[unisog] QMS printer sending data to Internet sites?

E. Larry Lidz ellidz at eridu.uchicago.edu
Mon Sep 16 22:51:20 GMT 2002

Rita Seplowitz Saltz writes:
>We received (and verified) an odd report.  A QMS printer on campus appears
>to be sending packets to Internet sites, which perceive the traffic as the
>usual hostile scans.  Has anyone else seen this rather bizarre phenomenon?

We've seen a QMS printer do the same thing. The scanning activity was
limited to our local class B and was for port 80. We've seen it before
with SNMP on HP printers (which have a "locate other printers" feature
or something stupid like that). 

We pulled the machine from the network and had the vendor come in to
fix it. They said they had never seen one compromised before and
reinstalled the firmware or something like that. We weren't
particularly confident that that would fix the problem but we haven't
seen it scan since.

Our thought was that it might have been an embedded version of IIS and
been infected with Nimda or CodeRed, but if that were the case I would
have expected it to start scanning out again...

I'll say that, in general, printers worry me quite a bit. Right now
the one in my office is out of paper because some would-be copyright
violator saw that the PORT1 directory on its ftp server was world
writable and tried to put some movie or something onto it, causing a ton
of garbage to be printed out. As far as I can tell there is no way to
disable any of the services that the thing provides (of which I only
really want to have the lpd port open).

They're a nightmare waiting to happen. I'm thinking that I might need
to firewall it off, which'll be more of a pain than I think a printer
should be.


