We have seen this on our campus. It corresponds well to portscans on port 515, when we get scanned we get the printouts with a page with some text (which I don't have handy, sorry) followed by lots of pages with "U" and "1" on them. My guess at this point is that people are probing for an exploitable LPD and a side effect is that some HP printers start coughing up garbage. It could be a DOS attack against printers, but it always coincides with someone doing a portscan of port 515 on our network so I think it is a side effect. We blocked port 515 at the firewall and saw a big drop in outgoing traffic, so my other guess is that we were maybe being used in DOS attacks by whatever this exploits. Unfortunately I don't have a packet trace of the attack, just a bunch of snort portscan.log entries and since we blocked 515, I won't be able to collect any packets. jbh -----Original Message----- From: Brendan Murphy [mailto:bmurphyat_private] Sent: Tuesday, June 26, 2001 2:32 PM To: incidentsat_private Subject: Printer exploit? Hi all- More than a few of our networked HP Laserjet printers have been sporadically printing out entire trays of paper that have a '1', 'u', 'i' in the upper right hand corner of the page, -or- a string of text along the top of the page. The jobs don't appear on the queue. This problem was noticed very rarely beginning a couple of months ago, but has increased in frequency over the last two evenings. ...and it usually only occurs during the evening...but has occured during the day. Again, it usually goes through the entire tray of paper unless the printer is shutdown. Has anyone heard of any exploits to LaserJet printers, or printers in general that might cause this problem? We've been through the gambit with HP and nothing seems to match... Some facts, just in case: - Printers are using JetDirect cards over TCP/IP - Some users connected through print server, others directly. - Printers are NOT the same model I am going to sniff out the traffic this evening to see if I can find anything...but thought I might be able to get a head start in the event that any of you had heard of an exploit that might be causing this one.... Regards, Brendan Murphy Network, Video, and DSL Services University of Colorado-Denver Computing, Information & Network Services (CINS) ~~~ "Obstacles are only things people see when they take their eyes off their goals." ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com ---------------------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Wed Jun 27 2001 - 18:01:45 PDT