22

This April 1st, someone logged into the printers and changed the ready screen to "vote for josh" on numerous HP LaserJet printers. I know that they must have logged in via telnet. And I found this article about how to perpetrate this activity: http://blog.mbcharbonneau.com/2007/01/22/change-the-status-message-of-a-hp-laserjet-printer/ I am just wondering, how can I figure out who has done this mischief? Does HP telnet on printers keep an access log? If so, how can I access it?


UPDATE: Oh hey, vote for josh is back today, but telnet config is disabled, and the admin password I set up is removed?? How can I lock this BS out?

UPDATE: I updated the firmware from here: but the message persists in coming back. I can't get rid of it.

Glorfindel
j0h
  • 3
    One of the more entertaining questions I've seen in a while… I hope you get this figured out! P.S. Ask Josh if he did it. – Steve Meisner Apr 01 '14 at 17:23
  • 16
    Sounds like it was Josh. –  Apr 01 '14 at 17:23
  • 3
    Interesting. We also have a few LaserJets displaying "Vote for Josh" this morning. Our print server manager is named Josh, but denies his involvement, and after seeing this post, I'm inclined to believe him. Which model numbers are affected for you? We have it on a couple P4015. Any chance this was an attack (the three printers I've seen all have external NATs)? Or a clever HP Engineer's 4/1 Timebomb? –  Apr 01 '14 at 18:11
  • LaserJet 4000 is the model of one. Another is a LaserJet 4650dn – j0h Apr 01 '14 at 18:16
  • 2
    Seen the same on a Kyocera that also has port 9100 exposed for RAW printing, so it's definitely some emerging automated tool. I'm just going to tighten down access to 9100 from the /16 of the external company we work with that need to print to it. – George Apr 02 '14 at 13:14
  • Same thing at my company in Toronto. HP 4200 – Chris Cudmore Apr 02 '14 at 20:55
  • I'm trying to think what the network traffic might look like for this attack. If it's some blind bot, then likely, it hit my webservers with junk. Though that's not much for a starting place. – j0h Apr 02 '14 at 21:49
  • 2
    Wow, that is an *old* exploit. Update your firmware. – Keltari Apr 07 '14 at 15:28
  • Firmware update seems to have fixed it. – j0h Apr 08 '14 at 20:51
  • Josh is a bamf. – Benjamin Atkin May 15 '14 at 22:20
  • 1
    (Dean Wormer voice) "Doooogecooooin!" – mootinator May 16 '14 at 19:06

1 Answer

4

If your printers all run through a centralized HP JetDirect print server, then you might have logs depending on how that server is set up. Contact whoever runs that device.

From my own investigations, there are no 'access logs' on the printers, and no way to track it unless your specific network does some sort of logging. If your printers are set up individually like in most cases, then you don't have anything, really.

This is an interesting point though! I know that printers at Western Kentucky University and Northern Michigan University have both been displaying this message. From the other comments there are more people experiencing this.

It's not a meme that I know of, and there's no real connection between affected areas. This points to it being an automated process of some sort. Probably one that spams telnet ports hoping to find an unprotected printer.

What I'm getting at is that you do not have a specific prankster to hunt down, but a virus/worm, one that may have infected many machines. I'd guess it to be somebody's April Fools' prank. I know at least some of these affected printers were behind a NAT, so it makes sense that the commands came from within the network, and given the relatively wide geographical area of effect, it must either be a group of coordinated individuals doing something completely inane, or it's a program.

  • I wrote a monitoring script, in shell. Looks like I got hit again around Apr 3 21:09:24 EDT 2014. I'm hopeful the networking guys can get this straightened out, if I can provide a time-stamp. – j0h Apr 04 '14 at 02:53
  • 1
    Info about the message: The text is a reference to the NASCAR car that the digital currency community sponsored over at www.reddit.com/r/dogecoin. They wanted Josh Wise (who was driving the car) to win because well, it's one ridiculous car. – Tek May 17 '14 at 02:23
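
The answer's point is that any trail has to come from network logging, since the printers keep no access log. As an added example (not part of the original thread), the Python below takes the timestamp reported by the monitoring script and searches firewall accept logs for connections to the printers on ports 23 and 9100 from outside the permitted range. The log line format, printer addresses, allowed subnet and sample entries are all constructed assumptions.

```python
import ipaddress
import re
from datetime import datetime, timedelta

# All addresses, subnets and log lines below are constructed for illustration.
PRINTERS = {ipaddress.ip_address("10.20.1.50"), ipaddress.ip_address("10.20.1.51")}
ALLOWED_SOURCES = [ipaddress.ip_network("10.20.0.0/16")]  # hypothetical internal range
PRINTER_PORTS = {23: "telnet", 9100: "raw-print"}         # the two ports named on this page

# Assumed log format: <ISO timestamp> ACCEPT TCP src=<ip> dst=<ip> dport=<n>
LINE = re.compile(
    r"^(?P<ts>\S+) ACCEPT TCP src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)

SAMPLE_LOG = """\
2014-04-03T21:05:10-04:00 ACCEPT TCP src=10.20.3.7 dst=10.20.1.50 dport=9100
2014-04-03T21:09:21-04:00 ACCEPT TCP src=203.0.113.45 dst=10.20.1.50 dport=9100
2014-04-03T21:09:22-04:00 ACCEPT TCP src=203.0.113.45 dst=10.20.1.51 dport=23
2014-04-03T21:09:30-04:00 ACCEPT TCP src=198.51.100.9 dst=10.20.1.80 dport=443
2014-04-03T23:40:02-04:00 ACCEPT TCP src=192.0.2.17 dst=10.20.1.50 dport=9100
garbled line that the parser must skip
"""

def suspects(log_text, changed_at, window=timedelta(minutes=5)):
    """Return (timestamp, src, dst, service) for connections to a printer port
    from a non-allowed source, logged within `window` of the observed change."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines in other formats
        ts = datetime.fromisoformat(m["ts"])
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        port = int(m["dport"])
        if dst not in PRINTERS or port not in PRINTER_PORTS:
            continue  # not printer traffic
        if any(src in net for net in ALLOWED_SOURCES):
            continue  # expected internal print traffic
        if abs(ts - changed_at) <= window:
            hits.append((m["ts"], str(src), str(dst), PRINTER_PORTS[port]))
    return hits

if __name__ == "__main__":
    # Time the monitoring script saw the message change: Apr 3 21:09:24 EDT (UTC-4)
    seen = datetime.fromisoformat("2014-04-03T21:09:24-04:00")
    for hit in suspects(SAMPLE_LOG, seen):
        print(*hit)
```

The window is symmetric because a polling script records when it noticed the change, which can lag the connection that caused it by up to one polling interval.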