Compromised printer? Meraki Go

Solved
Meraki_Maki
Conversationalist

Compromised printer? Meraki Go

Today the office printer produced three sheets with what seems to be random characters, and in the middle a string random1random2random3random4. This raised a red flag with us. Is this something to be worried about? We use the full stack of Meraki Go (router, switch, AP) with Cisco Umbrella subscription activated for the router. The printer model is Brother DCP-L5500DN, which is connected over ethernet directly to the router.

 

Here are the prints:

Screenshot 2021-04-28 at 21.14.45.png

Screenshot 2021-04-28 at 21.15.10.pngScreenshot 2021-04-28 at 21.14.59.png

 

Could this be an attack? Any advice on how to approach this from here on? Thanks!

1 Accepted Solution
BrandonS
Kind of a big deal

Look what I found.  I am going to try this on some of my printers: https://github.com/nmap/nmap/issues/2237

 

Describe the bug
Aggressive option '-A' on printers produce unwanted print : binary blob with 'random1random2...'.
The printed payload 'random1random2...' is located here : "/usr/share/nmap/nselib/shortport.lua" line 261

To Reproduce
Run the following command on a printer device :

nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

 

- Ex community all-star (⌐⊙_⊙)

View solution in original post

7 Replies 7
BrandonS
Kind of a big deal

I'd give that a very low, almost zero probability of any kind of attack.

 

I would dig into the printer settings and web GUI to see what you can find about that print job and look through logs, etc.  How certain are you that it isn't just a corrupt print job from one of your users?

 

- Ex community all-star (⌐⊙_⊙)
Meraki_Maki
Conversationalist

Hi Brandon, thanks for the reply. This print job came out several times when no one gave this command. Also a quick Google search provided a warning about exactly this string: random1random2random3random4. This caught my attention. See screenshot below. Not exactly sure about what to make of this... 

 

Good tip about the print job settings. Unfortunately I reset the printer in a panic move. However if such a print comes out again, I will definitely look into this. 

 

Screenshot 2021-04-28 at 21.36.54.png

BrandonS
Kind of a big deal

Interesting.  I would not expect an NMAP scan to cause a printer to print anything, but I suppose it is possible.  Do you have any port forwarding on your firewall to the printer or anywhere else that could even allow outside access into your network?  If not, I suppose it is possible someone inside the network was playing around and caused this unintentionally (or intentionally).

 

Also- this is not really the right forum for Meraki Go.  This is "regular" Meraki here.  Meraki Go has it's own community: https://community.meraki.com/t5/Meraki-Go-Community/ct-p/go

 

Best

- Ex community all-star (⌐⊙_⊙)
BrandonS
Kind of a big deal

Look what I found.  I am going to try this on some of my printers: https://github.com/nmap/nmap/issues/2237

 

Describe the bug
Aggressive option '-A' on printers produce unwanted print : binary blob with 'random1random2...'.
The printed payload 'random1random2...' is located here : "/usr/share/nmap/nselib/shortport.lua" line 261

To Reproduce
Run the following command on a printer device :

nmap -A X.X.X.34 -vvvvvvvvv -p 9100 --script-trace

 

- Ex community all-star (⌐⊙_⊙)
Meraki_Maki
Conversationalist

Bless you! This explains it all. I certainly did not expect this. The reply from my colleague on our Slack channel just now: "oh yeah, today I ran a few nmap scans". 

 

(Yes... I know)

 

In any case, maybe this thread can be useful for some others in the future. Will stick to the Meraki Go community from here on. Thanks for the help, Brandon!

hidden0
Meraki Alumni (Retired)
Meraki Alumni (Retired)

What a fun read 🙂 glad the mystery has been solved!

 

Who would have thought an nmap scan would cause a printer to spit out garbage 😄

CarolineS
Community Manager
Community Manager

I've just moved this post over to the Meraki Go forum; thanks for the heads up, @BrandonS

Caroline S | Community Manager, Cisco Meraki
New to the community? Get started here
Get notified when there are additional replies to this discussion.