up to use the method John Valenti describes: the campus network people gave us two IP address ranges to/from which the building router restricts access. One allows traffic only from the P-A Department's addresses within the BPS building and the other allows traffic only from on-campus addresses (35.8.x.x-35.15.x.x). Some of our printers are in the first range, while most are in the second (so that MSUNet WiFi systems can see them, among other reasons). Even expanding the candidates to all of MSU, that's still only tens of thousands rather than hundreds of millions of possible sources of bogus print jobs.

These particular print jobs aren't even really print jobs; they are attempts to find unrestricted HTTP proxy systems, so that web sessions can be set up with sites which might be otherwise inaccessible due to restrictions from firewalls, government-imposed blackouts, or other network impediments, or to simply make it harder to track back who has accessed a site ("anonymizing").

Most PCs will simply ignore such HTTP requests even if they aren't running firewalls, because they don't have anything running on them that listens to those ports in the first place, or if they do, the request syntax is HTTP-specific, so unless the PC's software is a web server or proxy server, the program rejects them. The printers are probably ignoring lots of these requests, too, on all the TCP ports they're not paying attention to. The problem occurs when the search for a proxy tries a port that the printer is listening to print jobs on (ports 23, 631, 9100, etc., depending on the capabilities of the printer and its settings), so the HTTP request is seen as something to print, and the printer does its thing, and out it comes in hard copy.

Most H-P printers in the past 10 years or so have supported built-in access control, usually configurable via the printer's web management interface. Most other brands have something of the kind, too, at least in the higher end model lines. If the printer has a wide-open MSU IP address, these access control settings can be configured so that the printer ignores network traffic unless it comes from particular IP addresses or IP address ranges. I've used this access control method to protect certain printers that cannot use the building router-enforced restricted IP address scheme.

-- George
-------------------------------------------------------------------------
George J Perkins                  http://www.pa.msu.edu/people/perkins/
Biomedical Physical Sciences
567 Wilson Road, Room 1209B       Phone: 517-884-5467
East Lansing, MI 48824            FAX: 517-353-4500

________________________________
From: Shaun Leininger [[log in to unmask]]
Sent: Thursday, June 07, 2012 09:59
To: [log in to unmask]
Subject: [MSUNAG] Web Attack on HP Laserjet Printers?

I suspect that this is some sort of attempted scan/attack, but I’m uncertain how to move forward towards complete understanding of this, or a solution. Any thoughts?

On multiple occasions, networked HP Laserjet printers have spit out single page prints with the following information:

    GET http://www.sina.com.cn/ HTTP/1.1
    Host: www.sina.com.cn
    Accept: */*
    Pragma: no-cache
    User-Agent:

    GET http://www.baidu.com HTTP/1.1
    Host: www.baidu.com
    Accept: */*
    Pragma: no-cache
    User-Agent:

    GET http://www.sciencedirect.com HTTP/1.1
    Host: www.sciencedirect.com
    Accept: */*
    Pragma: no-cache
    User-Agent:

Both appear to be popular Chinese websites, and not malicious on their own.

Prints have appeared on HP Color Laserjet 3700, HP Laserjet 2200, HP Laserjet P3005dn. The printers are networked, not controlled by a print server, and have management passwords turned on. Disabling non-essential services on the printers from their web consoles has not stopped the prints. I do not manage the local network, and do not have any network/firewall logs to examine.

Research has turned up others reporting identical prints:
h30434.www3.hp.com/t5/Printer-Networking-and-Wireless/HP-Network-Printer-periodically-prints-a-page-from-a-web-crawler/td-p/1032985

Thanks,
Shaun Leininger, CCNA
Information Technology Professional
Department of Anthropology
517-884-0388
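
Added example (not part of either message in the thread): a Python illustration of the two checks discussed above, a source-address allow-list for the on-campus range 35.8.x.x-35.15.x.x and recognition of the proxy-style request line that ends up on paper. The function names, the sample source addresses and the PJL job are constructed for illustration; the GET request is the one quoted in the thread.

```python
import ipaddress
import re

# The on-campus range quoted in the thread (35.8.x.x-35.15.x.x) is one CIDR block.
CAMPUS = ipaddress.ip_network("35.8.0.0/13")

# A client talking to a proxy sends an absolute URL in the request line
# ("GET http://host/ HTTP/1.1"); a direct request carries only a path.
ABSOLUTE_FORM = re.compile(rb"^[A-Z]+ (https?://\S+) HTTP/1\.[01]\r?\n")


def probe_target(payload):
    """Return the requested URL if payload opens with a proxy-style request."""
    m = ABSOLUTE_FORM.match(payload)
    return m.group(1).decode("ascii", "replace") if m else None


def triage(connections):
    """Label each (source, port, payload) seen on a printer's print ports."""
    results = []
    for src, port, payload in connections:
        target = probe_target(payload)
        if ipaddress.ip_address(src) not in CAMPUS:
            verdict = "dropped by ACL"
        elif target:
            verdict = "on-campus proxy probe"  # the ACL alone does not stop this
        else:
            verdict = "print job"
        results.append((src, port, verdict, target))
    return results


# Constructed sample traffic: addresses and the PJL job are made up.
SINA = (b"GET http://www.sina.com.cn/ HTTP/1.1\r\nHost: www.sina.com.cn\r\n"
        b"Accept: */*\r\nPragma: no-cache\r\nUser-Agent: \r\n\r\n")
PJL = b"\x1b%-12345X@PJL JOB NAME=\"report\"\r\n"
SAMPLE = [
    ("203.0.113.7", 9100, SINA),  # off campus
    ("35.16.0.1", 9100, SINA),    # first address past the campus range
    ("35.9.1.10", 9100, SINA),    # on campus, still a probe
    ("35.9.1.11", 9100, PJL),     # on campus, ordinary print job
]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

The third sample row is the case the allow-list cannot catch: a probe that originates inside the permitted range still reaches the print port.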