Who logged into my printers?

22

6

This April 1st, someone logged into the printers and changed the ready screen to "vote for josh" on numerous HP LaserJet printers. I know that they must have logged in via telnet. And I found this article about how to perpetrate this activity: http://blog.mbcharbonneau.com/2007/01/22/change-the-status-message-of-a-hp-laserjet-printer/ I am just wondering, how can I figure out who has done this mischief? Does HP telnet on printers keep an access log? If so, how can I access it?

enter image description here

UPDATE: Oh hey, vote for josh is back today, but telnet config is disabled, and the admin password I set up is removed?? How can I lock this BS out?

UPDATE: I updated the firmware from here: but the message persists in coming back. I can't get rid of it.

j0h

Posted 2014-04-01T17:17:51.590

Reputation: 918

3One of the more entertaining questions I've seen in a while… I hope you get this figured out!

P.S. Ask Josh if he did it. – Steve Meisner – 2014-04-01T17:23:49.087

16Sounds like it was Josh. – None – 2014-04-01T17:23:58.837

3Interesting. We also have a few LaserJets displaying "Vote for Josh" this morning. Our print server manager is named Josh, but denies his involvement, and after seeing this post, I'm inclined to believe him. Which model numbers are affected for you? We have it on a couple P4015. Any chance this was an attack (the three printers I've seen all have external NATs). Or a clever HP Engineer's 4/1 Timebomb? – None – 2014-04-01T18:11:21.627

Laserjet 4000 is the model of one. Another is a laserjet 4650dn – j0h – 2014-04-01T18:16:20.227

2Seen the same on a Kyocera that also has port 9100 exposed for RAW printing, so it's definitely some emerging automated tool. I'm just going to tighten down access to 9100 from the /16 of the external company we work with that need to print to it. – George – 2014-04-02T13:14:19.390

Same thing at my company in Toronto. HP 4200 – Chris Cudmore – 2014-04-02T20:55:09.853

Im trying to think what the network traffic might look like for this attack. If its some blind bot, then likely, it hit my webservers with junk. Though thats not much for a starting place. – j0h – 2014-04-02T21:49:31.793

2Wow, that is an old exploit. Update your firmware. – Keltari – 2014-04-07T15:28:44.450

Firmware update seems to have fixed it. – j0h – 2014-04-08T20:51:03.627

Josh is a bamf. – Benjamin Atkin – 2014-05-15T22:20:30.147

1(Dean Wormer voice) "Doooogecooooin!" – mootinator – 2014-05-16T19:06:08.657

Answers

4

If your printers all run through a centralized HP jetdirect print server, then you might have logs depending on how that server is setup. contact whomever runs that device.

From my own investigations, there are no 'access logs' on the printers, and no way to track it unless your specific network does some sort of logging. If your printers are set up individually like in most cases, then you don't have anything, really.

This is a interesting point though! I know that printers at Western Kentucky University and Northern Michigan University have both been displaying this message. From the other comments there are more people experiencing this.

It's not a meme that I know of, and there's no real connection between affected areas. This points to it being an automated process of some sort. Probably one that spams telnet ports hoping to find an unprotected printer.

What I'm getting at is that you do not have a specific prankster to hunt down, but a virus/worm, one that may have infected many machines. I'd guess it to be somebodies april fool's prank. I know at least some of these affected printers were behind a NAT, so it makes sense that the commands came from within the network, and given the relatively wide geographical area of effect, it must either be a group of coordinated individuals doing something completely inane, or it's a program.

Travis Clark

Posted 2014-04-01T17:17:51.590

Reputation: 41

i wrote a monitoring script, in shell, Looks like I got hit again around Apr 3 21:09:24 EDT 2014. I'm hopeful the networking guys can get this straitened out, if i can provide a time-stamp. – j0h – 2014-04-04T02:53:07.720

1Info about the message: The text is a reference to the nascar car that the digital currency community sponsored over at www.reddit.com/r/dogecoin. They wanted Josh Wise (who was driving the car) to win because well, it's one ridiculous car. – Tek – 2014-05-17T02:23:30.467

Asked: 2014-04-01T17:17:51.590

Viewed: 5 719 times

Active: 2017-06-14T20:40:00.143