22
6
This April 1st, someone logged into the printers and changed the ready screen to "vote for josh" on numerous HP LaserJet printers. I know that they must have logged in via telnet. And I found this article about how to perpetrate this activity: http://blog.mbcharbonneau.com/2007/01/22/change-the-status-message-of-a-hp-laserjet-printer/ I am just wondering, how can I figure out who has done this mischief? Does HP telnet on printers keep an access log? If so, how can I access it?
UPDATE: Oh hey, vote for josh is back today, but telnet config is disabled, and the admin password I set up is removed?? How can I lock this BS out?
UPDATE: I updated the firmware from here: but the message persists in coming back. I can't get rid of it.
3One of the more entertaining questions I've seen in a while… I hope you get this figured out!
P.S. Ask Josh if he did it. – Steve Meisner – 2014-04-01T17:23:49.087
16Sounds like it was Josh. – None – 2014-04-01T17:23:58.837
3Interesting. We also have a few LaserJets displaying "Vote for Josh" this morning. Our print server manager is named Josh, but denies his involvement, and after seeing this post, I'm inclined to believe him. Which model numbers are affected for you? We have it on a couple P4015. Any chance this was an attack (the three printers I've seen all have external NATs). Or a clever HP Engineer's 4/1 Timebomb? – None – 2014-04-01T18:11:21.627
Laserjet 4000 is the model of one. Another is a laserjet 4650dn – j0h – 2014-04-01T18:16:20.227
2Seen the same on a Kyocera that also has port 9100 exposed for RAW printing, so it's definitely some emerging automated tool. I'm just going to tighten down access to 9100 from the /16 of the external company we work with that need to print to it. – George – 2014-04-02T13:14:19.390
Same thing at my company in Toronto. HP 4200 – Chris Cudmore – 2014-04-02T20:55:09.853
Im trying to think what the network traffic might look like for this attack. If its some blind bot, then likely, it hit my webservers with junk. Though thats not much for a starting place. – j0h – 2014-04-02T21:49:31.793
2Wow, that is an old exploit. Update your firmware. – Keltari – 2014-04-07T15:28:44.450
Firmware update seems to have fixed it. – j0h – 2014-04-08T20:51:03.627
Josh is a bamf. – Benjamin Atkin – 2014-05-15T22:20:30.147
1(Dean Wormer voice) "Doooogecooooin!" – mootinator – 2014-05-16T19:06:08.657