21

This April 1st, someone logged into the printers and changed the ready screen to "vote for josh" on numerous HP LaserJet printers. I know that they must have logged in via telnet. And I found this article about how to perpetrate this activity: http://blog.mbcharbonneau.com/2007/01/22/change-the-status-message-of-a-hp-laserjet-printer/ I am just wondering, how can I figure out who has done this mischief? Does HP telnet on printers keep an access log? If so, how can I access it?


UPDATE: Oh hey, vote for josh is back today, but telnet config is disabled, and the admin password I set up is removed?? How can I lock this BS out?

UPDATE: I updated the firmware from here: but the message persists in coming back. I can't get rid of it.

11
  • 3
    One of the more entertaining questions I've seen in a while… I hope you get this figured out! P.S. Ask Josh if he did it. Commented Apr 1, 2014 at 17:23
  • 16
    Sounds like it was Josh.
    – Andrew Nee
    Commented Apr 1, 2014 at 17:23
  • 3
    Interesting. We also have a few LaserJets displaying "Vote for Josh" this morning. Our print server manager is named Josh, but denies his involvement, and after seeing this post, I'm inclined to believe him. Which model numbers are affected for you? We have it on a couple P4015. Any chance this was an attack (the three printers I've seen all have external NATs)? Or a clever HP Engineer's 4/1 Timebomb?
    – Jeff Soleim
    Commented Apr 1, 2014 at 18:11
  • 2
    Seen the same on a Kyocera that also has port 9100 exposed for RAW printing, so it's definitely some emerging automated tool. I'm just going to tighten down access to 9100 from the /16 of the external company we work with that needs to print to it.
    – George
    Commented Apr 2, 2014 at 13:14
  • 2
    Wow, that is an old exploit. Update your firmware.
    – Keltari
    Commented Apr 7, 2014 at 15:28

1 Answer

4

If your printers all run through a centralized HP JetDirect print server, then you might have logs depending on how that server is set up. Contact whoever runs that device.

From my own investigations, there are no 'access logs' on the printers, and no way to track it unless your specific network does some sort of logging. If your printers are set up individually like in most cases, then you don't have anything, really.

This is an interesting point though! I know that printers at Western Kentucky University and Northern Michigan University have both been displaying this message. From the other comments there are more people experiencing this.

It's not a meme that I know of, and there's no real connection between affected areas. This points to it being an automated process of some sort. Probably one that spams telnet ports hoping to find an unprotected printer.

What I'm getting at is that you do not have a specific prankster to hunt down, but a virus/worm, one that may have infected many machines. I'd guess it to be somebody's April Fools' prank. I know at least some of these affected printers were behind a NAT, so it makes sense that the commands came from within the network, and given the relatively wide geographical area of effect, it must either be a group of coordinated individuals doing something completely inane, or it's a program.

2
  • I wrote a monitoring script in shell. Looks like I got hit again around Apr 3 21:09:24 EDT 2014. I'm hopeful the networking guys can get this straightened out if I can provide a time-stamp.
    – j0h
    Commented Apr 4, 2014 at 2:53
  • 1
    Info about the message: The text is a reference to the NASCAR car that the digital currency community sponsored over at www.reddit.com/r/dogecoin. They wanted Josh Wise (who was driving the car) to win because well, it's one ridiculous car.
    – Tek
    Commented May 17, 2014 at 2:23
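
The answer's point that any trail has to come from network logging, combined with the timestamp from the monitoring-script comment, as an added example (not code from the question, the answer or HP): it filters firewall/flow records for connections to a printer's telnet or 9100 port around the time the message changed. The log line format, all addresses and the allowed subnet are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed sample records, assumed format:
# "<ISO timestamp> <src ip> <dst ip> <dst port> <action>"
SAMPLE_LOG = """\
2014-04-03T20:41:10 10.20.1.15 10.20.9.40 9100 ALLOW
2014-04-03T21:09:22 198.51.100.77 10.20.9.40 9100 ALLOW
2014-04-03T21:09:23 198.51.100.77 10.20.9.41 23 DENY
2014-04-03T21:10:05 10.20.1.15 10.20.9.40 631 ALLOW
2014-04-03T23:30:00 203.0.113.5 10.20.9.40 9100 ALLOW
not a log line
"""

PRINTERS = {"10.20.9.40", "10.20.9.41"}           # constructed printer addresses
MGMT_PORTS = {23, 9100}                           # telnet and RAW printing, as named on the page
ALLOWED = [ipaddress.ip_network("10.20.1.0/24")]  # hypothetical print-server subnet


def suspects(log_text, changed_at, window_minutes=5):
    """Return (timestamp, src, dst, port, action) for connections to a printer's
    telnet/9100 port within the window around the observed message change,
    coming from sources outside the allowed networks."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines
        try:
            ts = datetime.fromisoformat(parts[0])
            src = ipaddress.ip_address(parts[1])
            port = int(parts[3])
        except ValueError:
            continue  # unparsable timestamp, address or port
        if parts[2] not in PRINTERS or port not in MGMT_PORTS:
            continue
        if abs(ts - changed_at) > window:
            continue
        if any(src in net for net in ALLOWED):
            continue  # expected traffic from the print server subnet
        hits.append((ts, str(src), parts[2], port, parts[4]))
    return hits


if __name__ == "__main__":
    # Change time taken from the monitoring-script comment (Apr 3 21:09:24).
    for hit in suspects(SAMPLE_LOG, datetime(2014, 4, 3, 21, 9, 24)):
        print(*hit)
```

Records that show ALLOW from an unexpected source are the ones to hand to the network team; DENY records show the access restriction on those ports is working.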
